problem with ralabel and country code

Carter Bullard carter at qosient.com
Sat Aug 29 16:52:15 EDT 2009


Hey Jean-Marc,
So you need to use the "-f /path/to/your/ralabel.conf". Without this, ralabel() doesn't
know to add a country code?
Carter

On Aug 29, 2009, at 4:45 PM, jean-marc pouchoulon wrote:

> Hello,
>
> I tried these commands from http://osdir.com/ml/network.argus/2007-10/msg00002.html.
>
>   ralabel -nnnR datadir -w - | racluster -m sco -w - | rasort -m bytes -s stime dur sco trans pkts bytes state
>
> but the country code does not seem to be appended to the records and I get
> this one-line result:
>
>       StartTime    Flgs  Proto sCo            SrcAddr  Sport   Dir dCo            DstAddr  Dport  TotPkts   TotBytes State
> 00:00:00.000000 Ne          ip  ZZ            0.0.0.0           ->   ZZ            0.0.0.0         2574989 1070763217   INT
>
> In debug mode I can see a "ref" to the country code:
>
> ralabel[2986.4039d4b7]: 22:27:55.723204 ArgusPrintCountryCode (0xb7d00008, 0xb7c9e538, 0xb7c9e264, 1, 3, 0xbfcb23b8) returning
> 00:00:01.584000 Ne         tcp     wy-in-f147.google*.http      ->     proxecoles...*.34912         8       6192   FIN
> ralabel[2986.4039d4b7]: 22:27:55.723261 RaProcessRecord (0xb7c9e538) returning
>
> Am I doing something wrong with these options in the ralabel.conf file?
>
> RALABEL_GEOIP_ASN=yes
> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
>
>
> Is there a way to select all argus records within a specific
> country?
>
> thanks again for your help
>
> argus-client version = 3.0.2 beta 12
