problem with ralabel and country code
Carter Bullard
carter at qosient.com
Sat Aug 29 22:52:01 EDT 2009
Test to see that country codes are being written into the records.
run ralabel() and write the output to a file.
comment out the "RA_DELEGATED_IP" variable in your .rarc file,
and then print the sco and dco fields from the ralabel() created file.
That will tell us if the problem is in ralabel() or racluster().
Carter
On Aug 29, 2009, at 5:07 PM, jean-marc pouchoulon wrote:
> hey Carter,
>
> I'm using -f option:
>
> ralabel -nnn -f /usr/local/argus/ralabel.conf -r /var/argus/2009/08/28/argus_00\:00\:00 -w - |racluster -m sco
> StartTime Flgs Proto sCo SrcAddr Sport Dir dCo DstAddr Dport TotPkts TotBytes State
> 00:00:00.000000 Ne ip ZZ 0.0.0.0 -> ZZ 0.0.0.0 2574989 1070763217 INT
>
> jean-marc
>
> 2009/8/29 Carter Bullard <carter at qosient.com>
> Hey Jean-Marc,
> So you need to use the "-f /path/to/your/ralabel.conf". Without this, ralabel() doesn't
> know to add a country code?
> Carter
>
> On Aug 29, 2009, at 4:45 PM, jean-marc pouchoulon wrote:
>
>> Hello,
>>
>> I try these commands from http://osdir.com/ml/network.argus/2007-10/msg00002.html:
>>
>> ralabel -nnnR datadir -w - | racluster -m sco -w - | rasort -m bytes -s stime dur sco trans pkts bytes state
>>
>> but the country code does not seem to be appended to the records, and I get
>> this one-line result:
>>
>> StartTime Flgs Proto sCo SrcAddr Sport Dir dCo DstAddr Dport TotPkts TotBytes State
>> 00:00:00.000000 Ne ip ZZ 0.0.0.0 -> ZZ 0.0.0.0 2574989 1070763217 INT
>>
>> In debug mode I can see a "ref" to Country code :
>>
>> ralabel[2986.4039d4b7]: 22:27:55.723204 ArgusPrintCountryCode (0xb7d00008, 0xb7c9e538, 0xb7c9e264, 1, 3, 0xbfcb23b8) returning
>> 00:00:01.584000 Ne tcp wy-in-f147.google*.http -> proxecoles...*.34912 8 6192 FIN
>> ralabel[2986.4039d4b7]: 22:27:55.723261 RaProcessRecord (0xb7c9e538) returning
>>
>> Am I doing something wrong with these options in the ralabel.conf file?
>>
>> RALABEL_GEOIP_ASN=yes
>> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
>>
>>
>> Is there a way to select all argus records within a specific country?
>>
>> thanks again for your help
>>
>> argus-client version = 3.0.2 beta 12
>
>
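The diagnostic Carter describes above (label with ralabel -f, write to a file, make sure RA_DELEGATED_IP is commented out in .rarc, then print sco/dco with ra() instead of racluster()), as an added shell script that is not part of this thread or of the argus project; the file paths, the rarc location and the ZZ-counting check are assumptions.

```shell
#!/bin/sh
# Added diagnostic following Carter's steps; not code from the argus project.
# Paths and the rarc location below are assumptions, override via environment.
RALABEL_CONF=${RALABEL_CONF:-/usr/local/argus/ralabel.conf}
RARC=${RARC:-$HOME/.rarc}
LABELED=${LABELED:-${TMPDIR:-/tmp}/ralabel_check.argus}

# Returns 0 when an uncommented RA_DELEGATED_IP line is still active in the
# given rarc file, i.e. step 3 (comment it out) has not been done yet.
rarc_delegated_active() {
    grep -q '^[[:space:]]*RA_DELEGATED_IP' "$1"
}

# Steps 1-2: label one argus data file with -f and write the records to disk.
label_records() {
    ralabel -n -f "$RALABEL_CONF" -r "$1" -w "$LABELED"
}

# Step 4: read sco/dco straight from the labeled file with ra(), bypassing
# racluster(), so missing codes can be attributed to ralabel() alone.
print_country_fields() {
    ra -n -r "$LABELED" -s stime sco dco saddr daddr
}

# Reads ra output on stdin (header line first, then one record per line with
# sco in column 2 and dco in column 3) and prints how many records carry the
# "unknown" code ZZ on both sides. If that equals the record count, no
# country codes were written at all.
count_unknown() {
    awk 'NR > 1 && $2 == "ZZ" && $3 == "ZZ" { n++ } END { print n + 0 }'
}

main() {
    if rarc_delegated_active "$RARC"; then
        echo "comment out RA_DELEGATED_IP in $RARC before testing" >&2
        exit 1
    fi
    label_records "$1"
    total=$(print_country_fields | count_unknown)
    echo "records with sco=dco=ZZ: $total"
}

# Run only when given an argus file, e.g. ./ralabel_check.sh /path/to/argus_file
if [ -n "${1:-}" ]; then
    main "$1"
fi
```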