problem with ralabel and country code

Carter Bullard carter at qosient.com
Sat Aug 29 22:52:01 EDT 2009


Test to see that country codes are being written into the records.
Run ralabel() and write the output to a file.
Comment out the "RA_DELEGATED_IP" variable in your .rarc file,
and then print the sco and dco fields from the ralabel() created file.
That will tell us if the problem is in ralabel() or racluster().

Carter

On Aug 29, 2009, at 5:07 PM, jean-marc pouchoulon wrote:

> hey Carter,
>
> I'm using the -f option:
>
> ralabel -nnn  -f /usr/local/argus/ralabel.conf -r /var/argus/ 
> 2009/08/28/argus_00\:00\:00 -w - |racluster -m sco
>       StartTime    Flgs  Proto sCo            SrcAddr  Sport   Dir  
> dCo            DstAddr  Dport  TotPkts   TotBytes State
> 00:00:00.000000 Ne          ip  ZZ            0.0.0.0           ->   
> ZZ            0.0.0.0         2574989 1070763217   INT
>
> jean-marc
>
> 2009/8/29 Carter Bullard <carter at qosient.com>
> Hey Jean-Marc,
> So you need to use the "-f /path/to/your/ralabel.conf".  Without  
> this,  ralabel() doesn't
> know to add a country code?
> Carter
>
> On Aug 29, 2009, at 4:45 PM, jean-marc pouchoulon wrote:
>
>> Hello,
>>
>> I tried these commands from http://osdir.com/ml/network.argus/2007-10/msg00002.html.
>>
>>   ralabel -nnnR datadir -w - | racluster -m sco -w - | rasort -m  
>> bytes -s stime dur sco trans pkts bytes state
>>
>> but the country code does not seem to be appended to the records, and I get
>> this one-line result
>>
>>       StartTime    Flgs  Proto sCo            SrcAddr  Sport   Dir  
>> dCo            DstAddr  Dport  TotPkts   TotBytes State
>> 00:00:00.000000 Ne          ip  ZZ            0.0.0.0           ->   
>> ZZ            0.0.0.0         2574989 1070763217   INT
>>
>> In debug mode I can see a "ref" to Country code:
>>
>> ralabel[2986.4039d4b7]: 22:27:55.723204 ArgusPrintCountryCode  
>> (0xb7d00008, 0xb7c9e538, 0xb7c9e264, 1, 3, 0xbfcb23b8) returning
>> 00:00:01.584000 Ne         tcp     wy-in-f147.google*.http      - 
>> >     proxecoles...*.34912         8       6192   FIN
>> ralabel[2986.4039d4b7]: 22:27:55.723261 RaProcessRecord  
>> (0xb7c9e538) returning
>>
>> Am I doing something wrong with these options in the ralabel.conf file?
>>
>> RALABEL_GEOIP_ASN=yes
>> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
>>
>>
>> Is there a way to select all argus records within a specific
>> country?
>>
>> thanks again for your help
>>
>> argus-client version = 3.0.2 beta 12
>
>
