question regarding argus-client.

Carter Bullard carter at qosient.com
Thu Jan 28 12:28:47 EST 2010


Hey Pengiran,
You will have to send email to the argus mailing list for me to respond
to them.  And try to keep your questions to one at a time.  I'm forwarding
this to the list, so that it gets in the archive.

Please send PDFs rather than Word files.  While I don't trust either of these
formats, if you need to send a diagram, PDFs are better for me.

If you have errors running a program, please send any error messages
along with the command line options, so I can figure out what the problem
may be.

For your situation where you want to populate a MySQL database table with
the primitive argus data from 4 remote argus sensors,  you will want 
to use radium() to collect the records from the 4 sensors, and a single
rasqlinsert() to read the combined stream of argus records and write them
to the database table you specify.  You will want to make sure that the "srcid"
field is in the list of print fields, so that rasqlinsert() will create a column with
the argus source id, so you can pick and choose the records you're interested
in.

radium() uses a /etc/radium.conf configuration file that you will create, using
the sample provided in ./support/Config/radium.conf.  Create 4
RADIUM_ARGUS_SERVER="" lines with the addresses of the
4 argus sources, and set the RADIUM_ACCESS_PORT to a number
you like. I use 561, but for this example let's call it XXXX.

This will collect the data from the 4 sensors, and give you a single point
to access all the data.  Use ra() as a test, to attach to your radium() and
see the traffic that it is collecting.

   ra -S localhost:XXXX -s +1srcid

The fields that ra() prints will be the fields that are used to define the database
schema.  You don't want a large number of fields, just the ones that will be useful
for you.  autoid, stime, srcid, saddr, daddr, proto, sport, dport, pkts, and bytes are
a good start, but you will want to modify that.  The binary record is inserted into the database,
so all the other information is stored, but it's not "exposed" to MySQL.

You will run rasqlinsert() so that it attaches to radium().

   rasqlinsert -m none -S localhost:XXXX -s +0autoid +1srcid -M time 1d \
          -w mysql://user@localhost/argus/argusTable_%Y_%m_%d

This will write records into a daily table that has the date in its name.
Using mysql(), check the schema that rasqlinsert() created, and add fields using
the "-s " option as needed.  Be sure to drop any tables from the data that may
be affected if you change the schema.

Using the mysql() program, print out the current schema for the table that you
are writing into.

% mysql -u user 
mysql> use argus
mysql> describe argusTable_2010_01_28
+--------+-----------------------+------+-----+---------+-------+
| Field  | Type                  | Null | Key | Default | Extra |
+--------+-----------------------+------+-----+---------+-------+
| ltime  | double(18,6) unsigned | NO   |     | NULL    |       | 
| dur    | double(18,6)          | NO   |     | NULL    |       | 
| srcid  | varchar(64)           | NO   | PRI |         |       | 
| saddr  | varchar(64)           | NO   | PRI | NULL    |       | 
| daddr  | varchar(64)           | NO   | PRI | NULL    |       | 
| bytes  | bigint(20)            | YES  |     | NULL    |       | 
| record | blob                  | YES  |     | NULL    |       | 
+--------+-----------------------+------+-----+---------+-------+
7 rows in set (0.03 sec)

The "record" field holds the argus record.



Carter

On Jan 28, 2010, at 11:50 AM, pengiran Awang wrote:

> Hai Carter,
> 
> Thank you for helping me. I managed to write the data into the MySQL database, but unfortunately I face a new challenge when trying to deal with multiple sensors.
> 
> With this email I attach a basic overview of what I am trying to achieve for my project.
> 
> Need your advice and guidance.
> 
> Regards,
> Peng    
> 
> On Sat, Jan 23, 2010 at 4:31 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey Peng,
> I forgot to mention that you should read the database page on the argus web site.
> 
>    http://qosient.com/argus/database.htm
> 
> It may answer some of your questions.
> 
> Carter
> 
> On Jan 22, 2010, at 12:18 AM, pengiran Awang wrote:
> 
>> Hai Carter,
>> 
>> I am a student at a local university in Malaysia and I have just started using argus.
>> 
>> I want to ask for your help and suggestions.
>> 
>> Currently I'm building 4 argus sensors and 1 database server (MySQL).
>> 
>> I read the mailing list 
>> http://thread.gmane.org/gmane.network.argus/6953/focus=6964
>> and I managed to insert the data using rasqlinsert() with this command.
>> 
>> argus -r <tcpdump.out> -w - | rasqlinsert -r - -w mysql://user@host/db/argusTable
>> 
>> Will this command directly insert the new traffic recorded in the tcpdump file into the same table (argusTable)?
>> 
>> 
>> I'm trying to create only one table that will record all the traffic from the 4 sensors... is there any possibility of inserting the data from multiple sensors into the same table (argusTable) without creating a new table in the database?
>> 
>> Can the "record" field be used to tell which sensor this record came from?
>> 
>> Sorry for asking you such basic questions. I have tried to go through the mailing list for 4 days now and I just get lost in it =(.
>> 
>> Regards,
>> peng
>> 
>> 
> 
> 
> <Question_To_Carter.doc>

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
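The reason Carter asks for srcid in the print-field list is that, once radium() has merged the four streams, the srcid column is the only thing that separates one sensor's rows from another's in the shared daily table. The script below is an added example, not code from the argus project or from this thread: it builds a daily table with the columns the mysql "describe" output above shows (sqlite3 standing in for MySQL so it runs offline), loads a few constructed flows, and then uses the srcid column for two things a practitioner actually needs: pulling one sensor's records out of the shared table, and noticing when one of the four sensors wrote nothing into a day's table. The four sensor ids (192.0.2.x addresses), the timestamps and the flows are all constructed for the example; the table-name pattern is the one from the rasqlinsert command line above.

```python
import sqlite3
from datetime import date

# Assumed sensor ids: the srcid each argus sensor stamps on its records.
# The four addresses are constructed for this example.
EXPECTED_SRCIDS = {"192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"}

DAY1 = date(2010, 1, 27)
DAY2 = date(2010, 1, 28)


def table_name(day):
    """Daily table name, same pattern as -w mysql://.../argusTable_%Y_%m_%d."""
    if not isinstance(day, date):
        # Only a date object may become a table name; keeps the f-strings below safe.
        raise TypeError("day must be a datetime.date")
    return day.strftime("argusTable_%Y_%m_%d")


def create_daily_table(conn, day):
    """Columns as in the 'describe argusTable_2010_01_28' output on the page;
    sqlite types stand in for the MySQL ones."""
    conn.execute(
        f'CREATE TABLE IF NOT EXISTS "{table_name(day)}" ('
        " ltime REAL NOT NULL, dur REAL NOT NULL, srcid TEXT NOT NULL,"
        " saddr TEXT NOT NULL, daddr TEXT NOT NULL, bytes INTEGER, record BLOB,"
        " PRIMARY KEY (srcid, saddr, daddr))"
    )


def insert_flow(conn, day, ltime, dur, srcid, saddr, daddr, nbytes, record=b""):
    """Insert one flow; 'record' is where rasqlinsert keeps the binary argus record."""
    conn.execute(
        f'INSERT INTO "{table_name(day)}" VALUES (?, ?, ?, ?, ?, ?, ?)',
        (ltime, dur, srcid, saddr, daddr, nbytes, record),
    )


def sensors_seen(conn, day):
    """Distinct srcid values that wrote into that day's table."""
    rows = conn.execute(f'SELECT DISTINCT srcid FROM "{table_name(day)}"').fetchall()
    return {r[0] for r in rows}


def missing_sensors(conn, day, expected=EXPECTED_SRCIDS):
    """Sensors that contributed no record that day. A sensor that died, or that
    radium() dropped, shows up here rather than as a silent hole in the data."""
    return set(expected) - sensors_seen(conn, day)


def records_for_sensor(conn, day, srcid):
    """Pick one sensor's flows out of the shared table via the srcid column."""
    return conn.execute(
        f'SELECT ltime, dur, saddr, daddr, bytes FROM "{table_name(day)}" '
        "WHERE srcid = ? ORDER BY ltime",
        (srcid,),
    ).fetchall()


def bytes_per_sensor(conn, day):
    """Total bytes each sensor reported that day, keyed by srcid."""
    rows = conn.execute(
        f'SELECT srcid, SUM(bytes) FROM "{table_name(day)}" GROUP BY srcid'
    ).fetchall()
    return dict(rows)


def build_demo():
    """In-memory database with constructed flows: all four sensors report on
    DAY1, but sensor 192.0.2.14 goes silent on DAY2."""
    conn = sqlite3.connect(":memory:")
    for day in (DAY1, DAY2):
        create_daily_table(conn, day)
    t = 1264550400.0  # constructed epoch timestamp: 2010-01-27 00:00 UTC
    flows = [
        (DAY1, t + 1, 0.5, "192.0.2.11", "10.0.0.5", "10.0.1.9", 1200),
        (DAY1, t + 2, 0.2, "192.0.2.11", "10.0.0.6", "10.0.1.9", 800),
        (DAY1, t + 3, 1.1, "192.0.2.12", "10.0.0.7", "10.0.1.9", 4000),
        (DAY1, t + 4, 0.9, "192.0.2.13", "10.0.0.8", "10.0.1.9", 300),
        (DAY1, t + 5, 2.0, "192.0.2.14", "10.0.0.9", "10.0.1.9", 150),
        (DAY2, t + 86401, 0.4, "192.0.2.11", "10.0.0.5", "10.0.1.9", 900),
        (DAY2, t + 86402, 0.3, "192.0.2.12", "10.0.0.7", "10.0.1.9", 2500),
        (DAY2, t + 86403, 0.7, "192.0.2.13", "10.0.0.8", "10.0.1.9", 600),
    ]
    for day, ltime, dur, srcid, saddr, daddr, nbytes in flows:
        insert_flow(conn, day, ltime, dur, srcid, saddr, daddr, nbytes)
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_demo()
    for day in (DAY1, DAY2):
        print(table_name(day), "missing:", sorted(missing_sensors(conn, day)) or "none")
        print("  bytes per sensor:", bytes_per_sensor(conn, day))
```

Against a real rasqlinsert table the same queries work unchanged with a MySQL connector in place of sqlite3; the point of the check is that it is only possible because srcid was in the "-s" list when the schema was created, which is why it should be chosen before the first table is written rather than added later.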


