Time filters

Rafael Barbosa rrbarbosa at gmail.com
Mon Jul 12 06:01:08 EDT 2010


Debug output:

ra -D5 -t 2009/01/22 -r file.argus
ra[8175.20cc2670ff7f0000]: 2010-07-12_11:43 ArgusParseTime (0x50c000, 0x50c100, 0x50c138,2009,  ) retn 3: 1232492400
ra[8175.20cc2670ff7f0000]: 2010-07-12_11:43 ArgusCheckTimeFormat (0x7026e960, 2009/01/22) retn 0: 1232492400-1232578800
ra[8175.20cc2670ff7f0000]: 2010-07-12_11:43 ArgusParseTimeArg (2009/01/22, 6, 0x7026e960)
ra[8175.20cc2670ff7f0000]: 2010-07-12_11:43 ArgusAddFileList (0x50c000, file.argus, 1, -1, -1) returning 1

I don't really understand the output, but it looks like the output you
provided.

Now, regarding the traffic at this specific date, indeed there is no traffic
in the first hours of this date (2009/01/22). The following tests give me
no output (no flows):

ra -t 2009/01/22 -r file.argus
ra -t 2009/01/22.** -r file.argus
ra -t 2009/01/22.00 -r file.argus
ra -t 2009/01/22.01 -r file.argus

But I start to get some data with the following (I used the -F option to
include the date in the output):
ra -F raTime.conf -t 2009/01/22.02 -r file.argus
2009-01-22_02:22  e         tcp         10.16.4.21.4695     <?>       10.16.4.11.teleni      271      65774   CON
...

What I don't understand is why I get no data using the filters "2009/01/22"
and "2009/01/22.**", while there is traffic on day 22. These filters should
give me all flows of this date, regardless of the time of day, right?

I used the following filter to get all flow data from this day: "-t
2009/01/22.00-2009/01/22.23", and it seems to work.

Best regards,
Rafael Barbosa

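The epoch windows printed by the two debug runs above can be checked independently of ra. An added example, written for this page and not part of argus or of either mail, that does two things: it renders an epoch window in a chosen UTC offset and finds the only whole-hour offset in which the window is exactly one local calendar day, and it carries a simplified reference implementation of the -t forms used in this thread (day, day.hour, A-B range, A+Nd span, with ".**" treated as an hour wildcard) so the window ra reports can be compared with the window you meant. The grammar, the UTC+1 offset chosen for the sample, and the "match on flow start time only" rule are assumptions for illustration, not argus's documented behaviour; the sample records marked as constructed are made up except for the two epoch values quoted later in the thread.

```python
"""Added example (not argus code): check what a -t time filter actually resolved to.

Two pieces, both written for this page and not argus's own logic:
  1. decode the epoch window that `ra -D5` prints after ArgusCheckTimeFormat,
  2. a simplified reference implementation of the -t forms used in this thread,
     so the window ra reports can be compared with the window you meant.
"""
from datetime import datetime, timedelta, timezone

DAY = 86400


def _tz(utc_offset_hours):
    return timezone(timedelta(hours=utc_offset_hours))


def decode_window(start, end, utc_offset_hours):
    """Render an epoch window (as printed by ra -D5) in a fixed UTC offset."""
    tz = _tz(utc_offset_hours)
    return (datetime.fromtimestamp(start, tz).isoformat(),
            datetime.fromtimestamp(end, tz).isoformat())


def local_day(start, end):
    """If [start, end) is exactly one calendar day in some whole-hour UTC offset
    (-12..+14), return (that date, offset); otherwise None.  Only one offset in
    that range can put `start` at local midnight, so the answer is unambiguous."""
    if end - start != DAY:
        return None
    for off in range(-12, 15):
        dt = datetime.fromtimestamp(start, _tz(off))
        if (dt.hour, dt.minute, dt.second) == (0, 0, 0):
            return dt.date().isoformat(), off
    return None


def _unit(spec, tz):
    """'YYYY/MM/DD' -> that local day; 'YYYY/MM/DD.HH' -> that local hour;
    'YYYY/MM/DD.**' -> the whole day (treating '**' as an hour wildcard is an
    assumption).  Returns a half-open (start, end) epoch pair."""
    date, _, hour = spec.partition('.')
    y, m, d = (int(x) for x in date.split('/'))
    if hour and hour != '**':
        t0 = datetime(y, m, d, int(hour), tzinfo=tz)
        return int(t0.timestamp()), int((t0 + timedelta(hours=1)).timestamp())
    t0 = datetime(y, m, d, tzinfo=tz)
    return int(t0.timestamp()), int((t0 + timedelta(days=1)).timestamp())


def parse_time_filter(expr, utc_offset_hours):
    """Assumed reference semantics for the -t forms seen in the thread:
       A        -> the unit A             (2009/01/22, 2009/01/22.02)
       A-B      -> start of A to end of B (2009/01/22.00-2009/01/22.23)
       A+Nd     -> start of A for N days  (2009/01/19+7d)
    Filter dates are interpreted in the given local offset."""
    tz = _tz(utc_offset_hours)
    if '+' in expr:
        base, span = expr.split('+', 1)
        if not span.endswith('d'):
            raise ValueError("only +Nd spans are handled in this example")
        start, _ = _unit(base, tz)
        return start, start + int(span[:-1]) * DAY
    if '-' in expr:   # dates use '/', so '-' only ever separates a range
        a, b = expr.split('-', 1)
        return _unit(a, tz)[0], _unit(b, tz)[1]
    return _unit(expr, tz)


def select_records(records, expr, utc_offset_hours):
    """Return the labels of records whose flow start time falls inside the
    filter window (matching on start time only is a simplification)."""
    lo, hi = parse_time_filter(expr, utc_offset_hours)
    return [label for t, label in records if lo <= t < hi]


# Constructed sample: (flow start epoch, label).  The first and last values are
# the ones quoted later in this thread; the middle two are made up here.
SAMPLE = [
    (1232372237, "19 Jan 13:37 GMT"),
    (1232535600, "21 Jan 12:00 CET"),
    (1232587320, "22 Jan 02:22 CET"),
    (1232997697, "26 Jan 19:21 GMT"),
]

if __name__ == "__main__":
    # The window from the ra -D5 output in this mail, rendered at UTC+1
    print(decode_window(1232492400, 1232578800, 1))
    print(local_day(1232492400, 1232578800))        # ('2009-01-21', 1)
    print(parse_time_filter("2009/01/22", 1))
    print(select_records(SAMPLE, "2009/01/22", 1))
```

Run against the numbers in the thread, local_day() reports that both printed windows, 1232492400-1232578800 and 1232514000-1232600400, are one full local day starting at midnight on 2009-01-21 (at UTC+1 and UTC-5 respectively), which is the day before the date given in the filter; no whole-hour offset makes either window start on 2009-01-22. Whatever the cause, that is the kind of check worth making before trusting a tool's time filter in an investigation: decode the window the tool says it applied, rather than the one you asked for.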

On Fri, Jul 9, 2010 at 4:22 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Rafael,
> You did find a bug in rabins.c, so this patch fixes the segmentation fault,
> and I'll have it in
> argus-clients-3.0.3.15 when it comes out on Monday.
>
> *** rabins.c    Fri Jul 31 11:50:38 2009
> --- rabins.c.new        Fri Jul  9 10:07:49 2010
> ***************
> *** 512,518 ****
>              }
>
>              for (i = RaBinProcess->index; i < (RaBinProcess->max + 1);
> i++) {
> !                if ((bin = RaBinProcess->array[i]) != NULL) {
>                    struct ArgusAggregatorStruct *agg = bin->agg;
>                    while (agg) {
>                       ArgusSortQueue(ArgusSorter, agg->queue);
> --- 512,518 ----
>              }
>
>              for (i = RaBinProcess->index; i < (RaBinProcess->max + 1);
> i++) {
> !                if ((RaBinProcess->array != NULL) && ((bin =
> RaBinProcess->array[i]) != NULL)) {
>                    struct ArgusAggregatorStruct *agg = bin->agg;
>                    while (agg) {
>                       ArgusSortQueue(ArgusSorter, agg->queue);
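Review bot: the new `RaBinProcess->array != NULL` test in the `if` inside the `for (i = RaBinProcess->index; ...)` loop is re-evaluated on every iteration although nothing in the loop body assigns `RaBinProcess->array`; hoist it to a single guard around the loop (for example `if (RaBinProcess->array != NULL) for (i = ...) { if ((bin = RaBinProcess->array[i]) != NULL) { ... } }`) so the no-bins case skips the loop outright and the intent, that a missing bin array is a valid state rather than an error, is visible at one place instead of inside the per-bin check.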
>
>
> When there are problems like this, it is helpful to run the ra* programs
> in debug mode, as the output can reveal the issue.  To do that you need to
> create
> the .debug tag file in the root directory of the distribution, and then
> reconfigure and remake.
> You will know if it is working as the '-D' option will appear when you run
> "ra -h".
>
> So to test your filter, with the -D option enabled, running ra() at level
> 5, I get this type of output:
>
> ../bin/ra -D5 -t 2009/01/22
> ra[52629.205ce670ff7f0000]: 2010/07/09.09:57:46.070326 ArgusParseTime (0x541000, 0x541100, 0x541138,2009,  ) retn 3: 1232514000
> ra[52629.205ce670ff7f0000]: 2010/07/09.09:57:46.070374 ArgusCheckTimeFormat (0x70e67960, 2009/01/22) retn 0: 1232514000-1232600400
> ra[52629.205ce670ff7f0000]: 2010/07/09.09:57:46.070385 ArgusParseTimeArg (2009/01/22, 4, 0x70e67960)
> ra[52629.205ce670ff7f0000]: 2010/07/09.09:57:46.070637 ArgusAddFileList (0x541000, -, 1, -1, -1) returning 1
>
> Which seems correct, so I'm not thinking that the time filter is bad.  (I'm
> using argus-clients-3.0.2 here)
>
> When I run ra() from argus-client-3.0.2 using your filter for some of my
> data on your day in question:
>   ra -t 2009/01/22 -r argus.2009.06.16.05.00.00
>
> I get all the records in the file printed to standard out, so I can't
> reproduce your filter problem here.
> It may be that you don't have any records that fall on that day.
> Try running with the debug option as I did above, and let's see what your
> filter says, and move the
> dates around to see if you can get any data at all.
>
>   ra -t 2009/01/19+7d -r file.argus
>
> Carter
>
>
>
> On Jul 9, 2010, at 9:40 AM, Rafael Barbosa wrote:
>
> > Hello,
> >
> > I have been trying to use the ra option "-t" to filter my data for some
> specific periods, and so far I have no luck. My ultimate goal is to identify
> the start/end of some peaks in my graph, and then identify which peaks are
> causing it. Two of the tests I tried:
> >
> > 1)Plot the graphs with ragraph:
> > ragraph pkts -M 5min -p0 -t 2009/01/22  -r file.argus -title "Total Load"
> -w pkts-peak.png
> >
> > I get the following error:
> > sh: line 1: 33203 Segmentation fault
>  /Users/barbosarr/workspace/argus-clients-3.0.2/bin/rabins -M hard zero -p6
> -GL0 -s ltime pkts -M 5min -p0 -t 2009/01/22 -r filet.argus >
> /var/tmp/tmp.0.jYku3e
> > usage: /Users/barbosarr/workspace/argus-clients-3.0.2/bin/ragraph metric
> (srcid | proto [daddr] | dport) [-title "title"] [ra-options]
> > /Users/barbosarr/workspace/argus-clients-3.0.2/bin/ragraph: unable to
> create `/var/tmp/tmp.0.jYku3e.rrd': start time: unparsable time:
> >
> > 2)I also tried the same filter to read and write the argus file with ra:
> > ra -t 2009/01/22  -r file.argus -w file.argus2
> >
> > No errors are reported, but no file.argus2 is created either.
> >
> > My data spans over a week from some time on 2009/01/19 to some time on
> 2009/01/26, as verified with ra:
> > ra -u -r plant-net.argus | head
> > 1232372237.107636  e         tcp         X.X.X.X.ibp      <?>
> X.X.X.X.boinc-       10       5240   CON
> > ...
> >
> > ra -u -r plant-net.argus | tail
> > 1232997697.830083  e s       tcp      X.X.X.X.worldf    ->
> X.X.X.X.iso-ts        1         74   REQ
> > ...
> >
> > 1232372237 == Mon, 19 Jan 2009 13:37:17 GMT
> > 1232997697 == Mon, 26 Jan 2009 19:21:37 GMT
> >
> > Any ideas on what I might be doing wrong?
> >
> > Thanks,
> > Rafael Barbosa
> >
> >
> >
>
>