-s option problems, how to extract new features

Carter Bullard carter at qosient.com
Tue Nov 2 19:31:15 EDT 2010 

Hey Berkay,
Because you were asking about the spktsz and dpktsz histogram metrics, and I'm close to releasing
argus-3.0.4, here is the update.  I've have validated that the sminsz, smaxsz, dminsz and dmaxsz
metrics (max and min packet size seen) works in argus-3.0.3.19 and argus-clients-3.0.3.19.
I will add smeansz, and dmeansz, which will be implemented as (sbytes/spkts and dbytes/dpkts),
as official fields for the argus-3.0.4 release, so you can print, sort, rahisto() support, etc......

I will put in the observed packet size histogram support in argus-3.0.5 as soon as we have released
argus-3.0.4, which hopefully is only days away.

Hopefully this will be useful,

Carter

On Oct 7, 2010, at 9:30 PM, Berkay Celik wrote:

> Thanks for the answer, Carter..
> You are right with the problem, it is with the anonymized files, now i'm done.
> 
> To get stats from the flows, we need some more options to be activated, just waiting for the spktsz and dpktsz -s options,
> 
> it will be great to analyze the flows because the by getting these histograms, we can get median, standard deviation etc.
> we don't want to switch another tool, so is that possible to give an exact date for these options to be activated ?
> our analysis stopped here,  we request to be as soon as possible to continue our analysis.
> 
> i hope to hear some good news,
> 
> thanks for your support,Carter.
> 
> Berkey Cellik
> 
> On 10/7/2010 5:51 PM, carter at qosient.com wrote:
>> Hey Berkay,
>> So one problem at a time.  Anonymized files can be problematic.  Does tcpdump() read this file?
>> 
>> You should have an /etc/argus.conf formatted file to turn some things on.  And to print well, you should have a .rarc file in your home directory, or available.  While these configuration files are not required, they do make it easier to figure out what is wrong.
>> 
>> stime is controlled by the RA_TIME_FORMAT variable, and the system locale functions.  These could be a problem.
>> 
>> Let's get your stime working and then we'll figure out the rest?
>> 
>> Carter
>> 
>> Sent from my Verizon Wireless BlackBerry
>> 
>> -----Original Message-----
>> From: Berkay Celik<argusflow at gmail.com>
>> Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
>> Date: Mon, 04 Oct 2010 12:43:10
>> To:<argus-info at lists.andrew.cmu.edu>
>> Subject: [ARGUS] -s option problems, how to extract new features
>> 
>>   Hey,
>> 
>> After 2 week practice with argus (argus-clients-3.0.2), i'm facing some
>> problems.
>> let me start:
>> 1st Using
>> http://bro-ids.org/enterprise-traces/hdr-traces05/lbl-internal.20041004-1303.port001.dump.anon
>> pcap file i'm trying to get some of -s features,
>> 
>> after converting arg file with the command :
>> argus -r lbl-internal.20041004-1303.port001.dump.anon -w output.arg
>> 
>> Simply ra -nr output.arg -s stime - ip | less : gives all black page.
>> (exported to csv file again blank file, tried with other features such
>> as saddr only gives these
>> 
>> without stime)
>> when i try the to see the default ra features :
>> everthing works fine (ra -nr output.arg -s stime - ip | less)
>> 
>> before posting i thought that what if my pcap file has problems, so i
>> tried it with another pcap file however problem remains.
>> 
>> 
>> 2nd when i read the man pages i see that there are alot of features i
>> can extract:
>> spktsz: histogram for the src packet size distribution
>> smaxsz,dminsz etc. seems nice so i start trying...
>> 
>> Convert to arg file:
>> argus -r lbl-internal.20041004-1303.port001.dump.anon -w output.arg
>> 
>> simply i just wrote:
>> 
>> ra -L0 -nnr output.arg -s stime ltime dir saddr sport daddr dport proto
>> dir spktsz smaxsz dpktsz dmaxs - ip
>> 
>> But the result is giving with these features as default
>> SrcAddr Sport DstAddr Dport Type Dir SrcPkt   DstPkt
>> 
>> okey there is a problem with stime, omit it and try it again see what
>> happens:
>> again same results,
>> 
>> Maybe i remembered from Lee's blog i have to use -  -mAJZRU option, he
>> says to get as much data as possible.
>> 
>> again i got error using -mAJZRU 512, probably version differences and
>> some options i don't need.
>> so reducing the options by reading the help page.
>> 
>> argus -J -r lbl-internal.20041004-1303.port001.dump.anon -w majzru.arg
>> 
>> and tried all command same results.
>> 
>> 3rd i need to get some other stats from the flows i defined in a
>> timeslice, let says from destination to source median of the packets or
>> variance of total bytes in packets etc. some unique features i'm looking
>> for.
>> 
>> how can i add these to the -s option.
>> 
>> thanks
>> 
>> i really appreciate your help,
>> 
>> Berkay
>> 
>> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101102/26cd7e7d/attachment.bin>

More information about the argus mailing list