-s option problems, how to extract new features

Berkay Celik argusflow at gmail.com
Mon Oct 4 12:43:10 EDT 2010 

  Hey,

After 2 week practice with argus (argus-clients-3.0.2), i'm facing some 
problems.
let me start:
1st Using 
http://bro-ids.org/enterprise-traces/hdr-traces05/lbl-internal.20041004-1303.port001.dump.anon
pcap file i'm trying to get some of -s features,

after converting arg file with the command :
argus -r lbl-internal.20041004-1303.port001.dump.anon -w output.arg

Simply ra -nr output.arg -s stime - ip | less : gives all black page. 
(exported to csv file again blank file, tried with other features such 
as saddr only gives these

without stime)
when i try the to see the default ra features :
everthing works fine (ra -nr output.arg -s stime - ip | less)

before posting i thought that what if my pcap file has problems, so i 
tried it with another pcap file however problem remains.


2nd when i read the man pages i see that there are alot of features i 
can extract:
spktsz: histogram for the src packet size distribution
smaxsz,dminsz etc. seems nice so i start trying...

Convert to arg file:
argus -r lbl-internal.20041004-1303.port001.dump.anon -w output.arg

simply i just wrote:

ra -L0 -nnr output.arg -s stime ltime dir saddr sport daddr dport proto 
dir spktsz smaxsz dpktsz dmaxs - ip

But the result is giving with these features as default
SrcAddr Sport DstAddr Dport Type Dir SrcPkt   DstPkt

okey there is a problem with stime, omit it and try it again see what 
happens:
again same results,

Maybe i remembered from Lee's blog i have to use -  -mAJZRU option, he 
says to get as much data as possible.

again i got error using -mAJZRU 512, probably version differences and 
some options i don't need.
so reducing the options by reading the help page.

argus -J -r lbl-internal.20041004-1303.port001.dump.anon -w majzru.arg

and tried all command same results.

3rd i need to get some other stats from the flows i defined in a 
timeslice, let says from destination to source median of the packets or 
variance of total bytes in packets etc. some unique features i'm looking 
for.

how can i add these to the -s option.

thanks

i really appreciate your help,

Berkay

More information about the argus mailing list