filtering on pkts == filtering on dst pkts ?
George Jones
fooologist at gmail.com
Tue Oct 5 09:38:19 EDT 2010
This does not look right. Looks like "racluster ... -w - | ra -r - - pkts gt N" is filtering on "dst pkts gt N". I expected it to filter on total pkts gt N.
Bug in the code or my understanding?
Thanks,
---George
george at antique:~/data/pcap$ ra -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620
StartTime        Flgs  Proto  SrcAddr Sport    Dir  DstAddr Dport  TotPkts  TotBytes  State  SrcPkts  DstPkts
08:34:39.956574  e     tcp    100.0.1.7.53620  ->   100.0.3.1.www  62       39399     CON    29       33
08:34:45.818360  e     tcp    100.0.1.7.53620  ->   100.0.3.1.www  8        2174      CON    4        4
08:36:49.895042  e     tcp    100.0.1.7.53620  <?>  100.0.3.1.www  4        264       FIN    2        2
george at antique:~/data/pcap$
george at antique:~/data/pcap$ # clustered
george at antique:~/data/pcap$ racluster -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620
StartTime        Flgs  Proto  SrcAddr Sport    Dir  DstAddr Dport  TotPkts  TotBytes  State  SrcPkts  DstPkts
08:34:39.956574  e     tcp    100.0.1.7.53620  ->   100.0.3.1.www  74       41837     FIN    35       39
george at antique:~/data/pcap$
george at antique:~/data/pcap$ # pkts gt dstpkts - 1
george at antique:~/data/pcap$ racluster -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620 and pkts gt 38
StartTime        Flgs  Proto  SrcAddr Sport    Dir  DstAddr Dport  TotPkts  TotBytes  State  SrcPkts  DstPkts
08:34:39.956574  e     tcp    100.0.1.7.53620  ->   100.0.3.1.www  74       41837     FIN    35       39
george at antique:~/data/pcap$
george at antique:~/data/pcap$ #pkts gt dst pkts
george at antique:~/data/pcap$ racluster -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620 and pkts gt 39
george at antique:~/data/pcap$
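The following is an added example, not part of George's post and not code from the Argus project. It re-parses the records he pasted (copied here as constructed sample input in ra's default whitespace-separated layout) and replays both candidate semantics for "pkts gt N", total packets versus destination packets, against the two runs he reported (N=38 printed one row, N=39 printed none). It also checks that the clustered record is the column-wise sum of the three unclustered ones, which is what racluster is expected to produce. Field names such as `tot_pkts` and the `consistent_fields` helper are this example's own, not ra filter keywords.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed input: the rows from the posted `ra` output, header plus records.
# ra prints SrcAddr/Sport and DstAddr/Dport joined with a dot, so each record
# has 11 whitespace-separated tokens even though the header names 13 columns.
UNCLUSTERED = """\
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State SrcPkts DstPkts
08:34:39.956574 e tcp 100.0.1.7.53620 -> 100.0.3.1.www 62 39399 CON 29 33
08:34:45.818360 e tcp 100.0.1.7.53620 -> 100.0.3.1.www 8 2174 CON 4 4
08:36:49.895042 e tcp 100.0.1.7.53620 <?> 100.0.3.1.www 4 264 FIN 2 2
"""

CLUSTERED = """\
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State SrcPkts DstPkts
08:34:39.956574 e tcp 100.0.1.7.53620 -> 100.0.3.1.www 74 41837 FIN 35 39
"""

# (N, number of rows ra printed) for the two "... and pkts gt N" runs in the post.
OBSERVED = [(38, 1), (39, 0)]

# Counters a "pkts gt N" filter could plausibly be applied to (names are ours).
COUNTER_FIELDS = ("tot_pkts", "src_pkts", "dst_pkts")


@dataclass(frozen=True)
class Flow:
    start_time: str
    flags: str
    proto: str
    src: str          # SrcAddr.Sport as ra prints it, e.g. 100.0.1.7.53620
    direction: str
    dst: str          # DstAddr.Dport, e.g. 100.0.3.1.www
    tot_pkts: int
    tot_bytes: int
    state: str
    src_pkts: int
    dst_pkts: int


def parse_ra(text: str) -> list[Flow]:
    """Parse ra's default column output; the first line is the header."""
    flows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 11:
            raise ValueError(f"unexpected column count {len(parts)}: {line!r}")
        flows.append(Flow(parts[0], parts[1], parts[2], parts[3], parts[4], parts[5],
                          int(parts[6]), int(parts[7]), parts[8],
                          int(parts[9]), int(parts[10])))
    return flows


def totals_consistent(flows: list[Flow]) -> bool:
    """TotPkts should equal SrcPkts + DstPkts on every record."""
    return all(f.tot_pkts == f.src_pkts + f.dst_pkts for f in flows)


def merge_counters(flows: list[Flow]) -> tuple[int, int, int, int]:
    """Sum the packet/byte counters, as racluster does when it merges a flow."""
    return (sum(f.tot_pkts for f in flows), sum(f.tot_bytes for f in flows),
            sum(f.src_pkts for f in flows), sum(f.dst_pkts for f in flows))


def apply_gt(flows: list[Flow], field: str, n: int) -> list[Flow]:
    """Emulate a 'FIELD gt N' filter on one of the packet counters."""
    return [f for f in flows if getattr(f, field) > n]


def consistent_fields(flows: list[Flow], observations: list[tuple[int, int]]) -> list[str]:
    """Which counters reproduce every (N, rows printed) observation?"""
    return [fld for fld in COUNTER_FIELDS
            if all(len(apply_gt(flows, fld, n)) == seen for n, seen in observations)]


if __name__ == "__main__":
    raw, merged = parse_ra(UNCLUSTERED), parse_ra(CLUSTERED)
    print("totals consistent:", totals_consistent(raw) and totals_consistent(merged))
    print("sum of unclustered counters:", merge_counters(raw))
    print("clustered record counters:  ", merge_counters(merged))
    for n, seen in OBSERVED:
        for fld in COUNTER_FIELDS:
            print(f"pkts gt {n} on {fld}: {len(apply_gt(merged, fld, n))} row(s), ra printed {seen}")
    print("counters matching every observation:", consistent_fields(merged, OBSERVED))
```

Run stand-alone it reports that only the destination-packet counter reproduces both observations (74 > 39 would have kept the row under a total-packets reading), which is the discrepancy the post describes; the merged-counter check confirms the clustered row is the plain sum of the three unclustered ones.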