-s option problems, how to extract new features
carter at qosient.com
Thu Oct 7 17:51:12 EDT 2010
Hey Berkay,
So one problem at a time. Anonymized files can be problematic. Does tcpdump() read this file?
You should have an /etc/argus.conf formatted file to turn some things on. And to print well, you should have a .rarc file in your home directory, or available. While these configuration files are not required, they do make it easier to figure out what is wrong.
stime is controlled by the RA_TIME_FORMAT variable, and the system locale functions. These could be a problem.
Let's get your stime working and then we'll figure out the rest?
Carter
Sent from my Verizon Wireless BlackBerry
-----Original Message-----
From: Berkay Celik <argusflow at gmail.com>
Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
Date: Mon, 04 Oct 2010 12:43:10
To: <argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] -s option problems, how to extract new features
Hey,
After 2 weeks' practice with argus (argus-clients-3.0.2), I'm facing some
problems.
Let me start:
1st: Using the
http://bro-ids.org/enterprise-traces/hdr-traces05/lbl-internal.20041004-1303.port001.dump.anon
pcap file, I'm trying to get some of the -s features,
after converting to an arg file with the command:
argus -r lbl-internal.20041004-1303.port001.dump.anon -w output.arg
Simply ra -nr output.arg -s stime - ip | less gives an all-blank page.
(Exported to a csv file, again a blank file; tried with other features such
as saddr, it only gives these
without stime.)
When I try to see the default ra features,
everything works fine (ra -nr output.arg -s stime - ip | less).
Before posting I thought: what if my pcap file has problems? So I
tried it with another pcap file; however, the problem remains.
2nd: When I read the man pages I see that there are a lot of features I
can extract:
spktsz: histogram for the src packet size distribution
smaxsz, dminsz etc. seem nice, so I start trying...
Convert to arg file:
argus -r lbl-internal.20041004-1303.port001.dump.anon -w output.arg
Simply, I just wrote:
ra -L0 -nnr output.arg -s stime ltime dir saddr sport daddr dport proto dir spktsz smaxsz dpktsz dmaxs - ip
But the result is given with these default features:
SrcAddr Sport DstAddr Dport Type Dir SrcPkt DstPkt
Okay, there is a problem with stime; omit it and try it again to see what
happens:
again the same results.
Maybe, as I remembered from Lee's blog, I have to use the -mAJZRU option; he
says to use it to get as much data as possible.
Again I got an error using -mAJZRU 512, probably version differences and
some options I don't need.
So, reducing the options by reading the help page:
argus -J -r lbl-internal.20041004-1303.port001.dump.anon -w majzru.arg
and I tried all the commands, same results.
3rd: I need to get some other stats from the flows I defined in a
timeslice, let's say from destination to source the median of the packets or
the variance of total bytes in packets etc., some unique features I'm looking
for.
How can I add these to the -s option?
Thanks,
I really appreciate your help,
Berkay
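The third question asks for per-timeslice statistics that no -s field prints directly. As an added example (not from this thread or the argus project), the script below post-processes delimited ra output instead; it assumes a command like `ra -u -nr output.arg -c , -s stime saddr daddr sbytes dbytes spkts dpkts` (the `-u` epoch-time and `-c` delimiter flags are assumptions), and the sample lines are constructed, not real output.

```python
"""Per-timeslice flow statistics over delimited ra(1) output (added example).
Assumed producing command (epoch-second start times, comma delimiter):
    ra -u -nr output.arg -c , -s stime saddr daddr sbytes dbytes spkts dpkts
"""
from collections import defaultdict
from statistics import median, pvariance

# Constructed sample lines in that field order, not real ra output.
SAMPLE = """\
StartTime,SrcAddr,DstAddr,SrcBytes,DstBytes,SrcPkts,DstPkts
1096911780.10,10.0.0.5,10.0.0.9,400,600,4,6
1096911781.20,10.0.0.5,10.0.0.9,800,1200,3,9
1096911795.00,10.0.0.7,10.0.0.9,1000,2000,5,2
1096911805.00,10.0.0.5,10.0.0.9,1500,2500,7,12
1096911840.00,10.0.0.7,10.0.0.9,200,300,2,3
"""

def parse_ra_csv(text):
    """Parse ra -c output into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split(",")
        try:
            stime = float(f[0])           # fails on the "StartTime" header
        except ValueError:
            continue
        rows.append({"stime": stime, "saddr": f[1], "daddr": f[2],
                     "sbytes": int(f[3]), "dbytes": int(f[4]),
                     "spkts": int(f[5]), "dpkts": int(f[6])})
    return rows

def timeslice_stats(rows, slice_seconds):
    """Bin flows into fixed slices keyed by slice start (epoch seconds); per
    slice give the median of dst->src packets and the population variance
    of total bytes (sbytes + dbytes)."""
    slices = defaultdict(list)
    for r in rows:
        slices[int(r["stime"] // slice_seconds) * slice_seconds].append(r)
    stats = {}
    for start, flows in sorted(slices.items()):
        stats[start] = {
            "flows": len(flows),
            "median_dpkts": median(f["dpkts"] for f in flows),
            "var_total_bytes": pvariance([f["sbytes"] + f["dbytes"] for f in flows]),
        }
    return stats
```

With a 30-second slice the sample above yields two bins: one of four flows and one of a single flow, whose variance is 0.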