-s option problems, how to extract new features

carter at qosient.com
Thu Oct 7 17:51:12 EDT 2010


Hey Berkay,
So one problem at a time.  Anonymized files can be problematic.  Does tcpdump() read this file?

You should have an /etc/argus.conf formatted file to turn some things on.  And to print well, you should have a .rarc file in your home directory, or available.  While these configuration files are not required, they do make it easier to figure out what is wrong.

stime is controlled by the RA_TIME_FORMAT variable, and the system locale functions.  These could be a problem.

Let's get your stime working and then we'll figure out the rest?

Carter 


-----Original Message-----
From: Berkay Celik <argusflow at gmail.com>
Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
Date: Mon, 04 Oct 2010 12:43:10 
To: <argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] -s option problems, how to extract new features

Hey,

After two weeks of practice with argus (argus-clients-3.0.2), I'm facing some 
problems.
Let me start:
1st: Using the
http://bro-ids.org/enterprise-traces/hdr-traces05/lbl-internal.20041004-1303.port001.dump.anon
pcap file, I'm trying to get some of the -s features.

After converting to an arg file with the command:
argus -r lbl-internal.20041004-1303.port001.dump.anon -w output.arg

Simply ra -nr output.arg -s stime - ip | less : gives a completely blank page. 
(Exported to a csv file, again a blank file; tried with other features such 
as saddr, which only gives these

without stime.)
When I try to see the default ra features,
everything works fine (ra -nr output.arg -s stime - ip | less).

Before posting I thought that my pcap file might have problems, so I 
tried it with another pcap file; however, the problem remains.


2nd: When I read the man pages I see that there are a lot of features I 
can extract:
spktsz: histogram for the src packet size distribution
smaxsz, dminsz etc. seem nice, so I start trying...

Convert to arg file:
argus -r lbl-internal.20041004-1303.port001.dump.anon -w output.arg

Simply, I just wrote:

ra -L0 -nnr output.arg -s stime ltime dir saddr sport daddr dport proto 
dir spktsz smaxsz dpktsz dmaxsz - ip

But the result is given with these default features:
SrcAddr Sport DstAddr Dport Type Dir SrcPkt   DstPkt

Okay, there is a problem with stime; omit it, try again and see what 
happens:
again the same results.

Maybe, as I remembered from Lee's blog, I have to use the -mAJZRU option; he 
says it gets as much data as possible.

Again I got an error using -mAJZRU 512, probably version differences and 
some options I don't need,
so I reduced the options by reading the help page.

argus -J -r lbl-internal.20041004-1303.port001.dump.anon -w majzru.arg

and tried all the commands: same results.

3rd: I need to get some other stats from the flows I defined in a 
timeslice, let's say the median of the packets from destination to source, or the 
variance of total bytes in packets, etc.; some unique features I'm looking 
for.

How can I add these to the -s option?

Thanks,

I really appreciate your help.

Berkay
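Added example (not from this thread and not argus project code): the median and variance Berkay asks for in his third point are not ra -s fields, so the usual route is to have ra emit delimited records and compute the statistics downstream. The script below assumes ra was run as
ra -u -L0 -c , -nr output.arg -s stime saddr sport daddr dport proto spkts dpkts sbytes dbytes - ip
(-u for epoch-seconds stime, -L0 for one label line, -c , for comma-separated fields). The column labels and the sample records are constructed for the example; adjust the label constants to whatever your argus-clients version prints.

```python
"""Post-process delimited ra(1) output into per-timeslice statistics
(median dst->src mean packet size, variance of total bytes per flow)
that ra's -s field list does not provide directly.

Added example, not argus project code.  Assumed ra invocation:
  ra -u -L0 -c , -nr output.arg \
     -s stime saddr sport daddr dport proto spkts dpkts sbytes dbytes - ip
"""
import statistics
import sys
from collections import defaultdict

# Column labels as printed by ra -L0.  ASSUMPTION: adjust to your version.
COL_STIME, COL_DADDR = "StartTime", "DstAddr"
COL_SPKTS, COL_DPKTS = "SrcPkts", "DstPkts"
COL_SBYTES, COL_DBYTES = "SrcBytes", "DstBytes"
REQUIRED = (COL_STIME, COL_DADDR, COL_SPKTS, COL_DPKTS, COL_SBYTES, COL_DBYTES)

# Constructed sample of ra -u -L0 -c , output (not real trace data).
SAMPLE = """\
StartTime,SrcAddr,Sport,DstAddr,Dport,Proto,SrcPkts,DstPkts,SrcBytes,DstBytes
1096911780.000000,10.0.0.1,40001,10.0.0.9,80,tcp,10,8,1000,4000
1096911781.500000,10.0.0.2,40002,10.0.0.9,80,tcp,5,4,500,1200
1096911795.250000,10.0.0.3,40003,10.0.0.9,80,tcp,8,0,800,0
1096911850.000000,10.0.0.1,40004,10.0.0.9,80,tcp,2,2,200,300
1096911790.000000,10.0.0.1,123,10.0.0.7,123,udp,1,1,76,76
"""


def parse_ra_csv(text, sep=","):
    """Turn ra -L0 -c <sep> output into a list of dicts keyed by label.

    Rows with an empty stime (what a broken RA_TIME_FORMAT produces, as in
    the thread) are dropped instead of blowing up in the arithmetic later.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    header = [h.strip() for h in lines[0].split(sep)]
    missing = [c for c in REQUIRED if c not in header]
    if missing:
        raise ValueError("ra output lacks columns %s; check -s list and labels" % missing)
    records = []
    for line in lines[1:]:
        fields = [f.strip() for f in line.split(sep)]
        if len(fields) != len(header):
            continue                       # truncated or malformed row
        rec = dict(zip(header, fields))
        if not rec[COL_STIME]:
            continue                       # blank stime, unusable for bucketing
        records.append(rec)
    return records


def summarize(records, bucket_secs=60):
    """Group flows by (time bucket, destination address) and compute the
    median of each flow's dst->src mean packet size and the population
    variance of total bytes (src+dst) across the flows in the bucket."""
    groups = defaultdict(list)
    for rec in records:
        bucket = int(float(rec[COL_STIME])) // bucket_secs * bucket_secs
        groups[(bucket, rec[COL_DADDR])].append(rec)

    out = {}
    for key, flows in sorted(groups.items()):
        dst_sizes, totals = [], []
        for f in flows:
            dpkts, dbytes = int(f[COL_DPKTS]), int(f[COL_DBYTES])
            if dpkts > 0:                  # one-way flows have no dst packets
                dst_sizes.append(dbytes / dpkts)
            totals.append(int(f[COL_SBYTES]) + dbytes)
        out[key] = {
            "flows": len(flows),
            "median_dst_pktsz": statistics.median(dst_sizes) if dst_sizes else None,
            "var_total_bytes": statistics.pvariance(totals),
        }
    return out


if __name__ == "__main__":
    # Pipe ra output in, or run with no stdin to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for (bucket, daddr), s in summarize(parse_ra_csv(text)).items():
        print(bucket, daddr, s["flows"], s["median_dst_pktsz"], s["var_total_bytes"])
```

The bucketing is done on stime alone, so a flow that straddles a slice boundary is counted in the slice it started in; if you need flows cut exactly at the boundary, split the argus stream first (rasplit) and feed each piece through this script separately. One-way flows contribute to the byte variance but not to the packet-size median, since there is no dst->src packet to size.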
