Possible bug on output of racluster

Ricardo S super.ismiti at gmail.com
Wed Oct 12 04:18:16 EDT 2011


Hi Carter,

Thanks for your reply. I'm sorry for my late response, but I was on
vacation and also I needed to focus my work in another direction, and
forgot about Argus.

I'm going to run the same command but including the protocol as you
suggested. If the result is still somehow strange, I'll report back to
you.

Thanks and regards,
Ricardo.


On Fri, Sep 23, 2011 at 1:32 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey Ricardo,
> Sorry for the delayed response. What version of the clients are you using?
>
> It is always good to inspect the data that is in the intermediate file, in order to
> see where the breakdown is.  Are the contents in your ra-output.argus file
> reasonable?
>
> Be sure and include the 'proto' when you are interested in aggregating by ports,
> as the port numbers are somewhat meaningless without the proto that specifies
> them.   The newer clients, like argus-clients-3.0.5.19,  should do this automatically.
>
> If you are still having a problem, consider sharing the files so I can figure out
> what is going on.
>
> Carter
>
> On Sep 14, 2011, at 8:32 AM, Ricardo S wrote:
>
>> Hello all,
>>
>> I'm trying to cluster my flow information by source port. It seems
>> that racluster is doing it fine. But when printing the results, it
>> seems to lose information of source and destination IPs and ports. To
>> better understand the problem, see example below.
>>
>> Did anyone also experience the same problem? Solutions? (or maybe, my
>> commands are right?)
>>
>> Thanks,
>> Ricardo.
>>
>>
>> Example: I have a file with flows already generated with argus. I use
>> the client "ra" to collect only flows from a specific IP address. Then
>> I use the client "racluster" to get information per source port.
>> However, the output I receive from "racluster" does not contain the IP
>> addresses or ports and, consequently, is useless.
>>
>> Command: ra
>> # ra -r flows.argus -w ra-output.argus - 'ip and src host sss.sss.sss.sss'
>>
>> Command: racluster
>> # racluster -r ra-output.argus -m saddr sport -s saddr sport daddr dport sbytes
>>
>> Output from racluster:
>>           0.0.0.0                   0.0.0.0                 128
>>           0.0.0.0                   0.0.0.0                 128
>>           0.0.0.0                   0.0.0.0                 111
>>           0.0.0.0                   0.0.0.0                 111
>>           0.0.0.0                   0.0.0.0                 582
>>           0.0.0.0                   0.0.0.0                3759
>>           0.0.0.0                   0.0.0.0                  64
>>           0.0.0.0                   0.0.0.0                 582
>>           0.0.0.0                   0.0.0.0                3512
>>           0.0.0.0                   0.0.0.0                4745
>>
>
>
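Added illustration of the point Carter raises above (not code from the thread, from Argus, or from racluster): a toy flow aggregator over constructed sample flows, run once keyed on `saddr sport` and once keyed on `proto saddr sport`. It assumes a simplified merge rule, namely that a non-key field keeps its value only when every merged flow agrees on it and is otherwise reported as unknown; that rule is an assumption for the example, not a description of racluster's internals.

```python
from collections import defaultdict

# Constructed sample flows (not taken from the original thread). Each dict
# loosely mirrors the fields ra prints: proto, saddr, sport, daddr, dport, sbytes.
FLOWS = [
    {"proto": "tcp", "saddr": "10.0.0.5", "sport": 53,  "daddr": "10.0.0.9", "dport": 40001, "sbytes": 128},
    {"proto": "udp", "saddr": "10.0.0.5", "sport": 53,  "daddr": "10.0.0.7", "dport": 51234, "sbytes": 111},
    {"proto": "udp", "saddr": "10.0.0.5", "sport": 53,  "daddr": "10.0.0.8", "dport": 51235, "sbytes": 582},
    {"proto": "tcp", "saddr": "10.0.0.5", "sport": 443, "daddr": "10.0.0.7", "dport": 51000, "sbytes": 3759},
]


def cluster(flows, key_fields):
    """Merge flows that share the same values for key_fields.

    sbytes is summed across the merged flows. Every other field is kept only
    when all merged flows agree on it; otherwise it becomes None, because the
    aggregate record no longer has one specific value for it. This merge rule
    is an assumption made for the example, not racluster's documented behaviour.
    """
    groups = defaultdict(list)
    for flow in flows:
        groups[tuple(flow[k] for k in key_fields)].append(flow)

    merged = []
    for members in groups.values():  # insertion order, so output is deterministic
        record = {}
        for field in members[0]:
            if field == "sbytes":
                record[field] = sum(m["sbytes"] for m in members)
            else:
                values = {m[field] for m in members}
                record[field] = values.pop() if len(values) == 1 else None
        merged.append(record)
    return merged


def render(records, columns=("proto", "saddr", "sport", "daddr", "dport", "sbytes")):
    """Return one text line per aggregate; fields the merge could not keep show as '*'."""
    lines = []
    for rec in records:
        cells = ["*" if rec[c] is None else str(rec[c]) for c in columns]
        lines.append("  ".join(f"{cell:>12}" for cell in cells))
    return lines


if __name__ == "__main__":
    print("keyed on saddr sport (tcp/53 and udp/53 collapse into one record):")
    print("\n".join(render(cluster(FLOWS, ("saddr", "sport")))))
    print("\nkeyed on proto saddr sport (port 53 is split per protocol):")
    print("\n".join(render(cluster(FLOWS, ("proto", "saddr", "sport")))))
```

Without `proto` in the key, the TCP and UDP flows on source port 53 are folded into one aggregate whose protocol, destination address and destination port can no longer be stated, which is why a port-keyed aggregation is hard to interpret; adding `proto` to the key keeps the two port-53 aggregates apart, and the destination fields stay blank only where the merged flows genuinely differ.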


