Possible bug on output of racluster

Ricardo S super.ismiti at gmail.com
Wed Oct 12 04:50:44 EDT 2011


Hello again Carter,

It seems to work now. I added the "proto" to all filters that I was
using, and now I get the port numbers as expected.

Thanks once again.

Regards,
Ricardo.


On Wed, Oct 12, 2011 at 10:18 AM, Ricardo S <super.ismiti at gmail.com> wrote:
> Hi Carter,
>
> Thanks for your reply. I'm sorry for my late response, but I was on
> vacation and also needed to focus my work in another direction, and
> forgot about Argus.
>
> I'm going to run the same command but including the protocol as you
> suggested. If the result is still somehow strange, I'll report back to
> you.
>
> Thanks and regards,
> Ricardo.
>
>
> On Fri, Sep 23, 2011 at 1:32 AM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Ricardo,
>> Sorry for the delayed response. What version of the clients are you using?
>>
>> It is always good to inspect the data that is in the intermediate file, in order to
>> see where the breakdown is. Are the contents in your ra-output.argus file
>> reasonable?
>>
>> Be sure to include the 'proto' when you are interested in aggregating by ports,
>> as the port numbers are somewhat meaningless without the proto that specifies
>> them. The newer clients, like argus-clients-3.0.5.19, should do this automatically.
>>
>> If you are still having a problem, consider sharing the files so I can figure out
>> what is going on.
>>
>> Carter
>>
>> On Sep 14, 2011, at 8:32 AM, Ricardo S wrote:
>>
>>> Hello all,
>>>
>>> I'm trying to cluster my flow information by source port. It seems
>>> that racluster is doing it fine. But when printing the results, it
>>> seems to lose information of source and destination IPs and ports. To
>>> better understand the problem, see example below.
>>>
>>> Did anyone also experience the same problem? Solutions? (or maybe, my
>>> commands are right?)
>>>
>>> Thanks,
>>> Ricardo.
>>>
>>>
>>> Example: I have a file with flows already generated with argus. I use
>>> the client "ra" to collect only flows from a specific IP address. Then
>>> I use the client "racluster" to get information per source port.
>>> However, the output I receive from "racluster" does not contain the IP
>>> addresses or ports and, consequently, is useless.
>>>
>>> Command: ra
>>> # ra -r flows.argus -w ra-output.argus - 'ip and src host sss.sss.sss.sss'
>>>
>>> Command: racluster
>>> # racluster -r ra-output.argus -m saddr sport -s saddr sport daddr dport sbytes
>>>
>>> Output from racluster:
>>>           0.0.0.0                   0.0.0.0                 128
>>>           0.0.0.0                   0.0.0.0                 128
>>>           0.0.0.0                   0.0.0.0                 111
>>>           0.0.0.0                   0.0.0.0                 111
>>>           0.0.0.0                   0.0.0.0                 582
>>>           0.0.0.0                   0.0.0.0                3759
>>>           0.0.0.0                   0.0.0.0                  64
>>>           0.0.0.0                   0.0.0.0                 582
>>>           0.0.0.0                   0.0.0.0                3512
>>>           0.0.0.0                   0.0.0.0                4745
>>>
>>
>>
>
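The point Carter makes above (port numbers only identify a service together with the protocol, so an aggregation key of `saddr sport` alone merges flows that have nothing to do with each other) is easy to see with a small model of racluster-style aggregation. The block below is an added example, not Argus code and not part of the thread: it builds a few constructed flow records shaped like the fields `ra -s proto saddr sport daddr dport sbytes` would print, then aggregates them first on `saddr sport` and then on `proto saddr sport`. Non-key fields that differ across merged records are reported as `None`, which stands in for the blank or zero value a client prints when there is no single value to show. The record contents and the `aggregate` function are assumptions made for illustration.

```python
from collections import OrderedDict

# Constructed sample flows (not from the thread). TCP/53 and UDP/53 from the same
# host are different services; the ICMP flow has no ports at all.
SAMPLE_FLOWS = [
    {"proto": "tcp",  "saddr": "10.0.0.5", "sport": 53,   "daddr": "10.0.0.9", "dport": 40001, "sbytes": 128},
    {"proto": "udp",  "saddr": "10.0.0.5", "sport": 53,   "daddr": "10.0.0.9", "dport": 40002, "sbytes": 111},
    {"proto": "udp",  "saddr": "10.0.0.5", "sport": 53,   "daddr": "10.0.0.7", "dport": 40003, "sbytes": 582},
    {"proto": "tcp",  "saddr": "10.0.0.5", "sport": 443,  "daddr": "10.0.0.9", "dport": 40004, "sbytes": 3759},
    {"proto": "icmp", "saddr": "10.0.0.5", "sport": None, "daddr": "10.0.0.9", "dport": None,  "sbytes": 64},
]


def aggregate(flows, key_fields, keep_fields=("daddr", "dport"), sum_fields=("sbytes",)):
    """Model of 'racluster -m <key_fields>': group records by the key, sum the
    counters, and keep a non-key field only while every merged record agrees on it.
    This is an illustrative reimplementation, not racluster's own logic."""
    buckets = OrderedDict()
    for f in flows:
        key = tuple(f[k] for k in key_fields)
        if key not in buckets:
            b = {k: f[k] for k in key_fields}
            b.update({k: f[k] for k in keep_fields})
            b.update({k: 0 for k in sum_fields})
            b["flows"] = 0
            buckets[key] = b
        b = buckets[key]
        b["flows"] += 1
        for k in keep_fields:
            if b[k] != f[k]:
                b[k] = None      # merged flows disagree: no single value to print
        for k in sum_fields:
            b[k] += f[k]
    return list(buckets.values())


def without_proto():
    """Key of saddr+sport only: TCP/53, UDP/53 and both UDP peers collapse into one row."""
    return aggregate(SAMPLE_FLOWS, ("saddr", "sport"))


def with_proto():
    """Key of proto+saddr+sport: each protocol/port pair stays a separate row."""
    return aggregate(SAMPLE_FLOWS, ("proto", "saddr", "sport"))


def show(title, rows):
    print(title)
    print("  %-5s %-10s %-6s %-10s %-6s %6s %5s" % ("proto", "saddr", "sport", "daddr", "dport", "sbytes", "flows"))
    for r in rows:
        print("  %-5s %-10s %-6s %-10s %-6s %6d %5d" % (
            r.get("proto", "-"), r["saddr"], r["sport"], r["daddr"], r["dport"], r["sbytes"], r["flows"]))


if __name__ == "__main__":
    show("-m saddr sport (proto missing from the key):", without_proto())
    show("-m proto saddr sport:", with_proto())
```

Running it prints two tables: in the first, the three port-53 flows become one row with 821 bytes whose `daddr` and `dport` are `None` because the merged records disagreed; in the second, TCP/53 (128 bytes) and UDP/53 (693 bytes) are kept apart and the per-peer detail survives for every bucket except the two UDP/53 peers, which legitimately share a key.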
