Possible bug on output of racluster

Ricardo S super.ismiti at gmail.com
Wed Sep 14 08:32:51 EDT 2011


Hello all,

I'm trying to cluster my flow information by source port. It seems
that racluster is doing it fine. But when printing the results, it
seems to lose information of source and destination IPs and ports. To
better understand the problem, see example below.

Did anyone also experience the same problem? Solutions? (or maybe, my
commands are right?)

Thanks,
Ricardo.


Example: I have a file with flows already generated with argus. I use
the client "ra" to collect only flows from a specific IP address. Then
I use the client "racluster" to get information per source port.
However, the output I receive from "racluster" does not contain the IP
addresses or ports and, consequently, is useless.

Command: ra
# ra -r flows.argus -w ra-output.argus - 'ip and src host sss.sss.sss.sss'

Command: racluster
# racluster -r ra-output.argus -m saddr sport -s saddr sport daddr dport sbytes

Output from racluster:
           0.0.0.0                   0.0.0.0                 128
           0.0.0.0                   0.0.0.0                 128
           0.0.0.0                   0.0.0.0                 111
           0.0.0.0                   0.0.0.0                 111
           0.0.0.0                   0.0.0.0                 582
           0.0.0.0                   0.0.0.0                3759
           0.0.0.0                   0.0.0.0                  64
           0.0.0.0                   0.0.0.0                 582
           0.0.0.0                   0.0.0.0                3512
           0.0.0.0                   0.0.0.0                4745
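An added example, not from the post or from the argus project, that models in Python what the racluster command above asked for (sum of sbytes per saddr/sport key) and checks printed rows for the symptom shown in the output, where the key fields come back as 0.0.0.0 or are missing; the flow records are constructed and the column layout assumed is the one requested with -s.

```python
# Added example (not part of the original post): model the requested
# aggregation and detect output rows that no longer carry the key fields.
from collections import defaultdict

# Constructed sample flows in the "-s saddr sport daddr dport sbytes" layout.
# The source address is a placeholder, as in the post.
SAMPLE_FLOWS = [
    ("10.0.0.5", 51234, "192.0.2.10", 80, 128),
    ("10.0.0.5", 51234, "192.0.2.11", 443, 111),
    ("10.0.0.5", 51235, "192.0.2.10", 80, 582),
    ("10.0.0.5", 51236, "192.0.2.12", 53, 64),
]

# Rows shaped like the racluster output quoted in the post (constructed):
# both addresses print as 0.0.0.0 and the port columns are absent.
BROKEN_OUTPUT = """\
           0.0.0.0                   0.0.0.0                 128
           0.0.0.0                   0.0.0.0                 111
           0.0.0.0                   0.0.0.0                 582
"""


def cluster_by_sport(flows):
    """Equivalent of '-m saddr sport': sum sbytes per (saddr, sport) key."""
    totals = defaultdict(int)
    for saddr, sport, _daddr, _dport, sbytes in flows:
        totals[(saddr, sport)] += sbytes
    return dict(totals)


def parse_output(text):
    """Split whitespace-separated output rows into token lists."""
    return [line.split() for line in text.splitlines() if line.strip()]


def find_lost_keys(rows, expected_fields=5):
    """Flag rows that cannot carry the fields asked for with -s: too few
    columns, or an address column that printed as 0.0.0.0."""
    problems = []
    for idx, row in enumerate(rows):
        if len(row) < expected_fields:
            problems.append((idx, "missing columns"))
        if "0.0.0.0" in row:
            problems.append((idx, "zero address"))
    return problems
```

A pipeline that consumes racluster output can run find_lost_keys on it and stop before treating all-zero addresses as real data.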
