Possible bug on output of racluster

Carter Bullard carter at qosient.com
Thu Sep 22 19:32:05 EDT 2011


Hey Ricardo,
Sorry for the delayed response. What version of the clients are you using?

It is always good to inspect the data that is in the intermediate file, in order to
see where the breakdown is.  Are the contents in your ra-output.argus file
reasonable?

Be sure to include the 'proto' when you are interested in aggregating by ports,
as the port numbers are somewhat meaningless without the proto that specifies
them. The newer clients, like argus-clients-3.0.5.19, should do this automatically.

If you are still having a problem, consider sharing the files so I can figure out
what is going on.

Carter

On Sep 14, 2011, at 8:32 AM, Ricardo S wrote:

> Hello all,
> 
> I'm trying to cluster my flow information by source port. It seems
> that racluster is doing it fine. But when printing the results, it
> seems to lose information of source and destination IPs and ports. To
> better understand the problem, see example below.
> 
> Did anyone also experience the same problem? Solutions? (or maybe, my
> commands are right?)
> 
> Thanks,
> Ricardo.
> 
> 
> Example: I have a file with flows already generated with argus. I use
> the client "ra" to collect only flows from a specific IP address. Then
> I use the client "racluster" to get information per source port.
> However, the output I receive from "racluster" does not contain the IP
> addresses or ports and, consequently, is useless.
> 
> Command: ra
> # ra -r flows.argus -w ra-output.argus - 'ip and src host sss.sss.sss.sss'
> 
> Command: racluster
> # racluster -r ra-output.argus -m saddr sport -s saddr sport daddr dport sbytes
> 
> Output from racluster:
>           0.0.0.0                   0.0.0.0                 128
>           0.0.0.0                   0.0.0.0                 128
>           0.0.0.0                   0.0.0.0                 111
>           0.0.0.0                   0.0.0.0                 111
>           0.0.0.0                   0.0.0.0                 582
>           0.0.0.0                   0.0.0.0                3759
>           0.0.0.0                   0.0.0.0                  64
>           0.0.0.0                   0.0.0.0                 582
>           0.0.0.0                   0.0.0.0                3512
>           0.0.0.0                   0.0.0.0                4745
> 
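To show concretely why Carter asks for 'proto' in the aggregation key, here is an added Python example that is not part of this thread or of the argus clients: a small, self-contained aggregator that models what a `racluster -m <fields>` style merge does over constructed flow records (the IP addresses, ports and byte counts are made up). Keying only on saddr and sport folds a TCP and a UDP flow on the same port number into one record; keying on proto, saddr and sport keeps them apart. The `*` placeholder used for non-key fields whose values disagree across merged records is this example's own convention, not racluster's output format.

```python
from collections import defaultdict

# Constructed sample flows (not argus output):
# proto, saddr, sport, daddr, dport, sbytes
FLOWS = [
    ("tcp", "10.0.0.5", 53, "10.0.0.9", 4121, 128),
    ("udp", "10.0.0.5", 53, "10.0.0.10", 40211, 111),
    ("tcp", "10.0.0.5", 443, "10.0.0.11", 50000, 582),
    ("tcp", "10.0.0.5", 443, "10.0.0.12", 50001, 3759),
    ("udp", "10.0.0.5", 53, "10.0.0.13", 40212, 64),
]

FIELDS = ("proto", "saddr", "sport", "daddr", "dport", "sbytes")


def aggregate(flows, key_fields):
    """Merge flows that share the same values for key_fields.

    Models the effect of an aggregation key like racluster's -m option:
    sbytes is summed over the merged records; every other non-key field
    keeps its value only if all merged records agree, otherwise it is
    reported as '*' (this example's convention). Returns a dict mapping
    the key tuple to the merged record.
    """
    groups = defaultdict(list)
    for flow in flows:
        rec = dict(zip(FIELDS, flow))
        key = tuple(rec[f] for f in key_fields)
        groups[key].append(rec)

    result = {}
    for key, recs in groups.items():
        merged = {}
        for f in FIELDS:
            if f == "sbytes":
                merged[f] = sum(r[f] for r in recs)
            else:
                values = {r[f] for r in recs}
                merged[f] = values.pop() if len(values) == 1 else "*"
        merged["count"] = len(recs)
        result[key] = merged
    return result


def show(title, merged):
    """Print merged records in a racluster-like column layout."""
    print(title)
    print("  %-5s %-12s %-6s %-12s %-6s %7s %5s" % FIELDS[:5] + ("sbytes", "n"))
    for key in sorted(merged, key=str):
        r = merged[key]
        print("  %-5s %-12s %-6s %-12s %-6s %7d %5d" % (
            r["proto"], r["saddr"], r["sport"], r["daddr"], r["dport"],
            r["sbytes"], r["count"]))


if __name__ == "__main__":
    # Port-only key: tcp/53 and udp/53 collapse into one ambiguous record.
    show("key = saddr sport", aggregate(FLOWS, ("saddr", "sport")))
    # Adding proto to the key keeps the two services separate.
    show("key = proto saddr sport",
         aggregate(FLOWS, ("proto", "saddr", "sport")))
```

With the port-only key the 53/tcp and 53/udp flows merge into a single record whose proto can no longer be stated, which is the ambiguity Carter's advice avoids; with proto in the key each service aggregates on its own.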
