Collecting multiple types of information at once

Jesse Bowling jessebowling at gmail.com
Tue Aug 28 17:12:39 EDT 2012


I've used 'tee' and fifo's to do similar things in the past (there is one
example in NSMwiki), and this might fit since it seems like you only want
to work with files and not live streams...

mkfifo FIFO1
mkfifo FIFO2
racluster -r FIFO1 -m saddr daddr dport proto - ip and net 10.10.10.0/24 &
racluster -r FIFO2 -m proto dport - ip and net 192.168.0.0/16 &
ra -R /my/dir/with/files/ -w - - | tee FIFO1 > FIFO2

Essentially you attach the process you want to fifo's (and background them)
and they will wait for input to start running the specified command. You
can do this an (almost) arbitrary number of times for the number of
commands you want to run...You then use ra to read all your files and dump
their binary output into 'tee' which will both write one copy to the file
specified as well as keep one copy on standard output...Thus if you want to
have three processes doing something with the one set of data, you could
use:

ra -R /my/dir/with/files/ -w - - | tee FIFO1 | tee FIFO2 | tee FIFO3 > FIFO4

etc...The last redirect of standard output goes into your last fifo, or, if
you needed that info, you could pipe it into anything else you like...

Not sure if that fits your needs (is this a one time thing? How big is the
data you need to process, etc) but it might do in a one-off/occasional
sense.

Perhaps a more detailed explanation of the problem or desired outcome might
lead to more elegant solutions...and of course, this assumes you're running
on *NIX of some sort... :)

HTH,

Jesse (the 'tee' one trick pony)


On Tue, Aug 28, 2012 at 3:56 PM, John Gerth <gerth at graphics.stanford.edu> wrote:

> From the radium man page:
>   "Radium,  like  all ra based clients, supports a number of ra options
> including remote data access, reading from
>        multiple files and filtering of input argus records through a
> terminating filter  expression."
>
> I just tried to use "radium -r ...." on a day's worth of hourly files here
> and while one can
> connect multiple clients to it, I can certainly believe that the behavior
> might not enable what you want.
>
> In any event, I obviously did misunderstand your scenario and for that I
> apologize.
>
> /John
>
> John Gerth      gerth at graphics.stanford.edu  Gates 378   (650) 725-3273  fax 725-6949
>
> On 8/28/2012 11:32 AM, Martijn van Oosterhout wrote:
> > On 28 August 2012 19:46, John Gerth <gerth at graphics.stanford.edu> wrote:
> >> I believe what you want to use is "radium", an argus tool designed to
> take
> >> a flow stream from the argus daemon and then deliver it simultaneously
> to
> >> multiple clients.  Each of those clients can have its own filtering
> specification
> >> so that they receive only the flows of interest. See, 'man radium'
> >
> > But I'm not talking about live collection, I'm talking about getting
> > this information from flows already on disk. Radium doesn't appear to
> > read from disk at all.
> >
>



-- 
Jesse Bowling
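The fifo/tee fan-out Jesse describes above, as an added, self-contained example that is not part of the original post. It assumes no argus tools are installed: constructed text "flow" lines stand in for the binary records `ra -w -` would emit, and three grep invocations stand in for the backgrounded racluster clients. The shape of the pipeline is the one from the post, `tee FIFO1 | tee FIFO2 > FIFO3`.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the argus project):
# fan one stream out to three consumers with named pipes and tee.
set -eu

# Constructed sample records standing in for ra's output:
# "saddr daddr dport proto", one flow per line.
SAMPLE_FLOWS='10.10.10.5 192.168.1.7 443 tcp
10.10.10.9 8.8.8.8 53 udp
192.168.4.4 10.10.10.5 22 tcp
172.16.0.3 192.168.9.9 80 udp'

# fanout_three: feed SAMPLE_FLOWS once through tee into three FIFOs and
# print the three consumers' results as "<n1> <n2> <n3>".
# Consumer 1: records touching 10.10.10.0/24 (stand-in for the first
#             racluster filter in the post)
# Consumer 2: tcp records
# Consumer 3: total record count
fanout_three() {
  workdir=$(mktemp -d)
  mkfifo "$workdir/FIFO1" "$workdir/FIFO2" "$workdir/FIFO3"

  # Start every consumer *before* the producer: open() on a FIFO blocks
  # until both ends are open, so a missing reader would stall tee.
  grep -c '10\.10\.10\.' "$workdir/FIFO1" > "$workdir/out1" &
  grep -c ' tcp$'        "$workdir/FIFO2" > "$workdir/out2" &
  grep -c ''             "$workdir/FIFO3" > "$workdir/out3" &

  # Producer: one pass over the data. Each tee writes a copy into its
  # FIFO and passes the stream on; the final redirect feeds the last FIFO.
  printf '%s\n' "$SAMPLE_FLOWS" \
    | tee "$workdir/FIFO1" \
    | tee "$workdir/FIFO2" > "$workdir/FIFO3"

  # Wait for all background consumers, then collect their results.
  wait
  printf '%s %s %s\n' \
    "$(cat "$workdir/out1")" "$(cat "$workdir/out2")" "$(cat "$workdir/out3")"
  rm -rf "$workdir"
}

# Run stand-alone: prints "3 2 4" for the constructed sample above.
fanout_three
```

Two practical caveats for using this with real argus data: every consumer must read argus binary records (so `-r FIFOn` on an ra-family client, as in the post) and must drain the whole stream, because a consumer that exits early sends tee SIGPIPE and the remaining consumers receive a truncated stream; and since pipe buffers are small, the slowest consumer sets the pace for all of them.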