raconvert problem

CS Lee geek00l at gmail.com
Thu Jan 12 04:03:00 EST 2012 

hi Carter,

Today I try to check out what i can do with raconvert, however it doesn't
seem to work and hogging the resources as well without giving result -

ra -c , -r anubis.arg3 > anubis.csv
raconvert -r anubis.csv -w anubis-convert.arg3

What I get from the top comand -

 PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 6138 cslee     20   0 20052 2116  672 R   98  0.1   0:56.72 raconvert

I'm using latest argus from the dev repo and this is on Ubuntu 11.10. I
tried to run strace and here's what I get -

.....
open("/etc/localtime", O_RDONLY)        = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f6a018f2000
read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"...,
4096) = 2819
lseek(3, -1802, SEEK_CUR)               = 1017
read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"...,
4096) = 1802
close(3)                                = 0
munmap(0x7f6a018f2000, 4096)            = 0
stat("/etc/ra.conf", 0x7fff5907fe40)    = -1 ENOENT (No such file or
directory)
stat("/home/cslee/.rarc", {st_mode=S_IFREG|0644, st_size=13474, ...}) = 0
open("/home/cslee/.rarc", O_RDONLY)     = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=13474, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f6a018f2000
read(3, "# \n#  Argus Software\n#  Copyrigh"..., 4096) = 4096
read(3, "l ra* clients can support runnin"..., 4096) = 4096
read(3, "# data that is provided by Argus"..., 4096) = 4096
read(3, "terminate but retry connection a"..., 4096) = 1186
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f6a018f2000, 4096)            = 0
mmap(NULL, 401408, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= 0x7f6a01742000
stat("anubis-convert.arg3", {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
getcwd("/home/cslee/pcap-repo", 4096)   = 22
lstat("/home/cslee/pcap-repo/anubis-convert.arg3", {st_mode=S_IFREG|0777,
st_size=0, ...}) = 0
open("anubis.csv", O_RDONLY)            = 3
fstat(3, {st_mode=S_IFREG|0664, st_size=507, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f6a01741000
read(3, "09:17:19.179698, e        ,udp,1"..., 4096) = 507

Here's where it hangs and do nothing.

To better using raconvert, I was thinking maybe we can make use of ra -L0
to print out the field description at top of the line, for example

ra -L0 -c, -s stime ltime proto saddr sport dir daddr dport state spkts
dpkts sbytes dbytes sappbytes dappbytes -r anubis.arg3 > anubis-sample.csv

Then all the fields can be recognized easily by raconvert by looking at
first line in anubis-sample.csv and can convert them to argus data format
easily.

StartTime,LastTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,SrcPkts,DstPkts,SrcBytes,DstBytes,SAppBytes,DAppBytes

Just my thought, cheers ;]

-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>
http://geek00l.blogspot.com
http://defcraft.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120112/dca0a610/attachment.html>

More information about the argus mailing list