raconvert problem

Carter Bullard carter at qosient.com
Thu Jan 12 09:12:41 EST 2012 

Hey CS Lee,
You need to read the man page for raconvert.
What do you have in your private .rarc?

Carter

On Jan 12, 2012, at 4:03 AM, CS Lee wrote:

> hi Carter,
> 
> Today I try to check out what i can do with raconvert, however it doesn't seem to work and hogging the resources as well without giving result -
> 
> ra -c , -r anubis.arg3 > anubis.csv
> raconvert -r anubis.csv -w anubis-convert.arg3
> 
> What I get from the top comand -
> 
>  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>  6138 cslee     20   0 20052 2116  672 R   98  0.1   0:56.72 raconvert
> 
> I'm using latest argus from the dev repo and this is on Ubuntu 11.10. I tried to run strace and here's what I get -
> 
> .....
> open("/etc/localtime", O_RDONLY)        = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
> fstat(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a018f2000
> read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2819
> lseek(3, -1802, SEEK_CUR)               = 1017
> read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"..., 4096) = 1802
> close(3)                                = 0
> munmap(0x7f6a018f2000, 4096)            = 0
> stat("/etc/ra.conf", 0x7fff5907fe40)    = -1 ENOENT (No such file or directory)
> stat("/home/cslee/.rarc", {st_mode=S_IFREG|0644, st_size=13474, ...}) = 0
> open("/home/cslee/.rarc", O_RDONLY)     = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=13474, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a018f2000
> read(3, "# \n#  Argus Software\n#  Copyrigh"..., 4096) = 4096
> read(3, "l ra* clients can support runnin"..., 4096) = 4096
> read(3, "# data that is provided by Argus"..., 4096) = 4096
> read(3, "terminate but retry connection a"..., 4096) = 1186
> read(3, "", 4096)                       = 0
> close(3)                                = 0
> munmap(0x7f6a018f2000, 4096)            = 0
> mmap(NULL, 401408, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a01742000
> stat("anubis-convert.arg3", {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
> getcwd("/home/cslee/pcap-repo", 4096)   = 22
> lstat("/home/cslee/pcap-repo/anubis-convert.arg3", {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
> open("anubis.csv", O_RDONLY)            = 3
> fstat(3, {st_mode=S_IFREG|0664, st_size=507, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a01741000
> read(3, "09:17:19.179698, e        ,udp,1"..., 4096) = 507
> 
> Here's where it hangs and do nothing. 
> 
> To better using raconvert, I was thinking maybe we can make use of ra -L0 to print out the field description at top of the line, for example 
> 
> ra -L0 -c, -s stime ltime proto saddr sport dir daddr dport state spkts dpkts sbytes dbytes sappbytes dappbytes -r anubis.arg3 > anubis-sample.csv
>  
> Then all the fields can be recognized easily by raconvert by looking at first line in anubis-sample.csv and can convert them to argus data format easily.
> 
> StartTime,LastTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,SrcPkts,DstPkts,SrcBytes,DstBytes,SAppBytes,DAppBytes
> 
> Just my thought, cheers ;]
> 
> -- 
> Best Regards,
> 
> CS Lee<geek00L[at]gmail.com>
> http://geek00l.blogspot.com
> http://defcraft.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120112/01bae2f6/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4367 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120112/01bae2f6/attachment.bin>

More information about the argus mailing list