raconvert problem

CS Lee geek00l at gmail.com
Thu Jan 12 12:06:54 EST 2012


hi Carter,

I use the default rarc that is provided by the argus-client. Do I need to
change anything to get raconvert to work? There's nothing mentioned in the
raconvert man page regarding rarc, and if I don't have a .rarc file in my
home directory, it won't work either. What is supposed to be in the rarc file
for raconvert to work?

I did read the raconvert man page, and it says raconvert.1 expects the first
valid string in the file to be a ra.1 column title line. I don't really
get what this means and hope you can clarify it for me.

Thank you, and I hope you have a good time at FloCon!

On Thu, Jan 12, 2012 at 10:12 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey CS Lee,
> You need to read the man page for raconvert.
> What do you have in your private .rarc?
>
> Carter
>
> On Jan 12, 2012, at 4:03 AM, CS Lee wrote:
>
> hi Carter,
>
> Today I tried to check out what I can do with raconvert; however, it doesn't
> seem to work and hogs the resources as well without giving a result -
>
> ra -c , -r anubis.arg3 > anubis.csv
> raconvert -r anubis.csv -w anubis-convert.arg3
>
> What I get from the top command -
>
>  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>  6138 cslee     20   0 20052 2116  672 R   98  0.1   0:56.72 raconvert
>
> I'm using the latest argus from the dev repo and this is on Ubuntu 11.10. I
> tried to run strace and here's what I get -
>
> .....
> open("/etc/localtime", O_RDONLY)        = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
> fstat(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a018f2000
> read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2819
> lseek(3, -1802, SEEK_CUR)               = 1017
> read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"..., 4096) = 1802
> close(3)                                = 0
> munmap(0x7f6a018f2000, 4096)            = 0
> stat("/etc/ra.conf", 0x7fff5907fe40)    = -1 ENOENT (No such file or directory)
> stat("/home/cslee/.rarc", {st_mode=S_IFREG|0644, st_size=13474, ...}) = 0
> open("/home/cslee/.rarc", O_RDONLY)     = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=13474, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a018f2000
> read(3, "# \n#  Argus Software\n#  Copyrigh"..., 4096) = 4096
> read(3, "l ra* clients can support runnin"..., 4096) = 4096
> read(3, "# data that is provided by Argus"..., 4096) = 4096
> read(3, "terminate but retry connection a"..., 4096) = 1186
> read(3, "", 4096)                       = 0
> close(3)                                = 0
> munmap(0x7f6a018f2000, 4096)            = 0
> mmap(NULL, 401408, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a01742000
> stat("anubis-convert.arg3", {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
> getcwd("/home/cslee/pcap-repo", 4096)   = 22
> lstat("/home/cslee/pcap-repo/anubis-convert.arg3", {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
> open("anubis.csv", O_RDONLY)            = 3
> fstat(3, {st_mode=S_IFREG|0664, st_size=507, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a01741000
> read(3, "09:17:19.179698, e        ,udp,1"..., 4096) = 507
>
> Here's where it hangs and does nothing.
>
> To make better use of raconvert, I was thinking maybe we can make use of ra -L0
> to print out the field descriptions at the top of the output, for example
>
> ra -L0 -c, -s stime ltime proto saddr sport dir daddr dport state spkts
> dpkts sbytes dbytes sappbytes dappbytes -r anubis.arg3 > anubis-sample.csv
>
> Then all the fields can be recognized easily by raconvert by looking at the
> first line in anubis-sample.csv, and they can be converted to argus data
> format easily.
>
>
> StartTime,LastTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,SrcPkts,DstPkts,SrcBytes,DstBytes,SAppBytes,DAppBytes
>
> Just my thought, cheers ;]
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
> http://geek00l.blogspot.com
> http://defcraft.net
>
>
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
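A small pre-flight check for the situation in this thread, added here as an example and not code from the thread or from the argus project: it builds the column title line that the quoted `ra -L0 -s ...` command prints and rejects a CSV whose first valid line is a data row (the input on which raconvert spins). The field-to-title mapping and the sample rows are constructed from the header line and `-s` field list quoted above; only those 15 fields are handled.

```python
# Field names from the -s list in the thread, mapped to the titles that
# ra -L0 printed for them (constructed from the thread's header line;
# assumption: other ra fields would need their titles added here).
RA_FIELD_TITLES = {
    "stime": "StartTime", "ltime": "LastTime", "proto": "Proto",
    "saddr": "SrcAddr", "sport": "Sport", "dir": "Dir",
    "daddr": "DstAddr", "dport": "Dport", "state": "State",
    "spkts": "SrcPkts", "dpkts": "DstPkts", "sbytes": "SrcBytes",
    "dbytes": "DstBytes", "sappbytes": "SAppBytes", "dappbytes": "DAppBytes",
}
FIELDS = list(RA_FIELD_TITLES)  # same order as the -s list in the thread


def title_line(fields):
    """Column title line ra -L0 prints for a given -s field order."""
    return ",".join(RA_FIELD_TITLES[f] for f in fields)


def valid_lines(text):
    """Non-empty, non-comment lines in order; the first is what raconvert reads."""
    return [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def check_ra_csv(text, fields):
    """Return (ok, reason): ok only if the first valid line is the title line
    for `fields` and every following row has the same number of columns."""
    expected = title_line(fields).split(",")
    lines = valid_lines(text)
    if not lines:
        return False, "file has no valid lines"
    # ra -c , pads fields with spaces (" e        ,udp,..."), so strip each cell
    if [c.strip() for c in lines[0].split(",")] != expected:
        return False, "first valid line is data, not a ra column title line"
    for i, row in enumerate(lines[1:], start=2):
        n = len(row.split(","))
        if n != len(expected):
            return False, f"row {i} has {n} columns, title line has {len(expected)}"
    return True, f"{len(lines) - 1} data rows under a valid title line"


# Constructed sample record with the 15 fields above (not real traffic).
ROW = ("09:17:19.179698,09:17:19.180123,udp,192.0.2.10,53000,->,"
       "192.0.2.53,53,CON,1,1,80,120,38,78")
NO_HEADER_CSV = ROW + "\n"                            # like `ra -c ,` alone
HEADER_CSV = title_line(FIELDS) + "\n" + ROW + "\n"   # like `ra -L0 -c , -s ...`

if __name__ == "__main__":
    for name, text in (("anubis.csv", NO_HEADER_CSV), ("anubis-sample.csv", HEADER_CSV)):
        print(name, check_ra_csv(text, FIELDS))
```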