raconvert problem

CS Lee geek00l at gmail.com
Thu Jan 12 15:20:00 EST 2012


Hi Carter,

I figured out why raconvert is not working. If I set this line in .rarc:

RA_FIELD_SPECIFIER="stime ltime dur flgs proto saddr sport dir daddr dport
spkts dpkts sbytes dbytes state"

it will work. However, if I add the sappbytes and dappbytes fields, it won't work:

RA_FIELD_SPECIFIER="stime ltime dur flgs proto saddr sport dir daddr dport
spkts dpkts sbytes dbytes sappbytes dappbytes state"

Then I remembered you mentioned on the mailing list that not all fields are
supported in raconvert yet, so my guess is that sappbytes and dappbytes are
not yet supported (I haven't tested fields such as suser, duser or swin, dwin
yet). Other than that it seems to be working.

On Fri, Jan 13, 2012 at 1:06 AM, CS Lee <geek00l at gmail.com> wrote:

> Hi Carter,
>
> I use the default rarc that is provided by the argus-client. Do I need to
> change anything to get raconvert to work? There's nothing mentioned in the
> raconvert man page regarding rarc. If I don't have a .rarc file in my home
> directory, it won't work either. What is supposed to be in the rarc file for
> raconvert to work?
>
> I did read the raconvert man page and it says raconvert.1 expects the
> first valid string in the file to be a ra.1 column title line. I don't
> really get what this means and hope you can clarify it for me.
>
> Thank you, and I hope you have a good time at FloCon!
>
>
> On Thu, Jan 12, 2012 at 10:12 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> Hey CS Lee,
>> You need to read the man page for raconvert.
>> What do you have in your private .rarc?
>>
>> Carter
>>
>> On Jan 12, 2012, at 4:03 AM, CS Lee wrote:
>>
>> Hi Carter,
>>
>> Today I tried to check out what I can do with raconvert; however, it doesn't
>> seem to work and is hogging resources as well without giving a result:
>>
>> ra -c , -r anubis.arg3 > anubis.csv
>> raconvert -r anubis.csv -w anubis-convert.arg3
>>
>> What I get from the top command:
>>
>>  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>>  6138 cslee     20   0 20052 2116  672 R   98  0.1   0:56.72 raconvert
>>
>> I'm using the latest argus from the dev repo and this is on Ubuntu 11.10. I
>> tried to run strace and here's what I get:
>>
>> .....
>> open("/etc/localtime", O_RDONLY)        = 3
>> fstat(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
>> fstat(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>> = 0x7f6a018f2000
>> read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"...,
>> 4096) = 2819
>> lseek(3, -1802, SEEK_CUR)               = 1017
>> read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"...,
>> 4096) = 1802
>> close(3)                                = 0
>> munmap(0x7f6a018f2000, 4096)            = 0
>> stat("/etc/ra.conf", 0x7fff5907fe40)    = -1 ENOENT (No such file or
>> directory)
>> stat("/home/cslee/.rarc", {st_mode=S_IFREG|0644, st_size=13474, ...}) = 0
>> open("/home/cslee/.rarc", O_RDONLY)     = 3
>> fstat(3, {st_mode=S_IFREG|0644, st_size=13474, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>> = 0x7f6a018f2000
>> read(3, "# \n#  Argus Software\n#  Copyrigh"..., 4096) = 4096
>> read(3, "l ra* clients can support runnin"..., 4096) = 4096
>> read(3, "# data that is provided by Argus"..., 4096) = 4096
>> read(3, "terminate but retry connection a"..., 4096) = 1186
>> read(3, "", 4096)                       = 0
>> close(3)                                = 0
>> munmap(0x7f6a018f2000, 4096)            = 0
>> mmap(NULL, 401408, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
>> 0) = 0x7f6a01742000
>> stat("anubis-convert.arg3", {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
>> getcwd("/home/cslee/pcap-repo", 4096)   = 22
>> lstat("/home/cslee/pcap-repo/anubis-convert.arg3", {st_mode=S_IFREG|0777,
>> st_size=0, ...}) = 0
>> open("anubis.csv", O_RDONLY)            = 3
>> fstat(3, {st_mode=S_IFREG|0664, st_size=507, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>> = 0x7f6a01741000
>> read(3, "09:17:19.179698, e        ,udp,1"..., 4096) = 507
>>
>> Here's where it hangs and does nothing.
>>
>> To make better use of raconvert, I was thinking maybe we can make use of ra -L0
>> to print out the field descriptions as the top line, for example:
>>
>> ra -L0 -c, -s stime ltime proto saddr sport dir daddr dport state spkts
>> dpkts sbytes dbytes sappbytes dappbytes -r anubis.arg3 > anubis-sample.csv
>>
>> Then all the fields can be recognized easily by raconvert by looking at the
>> first line in anubis-sample.csv, and it can convert them to argus data format
>> easily.
>>
>>
>> StartTime,LastTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,SrcPkts,DstPkts,SrcBytes,DstBytes,SAppBytes,DAppBytes
>>
>> Just my thought, cheers ;]
>>
>> --
>> Best Regards,
>>
>> CS Lee<geek00L[at]gmail.com>
>> http://geek00l.blogspot.com
>> http://defcraft.net
>>
>>
>>
>
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
>



-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
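As an added example (not argus code and not written by anyone in this thread), a small Python pre-flight check that tests whether a CSV begins with the ra column-title line raconvert expects, and flags the sappbytes/dappbytes columns this thread reports as not converting; the title-to-field map and the ra -L0 command come from the messages above, while the sample CSV lines are constructed.

```python
# Added example, not argus project code: pre-flight check of a CSV before it
# is handed to raconvert, covering the two points raised in the thread.

# Column titles ra prints with -L0, mapped to their -s field names. Only the
# titles shown in the thread are listed; extend the map for other fields.
TITLE_TO_FIELD = {
    "StartTime": "stime", "LastTime": "ltime", "Proto": "proto",
    "SrcAddr": "saddr", "Sport": "sport", "Dir": "dir",
    "DstAddr": "daddr", "Dport": "dport", "State": "state",
    "SrcPkts": "spkts", "DstPkts": "dpkts", "SrcBytes": "sbytes",
    "DstBytes": "dbytes", "SAppBytes": "sappbytes", "DAppBytes": "dappbytes",
}

# Fields the thread reports as breaking raconvert (an observation, not docs).
REPORTED_UNSUPPORTED = {"sappbytes", "dappbytes"}


def check_raconvert_input(text, sep=","):
    """Say whether `text` starts with a ra title line raconvert can use.

    A file whose first line is data (as in the thread) made raconvert spin
    at ~98% CPU with no output, so catch that before running it."""
    first = next((ln for ln in text.splitlines() if ln.strip()), "")
    titles = [t.strip() for t in first.split(sep)]
    unknown = [t for t in titles if t not in TITLE_TO_FIELD]
    has_header = bool(first) and not unknown
    fields = [TITLE_TO_FIELD[t] for t in titles] if has_header else []
    return {
        "has_header": has_header,
        "fields": fields,
        "unknown_titles": unknown,
        "reported_unsupported": sorted(REPORTED_UNSUPPORTED & set(fields)),
    }


def suggest_ra_command(fields, argus_file):
    """Build the ra -L0 invocation from the thread, minus the reported fields."""
    safe = [f for f in fields if f not in REPORTED_UNSUPPORTED]
    return "ra -L0 -c, -s %s -r %s" % (" ".join(safe), argus_file)


# Constructed sample inputs modelled on the thread (not real captures).
HEADERLESS_CSV = ("09:17:19.179698, e        ,udp,192.0.2.10,5353,<->,"
                  "192.0.2.20,5353,2,2,160,160,CON\n")
CSV_WITH_TITLES = (
    "StartTime,LastTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,"
    "SrcPkts,DstPkts,SrcBytes,DstBytes,SAppBytes,DAppBytes\n"
    "09:17:19.179698,09:17:19.185000,udp,192.0.2.10,5353,<->,192.0.2.20,"
    "5353,CON,2,2,160,160,76,76\n")
```

Running check_raconvert_input on the headerless sample reports has_header False, which is the case the thread's hung raconvert run corresponds to.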