raconvert problem

Carter Bullard carter at qosient.com
Thu Jan 12 16:29:42 EST 2012


Hey CS Lee,
I have made changes to the raconvert man page to make it a bit clearer, as you suggested!! It did need work.

I put in an entry for how the ascii file should be generated, along with an example of how raconvert could be run.  Take a look in clients-3.0.5.30, which I'll put up tomorrow.

I'll also add some logic to raconvert so that it will discover that the title line is missing, and generate an error.

Thanks!!!!

Carter

Carter Bullard, QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

On Jan 12, 2012, at 11:06 AM, CS Lee <geek00l at gmail.com> wrote:

> hi Carter, 
> 
> I use the default rarc that is provided by the argus-client. Do I need to change anything to get raconvert to work? There's nothing mentioned in the raconvert man page regarding rarc. If I don't have a .rarc file in my home directory, it won't work either. What is supposed to be in the rarc file for raconvert to work?
> 
> I did read the raconvert man page and it says raconvert.1 expects the first valid string in the file to be a ra.1 column title line. I don't really get what this means and hope you can clarify it for me.
> 
> Thank you and hope you have a good time at flocon!
> 
> On Thu, Jan 12, 2012 at 10:12 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey CS Lee,
> You need to read the man page for raconvert.
> What do you have in your private .rarc?
> 
> Carter
> 
> On Jan 12, 2012, at 4:03 AM, CS Lee wrote:
> 
>> hi Carter,
>> 
>> Today I tried to check out what I can do with raconvert; however, it doesn't seem to work and is hogging resources as well without giving a result -
>> 
>> ra -c , -r anubis.arg3 > anubis.csv
>> raconvert -r anubis.csv -w anubis-convert.arg3
>> 
>> What I get from the top command -
>> 
>>  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>>  6138 cslee     20   0 20052 2116  672 R   98  0.1   0:56.72 raconvert
>> 
>> I'm using latest argus from the dev repo and this is on Ubuntu 11.10. I tried to run strace and here's what I get -
>> 
>> .....
>> open("/etc/localtime", O_RDONLY)        = 3
>> fstat(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
>> fstat(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a018f2000
>> read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2819
>> lseek(3, -1802, SEEK_CUR)               = 1017
>> read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"..., 4096) = 1802
>> close(3)                                = 0
>> munmap(0x7f6a018f2000, 4096)            = 0
>> stat("/etc/ra.conf", 0x7fff5907fe40)    = -1 ENOENT (No such file or directory)
>> stat("/home/cslee/.rarc", {st_mode=S_IFREG|0644, st_size=13474, ...}) = 0
>> open("/home/cslee/.rarc", O_RDONLY)     = 3
>> fstat(3, {st_mode=S_IFREG|0644, st_size=13474, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a018f2000
>> read(3, "# \n#  Argus Software\n#  Copyrigh"..., 4096) = 4096
>> read(3, "l ra* clients can support runnin"..., 4096) = 4096
>> read(3, "# data that is provided by Argus"..., 4096) = 4096
>> read(3, "terminate but retry connection a"..., 4096) = 1186
>> read(3, "", 4096)                       = 0
>> close(3)                                = 0
>> munmap(0x7f6a018f2000, 4096)            = 0
>> mmap(NULL, 401408, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a01742000
>> stat("anubis-convert.arg3", {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
>> getcwd("/home/cslee/pcap-repo", 4096)   = 22
>> lstat("/home/cslee/pcap-repo/anubis-convert.arg3", {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
>> open("anubis.csv", O_RDONLY)            = 3
>> fstat(3, {st_mode=S_IFREG|0664, st_size=507, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a01741000
>> read(3, "09:17:19.179698, e        ,udp,1"..., 4096) = 507
>> 
>> Here's where it hangs and does nothing.
>> 
>> To make better use of raconvert, I was thinking maybe we can make use of ra -L0 to print out the field description at the top of the line, for example 
>> 
>> ra -L0 -c, -s stime ltime proto saddr sport dir daddr dport state spkts dpkts sbytes dbytes sappbytes dappbytes -r anubis.arg3 > anubis-sample.csv
>>  
>> Then all the fields can be recognized easily by raconvert by looking at the first line in anubis-sample.csv and can convert them to argus data format easily.
>> 
>> StartTime,LastTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,SrcPkts,DstPkts,SrcBytes,DstBytes,SAppBytes,DAppBytes
>> 
>> Just my thought, cheers ;]
>> 
>> -- 
>> Best Regards,
>> 
>> CS Lee<geek00L[at]gmail.com>
>> http://geek00l.blogspot.com
>> http://defcraft.net
> 
> 
> 
> 
> -- 
> Best Regards,
> 
> CS Lee<geek00L[at]gmail.com>
> 
> http://geek00l.blogspot.com
> http://defcraft.net
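
The thread turns on raconvert expecting the first valid string in its input to be a ra column title line, which the CSV in the original report did not have. As an added example (not part of these messages or of the argus code), a shell pre-flight check that accepts a file only when its first non-blank line consists of the column labels quoted in the thread; the function names, the label list as a check set, and the sample row are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check a CSV for a ra column title line before conversion.
# Label set taken from the title line quoted in the thread; it is not the
# full list of ra column labels (assumption for illustration).
KNOWN_LABELS="StartTime LastTime Proto SrcAddr Sport Dir DstAddr Dport State \
SrcPkts DstPkts SrcBytes DstBytes SAppBytes DAppBytes"

# Print the first non-blank line of FILE (the first thing a reader would see).
first_valid_line() {
    awk 'NF { print; exit }' "$1"
}

# has_title_line FILE [DELIM]
# Return 0 only if every field of the first non-blank line is a known label.
has_title_line() {
    file=$1
    delim=${2:-,}
    line=$(first_valid_line "$file")
    [ -n "$line" ] || return 1
    old_ifs=$IFS
    IFS=$delim
    set -f                      # no globbing while splitting the line
    set -- $line
    set +f
    IFS=$old_ifs
    for field in "$@"; do
        field=$(printf '%s' "$field" | tr -d ' \t\r')
        case " $KNOWN_LABELS " in
            *" $field "*) ;;    # recognised column label
            *) return 1 ;;      # data value, empty field or unknown label
        esac
    done
    return 0
}

# Demo on constructed data: a file holding only a data row, and the same
# row preceded by the title line from the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    row='09:17:19.179698,09:17:20.000000,udp,192.0.2.1,1024,->,192.0.2.2,53,INT,1,0,60,0,18,0'
    printf '%s\n' "$row" > "$tmp/no-title.csv"
    printf '%s\n%s\n' "$(printf '%s' "$KNOWN_LABELS" | tr ' ' ',')" "$row" > "$tmp/titled.csv"
    for f in "$tmp/no-title.csv" "$tmp/titled.csv"; do
        if has_title_line "$f"; then echo "$f: title line found"
        else echo "$f: no title line, do not pass to raconvert" >&2; fi
    done
    rm -rf "$tmp"
}
demo
```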