raconvert problem

Carter Bullard carter at qosient.com
Thu Jan 12 16:33:27 EST 2012


Well, supporting sappbytes and dappbytes in raconvert is an easy fix.  I'll do that, and I'll also put in an appropriate error message if any unrecognized field is found!!!

Carter

Carter Bullard, QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

On Jan 12, 2012, at 2:20 PM, CS Lee <geek00l at gmail.com> wrote:

> hi Carter,
> 
> I figured out why raconvert is not working. If I set this line in .rarc -
> 
> RA_FIELD_SPECIFIER="stime ltime dur flgs proto saddr sport dir daddr dport spkts dpkts sbytes dbytes state"
> 
> It will work; however, if I add the sappbytes and dappbytes fields, it won't work
> 
> RA_FIELD_SPECIFIER="stime ltime dur flgs proto saddr sport dir daddr dport spkts dpkts sbytes dbytes sappbytes dappbytes state"
> 
> Then I remembered you mentioned on the mailing list that not all fields are supported in raconvert yet, so my guess is sappbytes and dappbytes are not yet supported (I haven't tested fields such as suser, duser or swin, dwin yet). Other than that it seems to be working.
> 
> On Fri, Jan 13, 2012 at 1:06 AM, CS Lee <geek00l at gmail.com> wrote:
> hi Carter, 
> 
> I use the default rarc that is provided by the argus-client. Do I need to change anything to get raconvert to work? There's nothing mentioned in the raconvert man page regarding rarc. If I don't have a .rarc file in my home directory, it won't work either. What is supposed to be in the rarc file for raconvert to work?
> 
> I did read the raconvert man page, and it says raconvert.1 expects the first valid string in the file to be a ra.1 column title line. I don't really get what this means and hope you can clarify it for me.
> 
> Thank you, and I hope you have a good time at flocon!
> 
> 
> On Thu, Jan 12, 2012 at 10:12 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey CS Lee,
> You need to read the man page for raconvert.
> What do you have in your private .rarc?
> 
> Carter
> 
> On Jan 12, 2012, at 4:03 AM, CS Lee wrote:
> 
>> hi Carter,
>> 
>> Today I tried to check out what I can do with raconvert; however, it doesn't seem to work and is hogging resources as well without giving a result -
>> 
>> ra -c , -r anubis.arg3 > anubis.csv
>> raconvert -r anubis.csv -w anubis-convert.arg3
>> 
>> What I get from the top command -
>> 
>>  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>>  6138 cslee     20   0 20052 2116  672 R   98  0.1   0:56.72 raconvert
>> 
>> I'm using latest argus from the dev repo and this is on Ubuntu 11.10. I tried to run strace and here's what I get -
>> 
>> .....
>> open("/etc/localtime", O_RDONLY)        = 3
>> fstat(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
>> fstat(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a018f2000
>> read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2819
>> lseek(3, -1802, SEEK_CUR)               = 1017
>> read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"..., 4096) = 1802
>> close(3)                                = 0
>> munmap(0x7f6a018f2000, 4096)            = 0
>> stat("/etc/ra.conf", 0x7fff5907fe40)    = -1 ENOENT (No such file or directory)
>> stat("/home/cslee/.rarc", {st_mode=S_IFREG|0644, st_size=13474, ...}) = 0
>> open("/home/cslee/.rarc", O_RDONLY)     = 3
>> fstat(3, {st_mode=S_IFREG|0644, st_size=13474, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a018f2000
>> read(3, "# \n#  Argus Software\n#  Copyrigh"..., 4096) = 4096
>> read(3, "l ra* clients can support runnin"..., 4096) = 4096
>> read(3, "# data that is provided by Argus"..., 4096) = 4096
>> read(3, "terminate but retry connection a"..., 4096) = 1186
>> read(3, "", 4096)                       = 0
>> close(3)                                = 0
>> munmap(0x7f6a018f2000, 4096)            = 0
>> mmap(NULL, 401408, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a01742000
>> stat("anubis-convert.arg3", {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
>> getcwd("/home/cslee/pcap-repo", 4096)   = 22
>> lstat("/home/cslee/pcap-repo/anubis-convert.arg3", {st_mode=S_IFREG|0777, st_size=0, ...}) = 0
>> open("anubis.csv", O_RDONLY)            = 3
>> fstat(3, {st_mode=S_IFREG|0664, st_size=507, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6a01741000
>> read(3, "09:17:19.179698, e        ,udp,1"..., 4096) = 507
>> 
>> Here's where it hangs and does nothing.
>> 
>> To make better use of raconvert, I was thinking maybe we can make use of ra -L0 to print out the field descriptions on the top line, for example
>> 
>> ra -L0 -c, -s stime ltime proto saddr sport dir daddr dport state spkts dpkts sbytes dbytes sappbytes dappbytes -r anubis.arg3 > anubis-sample.csv
>>  
>> Then all the fields can be recognized easily by raconvert by looking at the first line in anubis-sample.csv, and it can convert them to argus data format easily.
>> 
>> StartTime,LastTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,SrcPkts,DstPkts,SrcBytes,DstBytes,SAppBytes,DAppBytes
>> 
>> Just my thought, cheers ;]
>> 
>> -- 
>> Best Regards,
>> 
>> CS Lee<geek00L[at]gmail.com>
>> http://geek00l.blogspot.com
>> http://defcraft.net
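The thread boils down to two things a practitioner wants to check before handing a CSV to raconvert: that the first line is a ra column title line (the headerless "ra -c ," output above hung the converter), and that every column maps to a field raconvert actually supports (sappbytes/dappbytes did not at the time). The following pre-flight checker is an added example, not argus code: the title-to-field mapping is taken from the -s list and header line quoted in the thread, the supported set is the working RA_FIELD_SPECIFIER from the thread, and the sample CSV lines are constructed.

```python
"""Pre-flight check for a CSV destined for raconvert (added example, not argus code)."""
import csv
import io

# Column title -> ra field name, taken from the -s list and the -L0 header
# quoted in the thread.  Titles for other fields (dur, flgs, ...) are not
# shown there and are deliberately left out rather than guessed.
TITLE_TO_FIELD = {
    "StartTime": "stime", "LastTime": "ltime", "Proto": "proto",
    "SrcAddr": "saddr", "Sport": "sport", "Dir": "dir",
    "DstAddr": "daddr", "Dport": "dport", "State": "state",
    "SrcPkts": "spkts", "DstPkts": "dpkts",
    "SrcBytes": "sbytes", "DstBytes": "dbytes",
    "SAppBytes": "sappbytes", "DAppBytes": "dappbytes",
}

# Fields raconvert handled at the time of the thread: the RA_FIELD_SPECIFIER
# that CS Lee reported as working.
SUPPORTED_FIELDS = set(
    "stime ltime dur flgs proto saddr sport dir daddr dport "
    "spkts dpkts sbytes dbytes state".split()
)


def is_title_line(cells):
    """A ra title line starts with a column name; a data record starts with a
    timestamp such as 09:17:19.179698, so the first character decides."""
    return bool(cells) and cells[0].strip()[:1].isalpha()


def check_csv(text):
    """Inspect CSV text and report whether raconvert could use it.

    Returns {"fields": [ra field names in column order],
             "problems": [human-readable findings]}; an empty "problems"
    list means the file has a usable title line and only supported fields."""
    reader = csv.reader(io.StringIO(text))
    first = next((row for row in reader if any(c.strip() for c in row)), None)
    result = {"fields": [], "problems": []}
    if first is None:
        result["problems"].append("empty input: no title line")
        return result
    if not is_title_line(first):
        result["problems"].append(
            "first line is a data record, not a title line; regenerate with ra -L0")
        return result
    for title in (c.strip() for c in first):
        field = TITLE_TO_FIELD.get(title)
        if field is None:
            result["problems"].append(f"unrecognized column title: {title!r}")
            continue
        result["fields"].append(field)
        if field not in SUPPORTED_FIELDS:
            result["problems"].append(
                f"field {field!r} ({title}) not supported by raconvert")
    return result


def rarc_field_specifier(fields):
    """Build the RA_FIELD_SPECIFIER line that matches the CSV's columns, in the
    form the thread shows in .rarc."""
    return 'RA_FIELD_SPECIFIER="%s"' % " ".join(fields)


# Constructed samples: a headerless record like the one that hung raconvert,
# and the same record under a -L0 title line that includes the app-byte columns.
NO_TITLE_CSV = ("09:17:19.179698,09:17:19.179698,udp,10.0.0.5,53102,->,"
                "10.0.0.1,53,CON,1,1,70,120,28,78\n")
TITLED_CSV = ("StartTime,LastTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,"
              "SrcPkts,DstPkts,SrcBytes,DstBytes,SAppBytes,DAppBytes\n"
              + NO_TITLE_CSV)

if __name__ == "__main__":
    for name, sample in (("no title line", NO_TITLE_CSV), ("-L0 title line", TITLED_CSV)):
        r = check_csv(sample)
        print(f"{name}: {'ok' if not r['problems'] else r['problems']}")
        if r["fields"]:
            print("  " + rarc_field_specifier(r["fields"]))
```

Run against the headerless sample it reports the missing title line; run against the -L0 sample it maps all fifteen columns and flags sappbytes and dappbytes as unsupported, which is exactly the silent failure Carter's planned error message would surface. The generated RA_FIELD_SPECIFIER line can be pasted into .rarc so the field list there matches the CSV columns.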