ralabel
Carter Bullard
carter at qosient.com
Fri Jun 1 10:21:15 EDT 2012
Hey CS Lee,
This is what I'm getting with your configuration using ratable() from argus-clients-3.0.6 (the version on this particular machine).
I modified the paths so that they pointed to the files on my machine.
MeinTing:argus carter$ ralabel -f /tmp/ralabel.conf -D3 -S localhost -s +sco +dco +sas +das
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.451402 ArgusAddHostList (0xf5b3000, localhost, 1, 6) returning 1
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.913850 RaReadAddressConfig (0xf5b3000, 0x22401930, /usr/local/argus/delegated-ipv4-latest) returning 1
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.914432 RaLabelParseResourceFile (/tmp/ralabel.conf) returning 0
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.915113 main: reading files completed
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.915577 Trying ::1 port 561 Expecting Argus records
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.915704 connected
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.915721 ArgusGetServerSocket (0x10f676000) returning 7
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.930995 ArgusReadConnection() read 16 bytes
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.947321 ArgusInitAddrtoname (0xf5b3000, 0x0, 0x0)
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.947345 ArgusParseInit(0xf5b3000 0xf676000
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.947384 ArgusWriteConnection(0xf676000, 0x6eae97e0, 7) returning 7
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.947396 ArgusReadConnection(0xf676000, 2) returning 1
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.947412 ArgusReadStream(0x10f5b3000) starting
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State sCo dCo sAS dAS
2012/06/01.10:17:00.348822 e icmp 10.0.1.5.0x0008 <-> 198.41.0.4.0x5e72 1 1 98 98 ECO ZZ US 9304 26415
2012/06/01.10:17:00.404013 e udp 10.0.1.5.52057 <-> 198.41.0.4.domain 1 1 78 540 CON ZZ US 9304 26415
2012/06/01.10:17:00.459639 e icmp 10.0.1.5.0x0008 <-> 198.41.0.4.0x5e77 1 1 98 98 ECO ZZ US 9304 26415
2012/06/01.10:17:00.516315 e udp 10.0.1.5.58510 <-> 198.41.0.4.domain 1 1 74 546 CON ZZ US 9304 26415
2012/06/01.10:17:00.617045 e icmp 10.0.1.5.0x0008 <-> 192.5.6.30.0x5ea0 1 1 98 98 ECO ZZ US 9304 36621
2012/06/01.10:17:00.696618 e udp 10.0.1.5.62677 <-> 192.5.6.30.domain 1 1 77 472 CON ZZ US 9304 36621
2012/06/01.10:17:00.773827 e icmp 10.0.1.5.0x0008 <-> 192.5.6.30.0x5ea5 1 1 98 98 ECO ZZ US 9304 36621
2012/06/01.10:17:00.853761 e udp 10.0.1.5.64593 <-> 192.5.6.30.domain 1 1 71 194 CON ZZ US 9304 36621
2012/06/01.10:17:00.930874 e icmp 10.0.1.5.0x0008 <-> 192.5.6.30.0x5eaa 1 1 98 98 ECO ZZ US 9304 36621
2012/06/01.10:17:01.027358 e udp 10.0.1.5.64552 <-> 192.5.6.30.domain 1 1 76 378 CON ZZ US 9304 36621
2012/06/01.10:17:01.109282 e icmp 10.0.1.5.0x0008 <-> 128.2.1.8.0x5eb2 1 1 98 98 ECO ZZ US 9304 9
2012/06/01.10:17:01.159341 e udp 10.0.1.5.55848 <-> 128.2.1.8.domain 1 1 79 175 CON ZZ US 9304 9
2012/06/01.10:17:01.207815 e icmp 10.0.1.5.0x0008 <-> 128.2.1.8.0x5eb7 1 1 98 98 ECO ZZ US 9304 9
2012/06/01.10:17:01.258176 e udp 10.0.1.5.56010 <-> 128.2.1.8.domain 1 1 82 230 CON ZZ US 9304 9
2012/06/01.10:17:01.303089 e icmp 10.0.1.5.0x0008 <-> 128.32.136.3.0x5ebc 1 1 98 98 ECO ZZ US 9304 25
2012/06/01.10:17:01.408268 e udp 10.0.1.5.65066 <-> 128.32.136.3.domain 1 1 78 430 CON ZZ US 9304 25
2012/06/01.10:17:01.507908 e icmp 10.0.1.5.0x0008 <-> 128.32.136.3.0x5ec1 1 1 98 98 ECO ZZ US 9304 25
2012/06/01.10:17:01.613547 e udp 10.0.1.5.54108 <-> 128.32.136.3.domain 1 1 80 263 CON ZZ US 9304 25
So I'm getting stuff. Do you have the files in the appropriate places? /nsmon/file/?
Carter
On Jun 1, 2012, at 2:02 AM, CS Lee wrote:
> hi Carter,
>
> Have you updated ralabel? It doesn't seem to work on version 3.0.6.1; when I run
>
> /usr/local/stow/argusc-3.0.6.1/bin/ralabel -f /nsmon/etc/ralabel.conf -S 10.10.10.1:561 -w - | ra -n -s stime proto saddr sport dir daddr dport state sco dco sas das
> 12:28:55.523218 udp 1.2.3.4.64507 <-> 15.15.15.15.53 CON
> 12:28:55.597702 udp 1.2.3.4.32771 <- 2.3.4.5.53 RSP
> 12:28:55.647515 udp 1.2.3.4.60581 <-> 15.15.15.15.53 CON
>
> You can see nothing shows up; if I use 3.0.5.34, it seems to be working. My ralabel.conf has these few lines enabled:
>
> RALABEL_ARIN_COUNTRY_CODES=yes
> RA_DELEGATED_IP="/nsmon/file/delegated-ipv4-latest"
> RALABEL_GEOIP_ASN=yes
> RALABEL_GEOIP_ASN_FILE="/nsmon/file/GeoIPASNum.dat"
>
> Cheers!
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
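The sCo/dCo columns in Carter's output (ZZ for the private 10.0.1.5 source, US for the root-server peers) are what RALABEL_ARIN_COUNTRY_CODES=yes produces from the RA_DELEGATED_IP file. As an added illustration (not argus-clients code), here is a minimal lookup over the RIR delegated-stats format that file uses; the records embedded below are constructed samples, not real allocation data, and the ZZ fallback is an assumption that matches the output above.

```python
"""Country-code labelling from a delegated-ipv4 file, in the spirit of what
ralabel does for RALABEL_ARIN_COUNTRY_CODES=yes / RA_DELEGATED_IP.
Added example, not argus-clients code.  The records below are constructed
samples in the delegated-stats layout (registry|cc|type|start|value|date|status)."""
import ipaddress
from bisect import bisect_right

# Constructed sample file: a version header, a summary line and three ipv4 records.
DELEGATED_SAMPLE = """\
2|arin|20120601|3|19830101|20120601|-0400
arin|*|ipv4|*|3|summary
arin|US|ipv4|128.2.0.0|65536|19840101|assigned
arin|US|ipv4|192.5.6.0|256|19840101|assigned
arin|US|ipv4|198.41.0.0|65536|19930101|assigned
"""


def parse_delegated(text):
    """Return a sorted list of (first_ip, last_ip, cc) for the ipv4 records."""
    ranges = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Version header and summary lines have fewer fields or a non-ipv4 type.
        if len(fields) < 7 or fields[2] != "ipv4":
            continue
        start = int(ipaddress.IPv4Address(fields[3]))
        size = int(fields[4])            # 'value' is the number of addresses
        ranges.append((start, start + size - 1, fields[1]))
    ranges.sort()
    return ranges


def country_code(ranges, addr):
    """Binary-search addr; 'ZZ' (unknown) for anything not delegated, e.g. RFC1918."""
    ip = int(ipaddress.IPv4Address(addr))
    i = bisect_right([r[0] for r in ranges], ip) - 1
    if i >= 0 and ranges[i][0] <= ip <= ranges[i][1]:
        return ranges[i][2]
    return "ZZ"


def label_flow(ranges, saddr, daddr):
    """Produce the (sco, dco) pair a flow record would be labelled with."""
    return country_code(ranges, saddr), country_code(ranges, daddr)
```

A file that parses to zero ipv4 records (wrong path, or an IPv6-only file) yields ZZ for every address, which is one way the empty columns CS Lee reports could arise.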