Argus Client Problems Reading with Record Offsets
Dave Edelman
dedelman at iname.com
Sun Nov 25 16:51:38 EST 2012
I've just started to experiment with rasqltimeindex and after a bit of
tinkering I have time index information for about three years of flow
information files. While I was verifying the accuracy of the data, I
discovered two interesting facts:
- Argus clients are able to provide accurate starting offsets for records in
a compressed archive but they are unable to use the offset values to
subsequently retrieve records or record ranges. This is not a problem if the
file is uncompressed and then read using the record offsets.
- A read with a starting and ending offset does not return the final record.
ra -r snk.2012.02.05.22.gz -s +offset -L 10
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State Offset
Sun 2012-02-05 22:59:59.740 Ne tcp xxx.xx.105.63.53890 -> xx.xx.70.5.657 1 60 REQ 18887684
Sun 2012-02-05 22:59:59.816 Ne tcp xxx.xxx.137.13.34313 -> xxx.xx.65.222.8000 1 60 REQ 18887792
Sun 2012-02-05 22:59:59.860 Ne tcp xxx.xx.153.150.2977 -> xxx.xx.139.178.80 1 48 REQ 18887900
Sun 2012-02-05 22:59:59.860 Ne tcp xxx.xx.153.150.2978 -> xx.xx.210.24.80 1 48 REQ 18888008
Sun 2012-02-05 22:59:59.924 Ne tcp xx.xxx.105.212.50657 -> xxx.xx.70.5.657 1 60 REQ 18888116
ra -r snk.2012.02.05.22.gz::18887900:18888116 -s +offset

gunzip snk.2012.02.05.22.gz

ra -r snk.2012.02.05.22::18887900:18888116 -s +offset
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State Offset
Sun 2012-02-05 22:59:59.860 Ne tcp xxx.xx.153.150.2977 -> xxx.xx.139.178.80 1 48 REQ 18887900
Sun 2012-02-05 22:59:59.860 Ne tcp xxx.xx.153.150.2978 -> xx.xx.210.24.80 1 48 REQ 18888008
I still have a bit more tinkering to do on the rasql end of things; I'll
keep the list informed of any progress.
--Dave
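The two observations in the post (decompressed-stream offsets that cannot be used directly against the .gz file, and a start:end range that drops the record starting at the end offset) can be reproduced on a small constructed file. The following is an added example, not code from the post or from the argus project; the 108-byte fixed record layout is constructed for illustration (it only mirrors the 108-byte stride of the offsets shown above and is not the argus record format), and the assumption that the client applies the decompressed offset to raw compressed bytes is a hypothesis, not something the post confirms.

```python
"""Added example: read fixed-size records by byte offset from an uncompressed
file and from a gzip archive, comparing inclusive and exclusive end offsets.
The record layout is constructed for illustration only."""
import gzip
import os
import random
import struct
import tempfile

REC_LEN = 108  # constructed stride; the offsets in the post are also 108 bytes apart


def make_records(count, seed=1):
    """Build `count` constructed records. Each record starts with its own byte
    offset (big-endian u64) followed by pseudo-random payload, so a reader can
    verify that it landed on a record boundary."""
    rng = random.Random(seed)
    out = bytearray()
    for i in range(count):
        header = struct.pack(">Q", i * REC_LEN)
        payload = bytes(rng.getrandbits(8) for _ in range(REC_LEN - len(header)))
        out += header + payload
    return bytes(out)


def read_range(fobj, start, end, inclusive_end=True):
    """Return the stored offsets of every record whose start lies in
    [start, end] (inclusive_end=True) or [start, end) (inclusive_end=False).

    `fobj` may be a plain binary file or a gzip.GzipFile. GzipFile.seek() in
    read mode decompresses forward to the requested *decompressed* offset, so
    offsets measured on the decompressed stream remain valid through it."""
    fobj.seek(start)
    found = []
    while True:
        pos = fobj.tell()
        if pos > end or (pos == end and not inclusive_end):
            break
        rec = fobj.read(REC_LEN)
        if len(rec) < REC_LEN:
            break  # end of file
        stored = struct.unpack(">Q", rec[:8])[0]
        if stored != pos:
            raise ValueError(f"offset {pos} is not a record boundary")
        found.append(stored)
    return found


def demo():
    """Write the constructed records plain and gzip-compressed, then read the
    same offset range four ways. Returns a dict of results for inspection."""
    data = make_records(6)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "snk.bin")   # constructed file names
        gz = plain + ".gz"
        with open(plain, "wb") as f:
            f.write(data)
        with gzip.open(gz, "wb") as f:
            f.write(data)

        # Range covering three record starts (3rd, 4th and 5th record),
        # analogous to 18887900:18888116 in the post.
        start, end = 2 * REC_LEN, 4 * REC_LEN

        with open(plain, "rb") as f:   # exclusive end drops the last record
            results["plain_exclusive"] = read_range(f, start, end, inclusive_end=False)
        with open(plain, "rb") as f:   # inclusive end returns all three
            results["plain_inclusive"] = read_range(f, start, end, inclusive_end=True)
        with gzip.open(gz, "rb") as f:  # decompressed offsets work via gzip.open
            results["gzip_inclusive"] = read_range(f, start, end, inclusive_end=True)
        with open(gz, "rb") as f:      # the same offsets on raw compressed bytes do not
            try:
                read_range(f, start, end, inclusive_end=True)
                results["raw_gzip_seek_ok"] = True
            except ValueError:
                results["raw_gzip_seek_ok"] = False
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The exclusive-end read returns only the first two records of the range, which is the symptom reported above; the raw seek into the .gz file fails the boundary check, which is what one would expect if a client applied decompressed-stream offsets to compressed bytes, while seeking through a decompressing reader keeps them valid.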