dintdistact and similar data

David Edelman dedelman at iname.com
Thu Jul 4 16:35:05 EDT 2013


Carter,

I don't have any immediate need for them but I expect that I will at some
time. I was just looking to see how ra printed a metric that has multiple
values.

The real intention was proposing the creation of a DSR with a small amount
of metadata describing the contents of the captured user data with
information about both source and destination user data capture
intermingled in a single DSR to preserve the sequence information.

For each "chunk" I was thinking about something like:
	Flag for SRC or DST
	UNIX timestamp
	Length of the user data on the wire
	Length of user data that was captured (due to snap length, user
specified total capture size, or total available capture length limit)

If the SRC/DST flags and the capture lengths could be exposed as a parameter
for -s then quite a bit of information could be exploited without the need
to write a formal client. More sophisticated clients that dealt directly with
the DSRs could provide much more information.

Effectively something like this would be very nice to have:

$ ra -r thefile -s stime proto saddr sport dir daddr dport usermeta suser
duser -M printer='hex'  -L -1 -u

12345678.123456 udp  1.2.3.4 15320 -> 2.3.4.5 53 s:68,d125,s68,d68
0x000000 .........

0x000000 ......


Does this make sense to anyone but me?

--Dave
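The chunk layout sketched above, worked through as an added example (not code from the Argus project or from anyone in this thread): the byte layout, the `Chunk`/`encode`/`decode`/`summary` names and the sample exchange are all assumptions made for the illustration.

```python
import struct
from collections import namedtuple

# Assumed layout for one chunk of the proposed DSR (an assumption for this
# example, not a real Argus DSR): direction flag, UNIX timestamp (sec + usec),
# length on the wire, length actually captured, then the captured bytes.
CHUNK_HDR = struct.Struct("!BIIHH")  # dir, sec, usec, wire_len, cap_len
SRC, DST = 0, 1
# data holds the captured bytes; len(data) may be < wire_len (snap length)
Chunk = namedtuple("Chunk", "direction sec usec wire_len data")

def encode(chunks: list) -> bytes:
    # Chunks are written in arrival order, so SRC/DST interleaving is preserved.
    out = bytearray()
    for c in chunks:
        out += CHUNK_HDR.pack(c.direction, c.sec, c.usec, c.wire_len, len(c.data))
        out += c.data
    return bytes(out)

def decode(buf: bytes) -> list:
    # Parse back to chunks, refusing headers or payloads that overrun the buffer.
    chunks, off = [], 0
    while off < len(buf):
        if off + CHUNK_HDR.size > len(buf):
            raise ValueError("truncated chunk header at offset %d" % off)
        d, sec, usec, wire_len, cap_len = CHUNK_HDR.unpack_from(buf, off)
        off += CHUNK_HDR.size
        if d not in (SRC, DST) or cap_len > wire_len or off + cap_len > len(buf):
            raise ValueError("malformed chunk at offset %d" % off)
        chunks.append(Chunk(d, sec, usec, wire_len, buf[off:off + cap_len]))
        off += cap_len
    return chunks

def summary(chunks: list) -> str:
    # One-line view like the 's:68,d125,...' column sketched in the mail:
    # direction letter and captured length, with '/wire' when capture fell short.
    parts = []
    for c in chunks:
        tag, cap = ("s" if c.direction == SRC else "d"), len(c.data)
        parts.append("%s:%d" % (tag, cap) if cap == c.wire_len else "%s:%d/%d" % (tag, cap, c.wire_len))
    return ",".join(parts)

SAMPLE = [  # constructed query/response exchange; the third chunk was snapped short
    Chunk(SRC, 1372952400, 123456, 68, b"Q" * 68),
    Chunk(DST, 1372952400, 124000, 125, b"R" * 125),
    Chunk(SRC, 1372952401, 500, 68, b"Q" * 64),
]
```

`summary(decode(encode(SAMPLE)))` gives `s:68,d:125,s:64/68`, so a reader of the -s column can see both the direction sequence and which chunks were cut short by the snap length.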





-----Original Message-----
From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Thursday, July 04, 2013 3:42 PM
To: David Edelman
Cc: Argus
Subject: Re: [ARGUS] dintdistact and similar data

Hey Dave,
This is a place holder for printing the various interpacket arrival time
histograms
that we have support for, but haven't turned on yet.  Same for packet size
histograms,
which are implemented but also not turned on.  Was going to do them for
argus-3.0.8.

Do you have an need for them?

Carter


On Jul 4, 2013, at 11:44 AM, "David Edelman" <dedelman at iname.com> wrote:

> Carter,
> 
> I'm pretty sure that I enabled all the right things in argus.conf but I
> don't get anything when I specify -s +dintdistact as an option to ra.
> ra is 3.0.7.10 and argus is 3.0.7.1. I do get the MAC addresses and user
> data so I'm sure that the configuration file is being read and there is only
> one argus.conf file on the system.
> 
> What should I be looking for?
> 
> --Dave
> 
> 
> ARGUS_FLOW_TYPE="Bidirectional"
> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
> ARGUS_DAEMON=yes
> ARGUS_MONITOR_ID=`hostname`    // IPv4 address returned
> ARGUS_ACCESS_PORT=561
> ARGUS_INTERFACE=eth2
> ARGUS_GO_PROMISCUOUS=yes
> ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
> ARGUS_SET_PID=yes
> ARGUS_PID_PATH="/var/run"
> ARGUS_FLOW_STATUS_INTERVAL=5
> ARGUS_MAR_STATUS_INTERVAL=60
> ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
> ARGUS_GENERATE_PACKET_SIZE=yes
> ARGUS_GENERATE_JITTER_DATA=yes
> ARGUS_GENERATE_MAC_DATA=yes
> ARGUS_GENERATE_APPBYTE_METRIC=yes
> ARGUS_GENERATE_TCP_PERF_METRIC=yes
> ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=yes
> ARGUS_CAPTURE_DATA_LEN=1024
> ARGUS_TUNNEL_DISCOVERY="yes"
> ARGUS_KEYSTROKE="yes"
> 
> 
> 
> 
> 




