dintdistact and similar data

David Edelman dedelman at iname.com
Tue Jul 9 17:08:19 EDT 2013


Actually XML is quite reasonable as long as there are tools like xmlstarlet
available to make scripting a reasonable activity. The hex printer is quite
nice for user data but I think that it would be unwieldy for most anything
else.

By all means let us close out the current wave before we add any of this.

--Dave

-----Original Message-----
From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Tuesday, July 09, 2013 10:27 AM
To: David Edelman
Cc: 'Argus'
Subject: Re: [ARGUS] dintdistact and similar data

Hey Dave,
Sorry for the delayed response.

OK, so framing for these free format outputs is a head scratcher.
I don't like the " hex " printer, given we have a line oriented
context for the printout.

The XML support can provide some means to " chunk " out the data.

I very much like the " usermeta " field. We have most of the data
you want to printout already in the ARGUS_USERDATA_DSR, and there
is a lot more that will be useful as we go.  Such as, "what expression
was used to grep this flow record" would be something to consider
in the metadata output.

With this concept, we should look to how the other DSRs can
benefit from a metadata field.

OK, so let's close out argus[-clients]-3.0.8 and then add this for
the next wave.  Is that cool?

Carter

On Jul 4, 2013, at 4:35 PM, David Edelman <dedelman at iname.com> wrote:

> Carter,
> 
> I don't have any immediate need for them but I expect that I will at some
> time. I was just looking to see how ra printed a metric that has multiple
> values.
> 
> The real intention was proposing the creation of a DSR with a small amount
> of metadata describing the contents of the captured user data with
> information about both source and destination user data capture
> intermingled in a single DSR to preserve the sequence information.
> 
> For each "chunk" I was thinking about something like:
> 	Flag for SRC or DST
> 	UNIX timestamp
> 	Length of the user data on the wire
> 	Length of user data that was captured (due to snap length, user
> specified total capture size, or total available capture length limit)
> 
> If the SRC/DST flags and the capture lengths could be exposed as a parameter
> for -s then quite a bit of information could be exploited without the need
> to write a formal client. More sophisticated clients that dealt directly with
> the DSRs could provide much more information.
> 
> Effectively something like this would be very nice to have:
> 
> $ ra -r thefile -s stime proto saddr sport dir daddr dport usermeta suser
> duser -M printer='hex'  -L -1 -u
> 
> 12345678.123456 udp  1.2.3.4 15320 -> 2.3.4.5 53 s:68,d125,s68,d68
> 0x000000 .........
> 
> 0x000000 ......
> 
> 
> Does this make sense to anyone but me?
> 
> --Dave
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Thursday, July 04, 2013 3:42 PM
> To: David Edelman
> Cc: Argus
> Subject: Re: [ARGUS] dintdistact and similar data
> 
> Hey Dave,
> This is a place holder for printing the various interpacket arrival time
> histograms that we have support for, but haven't turned on yet.  Same for
> packet size histograms, which are implemented but also not turned on.  Was
> going to do them for argus-3.0.8.
> 
> Do you have any need for them?
> 
> Carter
> 
> 
> On Jul 4, 2013, at 11:44 AM, "David Edelman" <dedelman at iname.com> wrote:
> 
>> Carter,
>> 
>> I'm pretty sure that I enabled all the right things in argus.conf but I
>> don't get anything when I specify -s +dintdistact as an option to ra.
>> ra is 3.0.7.10 and argus is 3.0.7.1. I do get the MAC addresses and user
>> data so I'm sure that the configuration file is being read and there is only
>> one argus.conf file on the system.
>> 
>> What should I be looking for?
>> 
>> --Dave
>> 
>> 
>> ARGUS_FLOW_TYPE="Bidirectional"
>> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
>> ARGUS_DAEMON=yes
>> ARGUS_MONITOR_ID=`hostname`    // IPv4 address returned
>> ARGUS_ACCESS_PORT=561
>> ARGUS_INTERFACE=eth2
>> ARGUS_GO_PROMISCUOUS=yes
>> ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
>> ARGUS_SET_PID=yes
>> ARGUS_PID_PATH="/var/run"
>> ARGUS_FLOW_STATUS_INTERVAL=5
>> ARGUS_MAR_STATUS_INTERVAL=60
>> ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
>> ARGUS_GENERATE_PACKET_SIZE=yes
>> ARGUS_GENERATE_JITTER_DATA=yes
>> ARGUS_GENERATE_MAC_DATA=yes
>> ARGUS_GENERATE_APPBYTE_METRIC=yes
>> ARGUS_GENERATE_TCP_PERF_METRIC=yes
>> ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=yes
>> ARGUS_CAPTURE_DATA_LEN=1024
>> ARGUS_TUNNEL_DISCOVERY="yes"
>> ARGUS_KEYSTROKE="yes"
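The per-chunk user-data metadata Dave sketches above (SRC/DST flag, UNIX timestamp, length on the wire, length actually captured) can be made concrete with a small model. The following is an added example, not argus or ra code: the record layout, the field and function names, the binary framing, the `s:68,d:125` summary format and the sample packets are all assumptions chosen to illustrate the idea. It reuses the 1024-byte figure from `ARGUS_CAPTURE_DATA_LEN` in the quoted argus.conf as the per-flow capture budget, so that the difference between wire length and captured length, the detail that tells an analyst whether a missing payload pattern was absent or simply not captured, shows up in the output.

```python
"""Hypothetical sketch of the proposed per-chunk user-data metadata.

Added example, not argus code.  Record layout, names, framing and the
summary format are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple
import struct

# Mirrors ARGUS_CAPTURE_DATA_LEN=1024 from the quoted argus.conf: the total
# number of user-data bytes retained per flow (assumed semantics).
CAPTURE_DATA_LEN = 1024


@dataclass(frozen=True)
class UserDataChunk:
    direction: str      # 's' = src->dst payload, 'd' = dst->src payload
    timestamp: float    # UNIX timestamp of the packet that carried the payload
    wire_len: int       # payload bytes seen on the wire
    captured_len: int   # payload bytes actually retained

    @property
    def truncated(self) -> bool:
        # True when snaplen / capture budget cut this chunk short.
        return self.captured_len < self.wire_len


def capture_chunk(direction: str, timestamp: float, payload: bytes,
                  budget: int) -> Tuple[UserDataChunk, int]:
    """Record one payload under the remaining capture budget.

    Returns the chunk and the budget left for later packets."""
    keep = min(len(payload), budget)
    return UserDataChunk(direction, timestamp, len(payload), keep), budget - keep


def capture_flow(packets, limit: int = CAPTURE_DATA_LEN) -> List[UserDataChunk]:
    """Walk packets of one flow in arrival order, keeping SRC and DST chunks
    interleaved so the sequence information is preserved."""
    chunks: List[UserDataChunk] = []
    remaining = limit
    for direction, ts, payload in packets:
        chunk, remaining = capture_chunk(direction, ts, payload, remaining)
        chunks.append(chunk)
    return chunks


def summarize(chunks: List[UserDataChunk]) -> str:
    """Compact one-line rendering of captured lengths, e.g. 's:68,d:125'
    (assumed format, loosely modelled on the proposal in the thread)."""
    return ",".join(f"{c.direction}:{c.captured_len}" for c in chunks)


# Assumed wire format for one chunk record: direction byte, 3 pad bytes,
# float64 timestamp, uint32 wire length, uint32 captured length (20 bytes).
CHUNK_FMT = "!cxxxdII"
CHUNK_SIZE = struct.calcsize(CHUNK_FMT)


def encode(chunks: List[UserDataChunk]) -> bytes:
    return b"".join(
        struct.pack(CHUNK_FMT, c.direction.encode("ascii"), c.timestamp,
                    c.wire_len, c.captured_len)
        for c in chunks)


def decode(blob: bytes) -> List[UserDataChunk]:
    if len(blob) % CHUNK_SIZE:
        raise ValueError("chunk blob length is not a multiple of the record size")
    out = []
    for off in range(0, len(blob), CHUNK_SIZE):
        d, ts, wire, cap = struct.unpack_from(CHUNK_FMT, blob, off)
        out.append(UserDataChunk(d.decode("ascii"), ts, wire, cap))
    return out


# Constructed sample: a UDP exchange with four payloads, alternating direction.
SAMPLE_PACKETS = [
    ("s", 1373000000.100, b"A" * 68),
    ("d", 1373000000.120, b"B" * 125),
    ("s", 1373000000.140, b"C" * 68),
    ("d", 1373000000.160, b"D" * 68),
]

if __name__ == "__main__":
    full = capture_flow(SAMPLE_PACKETS)
    print(summarize(full))                       # s:68,d:125,s:68,d:68
    short = capture_flow(SAMPLE_PACKETS, limit=200)
    print(summarize(short))                      # s:68,d:125,s:7,d:0
    print([c.truncated for c in short])          # [False, False, True, True]
    assert decode(encode(full)) == full
```

With the full 1024-byte budget every chunk is intact; with a 200-byte budget the third chunk is cut to 7 bytes and the fourth to 0, and the `truncated` flag makes that visible per chunk rather than leaving the reader of `suser`/`duser` to guess why the payload ends early.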