Fwd: Fwd: Why is the pcap file time different from the argus file?

Rahimeh Khodadadi rahimeh.khodadadi at gmail.com
Thu Jul 18 08:09:56 EDT 2013


Hi,

When I use the time function to convert the time, the duration field gets a false value.
This is my command to convert the time:
update argus.ze1 set stime=FROM_UNIXTIME(stime, '%Y-%m-%d-%h:%i:%s %x') ;
I use it for the stime, ltime and dur fields:

stime                    ltime                     dur
2013-07-11-12:47:42      '2013-07-11-01:34:08 '    '04:16:26'

but the dur field should contain only min, sec

???





On Thu, Jul 18, 2013 at 11:16 AM, Rahimeh Khodadadi <
rahimeh.khodadadi at gmail.com> wrote:

> Thanks Carter, I just ran the command you said, but sas and das are 0.
> Is there something in the config file that I should change?
>
>
>
>
> On Wed, Jul 17, 2013 at 3:48 AM, Carter Bullard <carter at qosient.com> wrote:
>
>> To get the right format for time, get rid of the " -u " option.
>>
>> Your -M options are not going to do anything, so get rid of them.
>> You don't need to use sco in your flow key, when you have the saddr,
>> the two together will be invariant.  So in this case don't use the -m
>> option.
>>
>> To get the source and destination AS numbers, use the correct field
>> name, sas and das.  cco is not a printable field, that is a directive for
>> ralabel.conf.
>>
>> So try this:
>>
>>    rasqlinsert  -r /usr/ze1.argus -w mysql://root@localhost/argus/ze1 \
>>       -s stime ltime dur srcid flgs proto saddr sport dir daddr dport
>> pkts \
>>       bytes state spkts dpkts sbytes dbytes dco sco das sas rate
>>
>> Be sure to drop the ze1 table before you try to insert data.
>> Carter
>>
>> On Jul 16, 2013, at 5:57 PM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>>
>> This is the command I use to insert into MySQL:
>> rasqlinsert -r /usr/ze1.argus -u -n -w mysql://root@localhost/argus/ze1 \
>>     -M asn,flow,net,metric -m srcid proto saddr sport daddr dport sco \
>>     -s stime ltime dur srcid flgs proto saddr sport dir daddr dport pkts bytes state \
>>        spkts dpkts sbytes dbytes cco dco sco asn rate
>>
>> I use the latest version of the argus tools.
>>
>> I tried again to change the time, but it hasn't changed.
>> What should I send? The Excel files?
>>
>>
>> On Wed, Jul 17, 2013 at 2:03 AM, Matt Brown <matthewbrown at gmail.com> wrote:
>>
>>> Cool.  When you are done, send it along, I'd like to read it.
>>>
>>> I asked about how you are running rasqlinsert, can you answer those
>>> questions?  Also mention the versions.
>>>
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>>
>>> On Jul 16, 2013, at 5:17 PM, Rahimeh Khodadadi <
>>> rahimeh.khodadadi at gmail.com> wrote:
>>>
>>> Thanks Matt, yes these data are right, but the date is wrong; the traffic
>>> is from some months ago.
>>> I need it for my thesis on malware detection.
>>>
>>>
>>>
>>> On Wed, Jul 17, 2013 at 12:42 AM, Matt Brown <matthewbrown at gmail.com> wrote:
>>>
>>>> What do you mean you use rasqlinsert to produce an excel file?
>>>>
>>>> I took that file and converted it to csv using a python script and
>>>> grabbed the output values:
>>>>
>>>> stime   ltime
>>>> 1372259431.683500       1372259921.730430
>>>> 1372259314.034800       1372259925.130720
>>>> 1372259654.367450       1372259672.024800
>>>> 1372259654.311510       1372259672.024230
>>>> 1372259654.319140       1372259672.024530
>>>> 1372259318.612620       1372259328.224180
>>>> 1372259651.333600       1372259660.941450
>>>> 1372259655.098180       1372259664.705390
>>>> 1372259637.994970       1372259647.598410
>>>> 1372259635.910490       1372259645.510330
>>>> 1372259637.031860       1372259646.652200
>>>> 1372259643.740570       1372259653.340660
>>>> 1372259636.938400       1372259646.547430
>>>> 1372259655.281570       1372259664.891150
>>>> 1372259616.605260       1372259630.180310
>>>> 1372259616.611370       1372259634.127200
>>>>
>>>> Can you confirm these are the numbers in those columns?  If not, then
>>>> the rest of this email is irrelevant.
>>>>
>>>>
>>>> These are unix times.
>>>>
>>>> Natively, in Excel, you can convert these as follows:
>>>>
>>>> 1) Highlight the cells
>>>> 2) Go to Format> Cells
>>>> 3) Under Category select Date on the left side of the Format Cells
>>>> window
>>>> 4) Under Type on the right side of the Format Cells window select the
>>>> relevant display format that you'd like to render the floats.
>>>> 5) Click OK
>>>>
>>>> Oddly, Excel wouldn't handle the conversion reporting the datetimes as
>>>> "negative"...
>>>>
>>>> Instead, I used LibreOffice calc and converted the stime column as
>>>> follows:
>>>>
>>>> 09/16/23466 16:24:14
>>>> 05/22/23466 00:50:07
>>>> 04/27/23467 08:49:08
>>>> 04/27/23467 07:28:34
>>>> 04/27/23467 07:39:34
>>>> 05/26/23466 14:42:10
>>>> 04/24/23467 08:00:23
>>>> 04/28/23467 02:21:23
>>>> 04/10/23467 23:52:45
>>>> 04/08/23467 21:51:06
>>>> 04/10/23467 00:45:53
>>>> 04/16/23467 17:46:25
>>>> 04/09/23467 22:31:18
>>>> 04/28/23467 06:45:28
>>>> 03/20/23467 14:31:34
>>>> 03/20/23467 14:40:22
>>>>
>>>>
>>>> Carter will be happy because his software is still being used 21454
>>>> years from now, and people have figured out how to send email back in time.
>>>>
>>>> These numbers are VERY odd.  What are you doing to derive them?  Using
>>>> rasqlinsert()?  What is your rasqlinsert() command line invocation?
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>>
>>>> On Jul 16, 2013, at 4:03 PM, Rahimeh Khodadadi <
>>>> rahimeh.khodadadi at gmail.com> wrote:
>>>>
>>>> Yes, but if I use rasqlinsert to produce an Excel file it is the same.
>>>> Thanks for your quick reply.
>>>>
>>>>
>>>> On Wed, Jul 17, 2013 at 12:20 AM, Matt Brown <matthewbrown at gmail.com> wrote:
>>>>
>>>>> How are you getting these data values?  Via MySQL query browser?
>>>>>
>>>>>  Read docs on...
>>>>>> Mysql's: unix_timestamp(), str_to_date()
>>>>>>
>>>>>
>>>>> These will help you specify your queries.
>>>>>
>>>>>
>>>>> On Jul 16, 2013, at 3:48 PM, Rahimeh Khodadadi <
>>>>> rahimeh.khodadadi at gmail.com> wrote:
>>>>>
>>>>> Read docs on...
>>>>> Mysql's: unix_timestamp(), str_to_date()
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> With Best Regards
>>>> Rahimeh Khodadadi
>>>>
>>>>
>>>
>>>
>>> --
>>> With Best Regards
>>> Rahimeh Khodadadi
>>>
>>>
>>
>>
>> --
>> With Best Regards
>> Rahimeh Khodadadi
>>
>>
>>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>
>


-- 
With Best Regards
Rahimeh Khodadadi
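Added example for the conversion question in the message above (this is editor-supplied code, not code from the thread, from the argus project or from MySQL). It loads three of the stime/ltime pairs quoted earlier in the thread into an in-memory SQLite table shaped like the rasqlinsert output (stime, ltime and dur as REAL; the dur values are computed here as ltime - stime because the quoted dump did not include that column) and formats the timestamps at SELECT time instead of overwriting the stored numbers with an UPDATE, so that ltime - stime still works afterwards. SQLite's strftime(fmt, value, 'unixepoch') stands in for MySQL's FROM_UNIXTIME(stime, '%Y-%m-%d %H:%i:%s'); note %H (24-hour clock) rather than %h (12-hour clock, which drops AM/PM), and SEC_TO_TIME(dur) for the duration in MySQL. The last output column shows why dur must not go through the epoch conversion at all: a duration of N seconds comes back as a time of day on 1970-01-01 (15386 seconds would print as 04:16:26), which is the shape of the dur value reported above.

```python
import sqlite3
from datetime import datetime, timezone

# stime/ltime pairs copied from the epoch values quoted in this thread;
# dur is not in that dump, so it is computed here as ltime - stime.
SAMPLE_ROWS = [
    (1372259431.683500, 1372259921.730430),
    (1372259314.034800, 1372259925.130720),
    (1372259654.367450, 1372259672.024800),
]


def load_table(rows=SAMPLE_ROWS):
    """In-memory stand-in for the rasqlinsert table: stime and ltime are
    epoch seconds (REAL), dur is a length of time in seconds (REAL)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ze1 (stime REAL, ltime REAL, dur REAL)")
    con.executemany(
        "INSERT INTO ze1 VALUES (?, ?, ?)",
        [(s, l, round(l - s, 6)) for s, l in rows],
    )
    return con


def format_rows(con):
    """Render the timestamps at SELECT time; the stored numbers stay intact.
    SQLite spelling here; the MySQL equivalents are
    FROM_UNIXTIME(stime, '%Y-%m-%d %H:%i:%s') and SEC_TO_TIME(dur).
    The last column deliberately pushes the duration through the epoch
    conversion to show the mistake: it comes out as a time of day on
    1970-01-01, not as a length of time."""
    sql = """
        SELECT strftime('%Y-%m-%d %H:%M:%S', stime, 'unixepoch') AS stime_utc,
               strftime('%Y-%m-%d %H:%M:%S', ltime, 'unixepoch') AS ltime_utc,
               dur                                             AS dur_seconds,
               strftime('%H:%M:%S', dur, 'unixepoch')          AS dur_misread
        FROM ze1
        ORDER BY stime
    """
    return [tuple(row) for row in con.execute(sql)]


def epoch_to_utc(ts):
    """Python-side reference conversion (UTC, 24-hour clock), used to check
    that the SQL output is not silently shifted by a local time zone."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def check_consistency(con):
    """True when every SQL-formatted stime matches the Python conversion and
    every stored dur equals ltime - stime (to well under a millisecond)."""
    for stime, ltime, dur in con.execute("SELECT stime, ltime, dur FROM ze1"):
        (sql_stime,) = con.execute(
            "SELECT strftime('%Y-%m-%d %H:%M:%S', ?, 'unixepoch')", (stime,)
        ).fetchone()
        if sql_stime != epoch_to_utc(stime):
            return False
        if abs((ltime - stime) - dur) > 1e-5:
            return False
    return True


if __name__ == "__main__":
    con = load_table()
    for row in format_rows(con):
        print(row)
    print("consistent:", check_consistency(con))
```

Run it directly to print the three formatted rows and the consistency check. Against the real MySQL table only the function names in the SELECT change; the pattern of leaving stime, ltime and dur as numbers and formatting them on the way out is the same.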