Time window issue

Carter Bullard carter at qosient.com
Wed Jun 12 08:06:27 EDT 2013


The " -w file " writes a binary file that can be read by the argus client programs.

   ra -r argus.csv

When rabins() reads records from a file, you don't need the "-B 10s" option.
The " -m proto sport dport saddr daddr " is the default, so this is not needed.

Your second example has many many errors.
For racluster() there are no " -T "," -B ", or " -W " options.
Your ralabel() command is reading from a file, so the racluster() isn't doing anything.
Using " + " in the "-M dsrs=" option doesn't do anything, and in your " -s fields " option
you probably don't want the +'s.  You insert a label with ralabel(), but you don't print it?
Why not try something simple first and then build up?

   ra -r /usr/argus/data/argus.out
   ra -r /usr/argus/data/argus.out -w - | ra

   racluster -r /usr/argus/data/argus.out
   racluster -r /usr/argus/data/argus.out -w - | ra -s +sco +dco -c ,

This will let you see how the pipes work with binary data.

Use some temporary files to make it manageable at first....
 
   ralabel -r /usr/argus/data/argus.out -f /usr/local/argus/ralabel.conf  -w /tmp/argus.label.out

   ra -r /tmp/argus.label.out -s stime dur saddr sport dir daddr dport pkts label

Try something like this
   racluster -r /tmp/argus.label.out -m sco dco -s stime dur sco dir dco pkts bytes
   racluster -r /tmp/argus.label.out -m matrix/24 -s stime dur saddr dir daddr trans pkts bytes

So you can see how racluster() works. 
If you want a csv, 

   ra -r /tmp/argus.label.out -s +label -c,

Play with it for a while to see what each program does, and see what the fields do.
Then, you can quickly move to printing out many fields etc.....

Carter


On Jun 12, 2013, at 2:08 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:

> Hi Carter,
> 
> Thanks for your quick reply. I followed your advice, but when I open the file to read it, it is not legible as UTF-8; I attached the file. My command is:
> 
>   rabins  -M time 5m  -B 10s -m proto sport dport saddr daddr -r /usr/argus/data/argus.out -w argus.csv
> 
> and if I use the command below, it does work; note that I changed "ARGUS_FLOW_STATUS_INTERVAL=300", but the features of the output file are replicated. I attached it to the mail too:
> 
> racluster  -T 300 -B 10 -p 3 -u -Z b -W -| /usr/local/bin/ralabel -r /usr/argus/data/argus.out - -f /usr/local/argus/ralabel.conf -c "," -M dsrs=+metric,+agr,+psize,+cocode -n -p 3 -u -Z b -s  "+ltime,+stime,+trans,+dur,+mean,+sco,+dco,+pkts,+spkts,+dpkts,+bytes" > racluster.csv 
> 
> Please help!!!
> 
> Thanks in advance,
> Rahimeh 
> 
> <racluster.csv><argus.csv>
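To make concrete what the reply is getting at with "see how racluster() works", here is an added example (not part of the argus distribution, nor of either message above) that re-implements in plain Python the merge racluster performs when it is given an aggregation key such as "-m saddr daddr" or "-m sco dco": records sharing the key are folded into one record whose packet and byte counters are summed, whose time span covers all merged records, and whose transaction count records how many flows were folded. The input is a constructed sample in the comma-separated form that "ra -c , -s ..." prints; the column titles (StartTime, Dur, SrcAddr, DstAddr, TotPkts, TotBytes, Label) are assumed to match ra's defaults, and the timestamps are constructed epoch values.

```python
"""Simplified model of racluster's key-based aggregation over ra CSV output.

Added illustration, not argus code. It assumes the column titles that
`ra -c ,` prints for the fields named in `-s`, and that `-u` style epoch
timestamps are in use so StartTime can be parsed as a float.
"""
import csv
import io
from collections import OrderedDict

# Constructed sample: roughly what
#   ra -r /tmp/argus.label.out -s stime dur saddr sport dir daddr dport pkts bytes label -c ,
# could print after ralabel() has inserted a label. Values are made up.
SAMPLE_CSV = """\
StartTime,Dur,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,Label
1371016800.000000,1.5,10.0.0.5,51000,->,192.0.2.10,80,12,5400,web
1371016801.000000,0.8,10.0.0.5,51001,->,192.0.2.10,80,8,3100,web
1371016803.000000,2.0,10.0.0.7,40000,->,192.0.2.20,53,2,180,dns
1371016810.000000,0.2,10.0.0.5,51002,->,192.0.2.20,53,2,170,dns
"""


def parse_ra_csv(text):
    """Read ra's comma-separated output (title line first) into dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def cluster(records, key_fields):
    """Merge records that share key_fields, as racluster -m <key> does (simplified).

    For each distinct key: stime = earliest start, ltime = latest end,
    dur = ltime - stime, pkts/bytes summed, trans = number of merged flows.
    """
    merged = OrderedDict()
    for rec in records:
        key = tuple(rec[f] for f in key_fields)
        stime = float(rec["StartTime"])
        ltime = stime + float(rec["Dur"])
        pkts = int(rec["TotPkts"])
        byts = int(rec["TotBytes"])
        if key not in merged:
            merged[key] = {"stime": stime, "ltime": ltime,
                           "pkts": pkts, "bytes": byts, "trans": 1}
        else:
            m = merged[key]
            m["stime"] = min(m["stime"], stime)
            m["ltime"] = max(m["ltime"], ltime)
            m["pkts"] += pkts
            m["bytes"] += byts
            m["trans"] += 1
    out = []
    for key, m in merged.items():
        row = dict(zip(key_fields, key))
        row.update(m)
        row["dur"] = round(m["ltime"] - m["stime"], 6)
        out.append(row)
    return out


def to_csv(rows, key_fields):
    """Print the clustered rows in the same comma-separated shape ra uses."""
    cols = list(key_fields) + ["stime", "dur", "trans", "pkts", "bytes"]
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(cols)
    for r in rows:
        w.writerow([r[c] for c in cols])
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_ra_csv(SAMPLE_CSV)
    # Equivalent in spirit to: racluster -m saddr daddr -s stime dur saddr daddr trans pkts bytes
    print(to_csv(cluster(recs, ["SrcAddr", "DstAddr"]), ["SrcAddr", "DstAddr"]))
    # Equivalent in spirit to clustering on the inserted label (e.g. -m sco dco after ralabel)
    print(to_csv(cluster(recs, ["Label"]), ["Label"]))
```

Run it and compare the two outputs with the four input rows: the first folds the two 10.0.0.5 to 192.0.2.10 flows into one record with trans 2, the second folds by label instead. Swapping the key list is exactly what changing the "-m" fields does in racluster, which is the quickest way to see why "-m proto sport dport saddr daddr" (the default five-tuple) leaves most records unmerged while a coarser key such as "-m matrix/24" collapses many of them.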
