Time window issue

Rahimeh Khodadadi rahimeh.khodadadi at gmail.com
Thu Jun 13 11:14:13 EDT 2013


Thanks Carter, my goal is to use racluster and rabins to read my data, then
classify by time window of 5m.
But in these output files I didn't see this feature, in which IP addresses with all
features like port, dur, .... are grouped in a label. For example, all IP
addresses whose times are within 1-5 are grouped in a label.  I want to create a
flow of traffic. Is there any other work to do?

Thanks


On Wed, Jun 12, 2013 at 5:02 PM, Rahimeh Khodadadi <
rahimeh.khodadadi at gmail.com> wrote:

> Thanks Carter, my goal is to use racluster and rabins to read my data, then
> classify by time window of 5m.
> But in these output files I didn't see this feature, in which IP addresses with all
> features like port, dur, .... are grouped in a label. For example, all IP
> addresses whose times are within 1-5 are grouped in a label.  I want to create a
> flow of traffic. Is there any other work to do?
>
> Thanks
>
>
> On Wed, Jun 12, 2013 at 4:36 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> The " -w file " writes a binary file that can be read by the argus client
>> programs.
>>
>>    ra -r argus.csv
>>
>> When rabins() reads records from a file, you don't need the "-B 10s"
>> option.
>> The " -m proto sport dport saddr daddr " is the default, so this is not
>> needed.
>>
>> Your second example has many many errors.
>> For racluster() there are no " -T "," -B ", or " -W " options.
>> Your ralabel() command is reading from a file, so the racluster() isn't
>> doing anything.
>> Using " + " in the "-M dsrs=" option doesn't do anything, and in your " -s
>> fields " option
>> you probably don't want the +'s.  You insert a label with ralabel(), but
>> you don't print it?
>> Why not try something simple first and then build up?
>>
>>    ra -r /usr/argus/data/argus.out
>>    ra -r /usr/argus/data/argus.out -w - | ra
>>
>>    racluster -r /usr/argus/data/argus.out
>>    racluster -r /usr/argus/data/argus.out -w - | ra -s +sco +dco -c ,
>>
>> This will let you see how the pipes work with binary data.
>>
>> Use some temporary files to make it manageable at first....
>>
>>    ralabel -r /usr/argus/data/argus.out -f /usr/local/argus/ralabel.conf
>>  -w /tmp/argus.label.out
>>
>>    ra -r /tmp/argus.label.out -s stime dur saddr sport dir daddr dport
>> pkts label
>>
>> Try something like this
>>    racluster -r /tmp/argus.label.out -m sco dco -s stime dur sco dir dco
>> pkts bytes
>>    racluster -r /tmp/argus.label.out -m matrix/24 -s stime dur saddr dir
>> daddr trans pkts bytes
>>
>> So you can see how racluster() works.
>> If you want a csv,
>>
>>    ra -r /tmp/argus.label.out -s +label -c,
>>
>> Play with it for a while to see what each program does, and see what the
>> fields do.
>> Then, you can quickly move to printing out many fields etc.....
>>
>> Carter
>>
>>
>> On Jun 12, 2013, at 2:08 AM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>>
>> Hi Carter,
>>
>> Thanks for your quick reply. I followed your advice, but when I open the file
>> to read it, it is not clear as UTF-8; I attached the file. My command is:
>>
>>   rabins  -M time 5m  -B 10s -m proto sport dport saddr daddr -r
>> /usr/argus/data/argus.out -w argus.csv
>>
>> and if I use the command as below, it does work; note that I changed "ARGUS_FLOW_STATUS_INTERVAL=300",
>> but the features of the output file are replicated, I attached it to the mail
>> too:
>>
>> racluster  -T 300 -B 10 -p 3 -u -Z b -W -| /usr/local/bin/ralabel -r
>> /usr/argus/data/argus.out - -f /usr/local/argus/ralabel.conf -c "," -M
>> dsrs=+metric,+agr,+psize,+cocode -n -p 3 -u -Z b -s
>> "+ltime,+stime,+trans,+dur,+mean,+sco,+dco,+pkts,+spkts,+dpkts,+bytes" >
>> racluster.csv
>>
>> Please help!!!
>>
>> Thanks in advance,
>> Rahimeh
>>
>>  <racluster.csv><argus.csv>
>>
>>
>>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>
>


-- 
With Best Regards
Rahimeh Khodadadi
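The grouping Rahimeh describes, every flow whose start time falls in the same 5-minute window collected under one label per source address, is easy to see in plain code once the binary argus data has been turned into CSV with `ra -c ,`, as Carter suggests. The following is an added example written for this thread, not argus code and not anything the argus project ships. It assumes `ra` was run with `-u` so that `stime` is printed as Unix epoch seconds, and the CSV lines are constructed here rather than taken from the attachments:

```python
"""Group argus flow records (CSV from `ra -c ,`) into fixed 5-minute time windows.

Added example for this thread; it is not part of argus. It assumes ra was run as
    ra -u -r argus.out -s stime dur saddr sport dir daddr dport pkts bytes -c ,
so that stime is epoch seconds (the -u assumption).
"""
import csv
import io
from collections import defaultdict

WINDOW_SECONDS = 300  # 5 minutes, the same width as rabins "-M time 5m"

# Constructed sample records in the column order named above.
SAMPLE_CSV = """\
stime,dur,saddr,sport,dir,daddr,dport,pkts,bytes
1371114000.120000,0.431,10.0.0.5,51234,->,192.0.2.10,80,12,3456
1371114050.500000,1.200,10.0.0.5,51235,->,192.0.2.11,443,30,9000
1371114200.000000,0.050,10.0.0.7,40000,->,192.0.2.10,53,2,180
1371114310.250000,0.300,10.0.0.5,51236,->,192.0.2.12,80,8,2100
1371114599.999000,5.000,10.0.0.7,40001,->,192.0.2.10,22,100,48000
"""


def window_start(stime: float, width: int = WINDOW_SECONDS) -> int:
    """Epoch second at which the window containing stime begins."""
    return int(stime // width) * width


def bin_flows(csv_text: str, width: int = WINDOW_SECONDS) -> dict:
    """Group flows by (window_start, saddr) and aggregate counters per group.

    A flow is assigned by its start time only; a long flow that crosses a
    window boundary is not split the way rabins does with binary records.
    """
    groups = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0, "daddrs": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (window_start(float(row["stime"]), width), row["saddr"])
        g = groups[key]
        g["flows"] += 1
        g["pkts"] += int(row["pkts"])
        g["bytes"] += int(row["bytes"])
        g["daddrs"].add(row["daddr"])
    return dict(groups)


def label_windows(groups: dict, width: int = WINDOW_SECONDS) -> list:
    """One tuple per (window, saddr) group, carrying a label such as
    'w1371114000-1371114300' plus flow count, pkts, bytes and distinct daddr count."""
    rows = []
    for (start, saddr), g in sorted(groups.items()):
        label = f"w{start}-{start + width}"
        rows.append((label, saddr, g["flows"], g["pkts"], g["bytes"], len(g["daddrs"])))
    return rows


if __name__ == "__main__":
    for row in label_windows(bin_flows(SAMPLE_CSV)):
        print(*row, sep=",")
```

Running it prints one CSV line per window and source address, which is the "grouped in a label" view asked for above. The comment in `bin_flows` is the important caveat: this assigns a flow to the window in which it started, whereas `rabins` works on the binary records and splits a flow's metrics across the windows it spans, which is why Carter suggests feeding binary data (`-w -`) between the argus programs and only converting to CSV at the end.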