Time window issue

Rahimeh Khodadadi rahimeh.khodadadi at gmail.com
Thu Jun 13 11:29:42 EDT 2013


Hi Carter,

I want to classify my data with a time window, but in the output of racluster or
rabins there is one IP address for every time label.
I mean that some IP addresses, with all their features, whose arrival times
are within 1-5s should be grouped in one cluster, and another group of IP addresses whose
stimes are in 5-10s should be the second cluster.


On Thu, Jun 13, 2013 at 7:52 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Rahimeh,
> Sorry that English makes this difficult.
>
> What label do you want to use ?
> What do you want the output to look like?
>
> Carter
>
>
> On Jun 13, 2013, at 11:14 AM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
>
> Thanks Carter, my goal is to use racluster, rabins to read my data, then
> classify by time window with 5m.
> But in these output files I didn't see this feature, where an IP address with all
> features like port, dur, .... is grouped under a label. For example, all IP
> addresses whose times are within 1-5 are grouped under a label.  I want to create a
> flow of traffic. Is there any other work to do?
>
> Thanks
>
>
> On Wed, Jun 12, 2013 at 5:02 PM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
>
>> Thanks Carter, my goal is to use racluster, rabins to read my data, then
>> classify by time window with 5m.
>> But in these output files I didn't see this feature, where an IP address with all
>> features like port, dur, .... is grouped under a label. For example, all IP
>> addresses whose times are within 1-5 are grouped under a label.  I want to create a
>> flow of traffic. Is there any other work to do?
>>
>> Thanks
>>
>>
>> On Wed, Jun 12, 2013 at 4:36 PM, Carter Bullard <carter at qosient.com> wrote:
>>
>>> The " -w file " writes a binary file that can be read by the argus
>>> client programs.
>>>
>>>    ra -r argus.csv
>>>
>>> When rabins() reads records from a file, you don't need the "-B 10s"
>>> option.
>>> The " -m proto sport dport saddr daddr " is the default, so this is not
>>> needed.
>>>
>>> Your second example has many many errors.
>>> For racluster() there are no " -T "," -B ", or " -W " options.
>>> Your ralabel() command is reading from a file, so the racluster() isn't
>>> doing anything.
>>> Using " + " in the "-M dsrs=" option doesn't do anything, and in your " -s
>>> fields " option you probably don't want the +'s.  You insert a label with ralabel(), but
>>> you don't print it?
>>> Why not try something simple first and then build up?
>>>
>>>    ra -r /usr/argus/data/argus.out
>>>    ra -r /usr/argus/data/argus.out -w - | ra
>>>
>>>    racluster -r /usr/argus/data/argus.out
>>>    racluster -r /usr/argus/data/argus.out -w - | ra -s +sco +dco -c ,
>>>
>>> This will let you see how the pipes work with binary data.
>>>
>>> Use some temporary files to make it manageable at first....
>>>
>>>    ralabel -r /usr/argus/data/argus.out -f /usr/local/argus/ralabel.conf -w /tmp/argus.label.out
>>>
>>>    ra -r /tmp/argus.label.out -s stime dur saddr sport dir daddr dport pkts label
>>>
>>> Try something like this
>>>    racluster -r /tmp/argus.label.out -m sco dco -s stime dur sco dir dco pkts bytes
>>>    racluster -r /tmp/argus.label.out -m matrix/24 -s stime dur saddr dir daddr trans pkts bytes
>>>
>>> So you can see how racluster() works.
>>> If you want a csv,
>>>
>>>    ra -r /tmp/argus.label.out -s +label -c,
>>>
>>> Play with it for a while to see what each program does, and see what the
>>> fields do.
>>> Then, you can quickly move to printing out many fields etc.....
>>>
>>> Carter
>>>
>>>
>>> On Jun 12, 2013, at 2:08 AM, Rahimeh Khodadadi <
>>> rahimeh.khodadadi at gmail.com> wrote:
>>>
>>> Hi Carter,
>>>
>>> Thanks for your quick reply. I followed your advice, but when I open the file
>>> to read it, it is not clear in UTF-8; I attached the file. My command is:
>>>
>>>   rabins -M time 5m -B 10s -m proto sport dport saddr daddr -r /usr/argus/data/argus.out -w argus.csv
>>>
>>> and if I use the command below, it does work; note that I changed "ARGUS_FLOW_STATUS_INTERVAL=300",
>>> but the features of the output file are replicated. I attached it to the mail
>>> too:
>>>
>>> racluster  -T 300 -B 10 -p 3 -u -Z b -W -| /usr/local/bin/ralabel -r
>>> /usr/argus/data/argus.out - -f /usr/local/argus/ralabel.conf -c "," -M
>>> dsrs=+metric,+agr,+psize,+cocode -n -p 3 -u -Z b -s
>>> "+ltime,+stime,+trans,+dur,+mean,+sco,+dco,+pkts,+spkts,+dpkts,+bytes" >
>>> racluster.csv
>>>
>>> Please help!!!
>>>
>>> Thanks in advance,
>>> Rahimeh
>>>
>>>
>>>
>>>
>>
>>
>> --
>> With Best Regards
>> Rahimeh Khodadadi
>>
>>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>
>
>


-- 
With Best Regards
Rahimeh Khodadadi
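What the thread is asking for (bin flow records into fixed time windows, then aggregate per source address within each window) is what `rabins -M time <w>` piped into `racluster -m saddr` does. As an added illustration, not argus code and not from either poster, the Python below does the same grouping over a constructed CSV in the field order `ra -s stime dur saddr sport dir daddr dport pkts bytes -c ,` would print; the addresses, times and counters are made up, and stime is a relative offset in seconds rather than an epoch timestamp.

```python
import csv
import io
from collections import defaultdict

# Constructed sample output (hypothetical values) in the layout of
# "ra -s stime dur saddr sport dir daddr dport pkts bytes -c ,".
SAMPLE_CSV = """stime,dur,saddr,sport,dir,daddr,dport,pkts,bytes
0.5,1.2,10.0.0.1,40001,->,10.0.0.9,80,10,1500
2.0,0.4,10.0.0.2,40002,->,10.0.0.9,443,4,600
4.9,0.1,10.0.0.1,40003,->,10.0.0.9,80,2,200
5.0,2.0,10.0.0.3,40004,->,10.0.0.9,53,1,80
7.3,0.2,10.0.0.1,40005,->,10.0.0.9,80,6,900
9.99,0.1,10.0.0.2,40006,->,10.0.0.9,443,3,400
"""


def bin_flows(csv_text, window_s=5.0, key_fields=("saddr",)):
    """Group records into fixed windows of window_s seconds by stime, then
    aggregate flows/pkts/bytes per key inside each window (the effect of
    rabins -M time <w> followed by racluster -m <key>).
    Returns {window_index: {key_tuple: {"flows", "pkts", "bytes"}}}.
    Simplification: a record is counted only in the window its stime falls
    in; rabins would split a flow whose duration crosses a boundary."""
    bins = defaultdict(lambda: defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0}))
    for row in csv.DictReader(io.StringIO(csv_text)):
        window = int(float(row["stime"]) // window_s)  # 0 -> [0,5), 1 -> [5,10), ...
        key = tuple(row[f] for f in key_fields)
        agg = bins[window][key]
        agg["flows"] += 1
        agg["pkts"] += int(row["pkts"])
        agg["bytes"] += int(row["bytes"])
    return {w: dict(groups) for w, groups in bins.items()}


def window_label(window, window_s=5.0):
    """Readable label for a window index, e.g. window 1 -> '5-10s'."""
    start = window * window_s
    return f"{start:g}-{start + window_s:g}s"


if __name__ == "__main__":
    for w, groups in sorted(bin_flows(SAMPLE_CSV).items()):
        for key, agg in sorted(groups.items()):
            print(window_label(w), key[0], agg)
```

Passing `key_fields=("saddr", "dport")` groups by address and destination port instead, the same way adding fields to `-m` changes what racluster merges.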