Time window issue

Rahimeh Khodadadi rahimeh.khodadadi at gmail.com
Thu Jun 13 13:41:18 EDT 2013


Thanks Carter for your reply.


On Thu, Jun 13, 2013 at 8:29 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Rahimeh,
> You are interested in classifying flows based on transaction duration?
>
> Labels are not needed, but to label flows based on transaction duration
> using radium() or ralabel(), use this type of label configuration.
> Assuming that your argus will be using ARGUS_FAR_STATUS_INTERVAL=300,
>
> ralabel -r data -f /path/to/ralabel.conf -s +label
>
>
> /path/to/ralabel.conf
>
> RALABEL_ARGUS_FLOW=yes
> RALABEL_ARGUS_FLOW_FILE="/path/to/duration.classifier.labels"
>
>
> /path/to/duration.classifier.labels
>
> filter="dur lt 1"               label="Fast"
> filter="dur gte   1 and lt   5" label="notSoFast"
> filter="dur gte   5 and lt  10" label="notNearlyAsFast"
> filter="dur gte  10 and lt  30" label="notFastAtAll"
> filter="dur gte  30 and lt  60" label="Slow"
> filter="dur gte  60 and lt 120" label="Slower"
> filter="dur gte 120 and lt 300" label="Slowest"
>
> The label will be in the form of "flow=value".  You may need to have lots
> of different types of labels…  ARP, for instance, is not fast unless it's
> less than 0.000050 (50 microsecs).  So something like this can work:
>
> filter="arp and dur lt 0.000050" label="Fast"
> filter="tcp and dur lt 0.75"     label="Fast"
> .
> .
> .
>
> If you want to analyze your data for transaction duration, use rahisto()
>
>    rahisto -H dur 20:0-300 -r data
>
> That will give you the frequency distribution of the duration
> times of your flow records.
>
> You can use filters on any of these commands to pick the traffic of
> interest; " arp ", " tcp " or " dst net 1.2.3.0/24 " can be useful.
>
> Carter
>
>
>
> On Jun 13, 2013, at 11:29 AM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
>
> Hi carter,
>
> I want to classify my data by time window, but in the output of racluster or
> rabins, for every time label there is one IP address.
> I mean that some IP addresses, with all their features, whose arrival times
> are within 1-5 should be grouped in one cluster, and another group of IP addresses
> whose stimes are in 5-10s should be the second cluster.
>
>
> On Thu, Jun 13, 2013 at 7:52 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> Hey Rahimeh,
>> Sorry that english makes this difficult.
>>
>> What label do you want to use ?
>> What do you want the output to look like?
>>
>> Carter
>>
>>
>> On Jun 13, 2013, at 11:14 AM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>>
>> Thanks Carter, my goal is to use racluster and rabins to read my data, then
>> classify by time window with 5m.
>> But in these output files I didn't see this feature, where an IP address with all
>> its features like port, dur, .... is grouped under a label. For example, all IP
>> addresses whose times are within 1-5 are grouped under a label.  I want to create a
>> flow of traffic. Is there any other way to do this?
>>
>> Thanks
>>
>>
>> On Wed, Jun 12, 2013 at 5:02 PM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>>
>>> Thanks Carter, my goal is to use racluster and rabins to read my data, then
>>> classify by time window with 5m.
>>> But in these output files I didn't see this feature, where an IP address with all
>>> its features like port, dur, .... is grouped under a label. For example, all IP
>>> addresses whose times are within 1-5 are grouped under a label.  I want to create a
>>> flow of traffic. Is there any other way to do this?
>>>
>>> Thanks
>>>
>>>
>>> On Wed, Jun 12, 2013 at 4:36 PM, Carter Bullard <carter at qosient.com> wrote:
>>>
>>>> The " -w file " writes a binary file that can be read by the argus
>>>> client programs.
>>>>
>>>>    ra -r argus.csv
>>>>
>>>> When rabins() reads records from a file, you don't need the "-B 10s"
>>>> option.
>>>> The " -m proto sport dport saddr daddr " is the default, so this is not
>>>> needed.
>>>>
>>>> Your second example has many many errors.
>>>> For racluster() there are no " -T "," -B ", or " -W " options.
>>>> Your ralabel() command is reading from a file, so the racluster() isn't
>>>> doing anything.
>>>> Using " + " in the "-M dsrs=" option doesn't do anything, and your " -s
>>>> fields " option
>>>> you probably don't want the +'s.  You insert a label with ralabel(),
>>>> but you don't print it?
>>>> Why not try something simple first and then build up?
>>>>
>>>>    ra -r /usr/argus/data/argus.out
>>>>    ra -r /usr/argus/data/argus.out -w - | ra
>>>>
>>>>    racluster -r /usr/argus/data/argus.out
>>>>    racluster -r /usr/argus/data/argus.out -w - | ra -s +sco +dco -c ,
>>>>
>>>> This will let you see how the pipes work with binary data.
>>>>
>>>> Use some temporary files to make it manageable at first....
>>>>
>>>>    ralabel -r /usr/argus/data/argus.out -f
>>>> /usr/local/argus/ralabel.conf  -w /tmp/argus.label.out
>>>>
>>>>    ra -r /tmp/argus.label.out -s stime dur saddr sport dir daddr dport
>>>> pkts label
>>>>
>>>> Try something like this
>>>>    racluster -r /tmp/argus.label.out -m sco dco -s stime dur sco dir
>>>> dco pkts bytes
>>>>    racluster -r /tmp/argus.label.out -m matrix/24 -s stime dur saddr
>>>> dir daddr trans pkts bytes
>>>>
>>>> So you can see how racluster() works.
>>>> If you want a csv,
>>>>
>>>>    ra -r /tmp/argus.label.out -s +label -c,
>>>>
>>>> Play with it for a while to see what each program does, and see what
>>>> the fields do.
>>>> Then, you can quickly move to printing out many fields etc.....
>>>>
>>>> Carter
>>>>
>>>>
>>>> On Jun 12, 2013, at 2:08 AM, Rahimeh Khodadadi <
>>>> rahimeh.khodadadi at gmail.com> wrote:
>>>>
>>>> Hi Carter,
>>>>
>>>> Thanks for your quick reply. I followed your advice, but when I open the
>>>> file to read it, it is not clear as UTF-8. I attached the file. My command
>>>> is:
>>>>
>>>>   rabins  -M time 5m  -B 10s -m proto sport dport saddr daddr -r
>>>> /usr/argus/data/argus.out -w argus.csv
>>>>
>>>> and if I use the command as below, it does work (note that I changed "ARGUS_FLOW_STATUS_INTERVAL=300"),
>>>> but the features of the output file are replicated; I attached it to the mail
>>>> too:
>>>>
>>>> racluster  -T 300 -B 10 -p 3 -u -Z b -W -| /usr/local/bin/ralabel -r
>>>> /usr/argus/data/argus.out - -f /usr/local/argus/ralabel.conf -c "," -M
>>>> dsrs=+metric,+agr,+psize,+cocode -n -p 3 -u -Z b -s
>>>> "+ltime,+stime,+trans,+dur,+mean,+sco,+dco,+pkts,+spkts,+dpkts,+bytes" >
>>>> racluster.csv
>>>>
>>>> Please help!!!
>>>>
>>>> Thanks in advance,
>>>> Rahimeh
>>>>
>>>>  <racluster.csv><argus.csv>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> With Best Regards
>>> Rahimeh Khodadadi
>>>
>>>
>>
>>
>> --
>> With Best Regards
>> Rahimeh Khodadadi
>>
>>
>>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>
>
>


-- 
With Best Regards
Rahimeh Khodadadi
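As an added example (not from this thread or the argus project), the Python script below emulates the duration classifier Carter describes: it parses the `filter="..." label="..."` file, labels a flow in the `flow=value` form with the first matching rule (first-match ordering is an assumption about ralabel), and checks the 0-300 s status-interval range for durations no rule covers.

```python
import re
# Constructed copy of the duration classifier quoted above, plus the arp rule
LABELS_CONF = '''
filter="arp and dur lt 0.000050" label="Fast"
filter="dur lt 1"               label="Fast"
filter="dur gte   1 and lt   5" label="notSoFast"
filter="dur gte   5 and lt  10" label="notNearlyAsFast"
filter="dur gte  10 and lt  30" label="notFastAtAll"
filter="dur gte  30 and lt  60" label="Slow"
filter="dur gte  60 and lt 120" label="Slower"
filter="dur gte 120 and lt 300" label="Slowest"
'''
OPS = {"lt": lambda a, b: a < b, "lte": lambda a, b: a <= b, "eq": lambda a, b: a == b,
       "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b}
RULE_RE = re.compile(r'filter="([^"]*)"\s+label="([^"]*)"')

def parse_rules(text):
    """Return [(filter_expr, label)] in file order."""
    return [(m.group(1).strip(), m.group(2)) for m in RULE_RE.finditer(text)]

def matches(expr, flow):
    """Evaluate a filter such as 'tcp and dur gte 1 and lt 5' against a flow dict.
    A bare '<op> <n>' clause continues the preceding field comparison."""
    field = None
    for clause in expr.split(" and "):
        tok = clause.split()
        if len(tok) == 1:                     # protocol clause such as 'arp'
            if flow["proto"] != tok[0]:
                return False
            continue
        if len(tok) == 3:                     # 'dur gte 1'
            field, op, val = tok
        else:                                 # 'lt 5', still comparing 'dur'
            op, val = tok
        if field is None or not OPS[op](flow[field], float(val)):
            return False
    return True

def label_flow(rules, flow):
    """First matching rule wins (assumed ralabel ordering); label reads 'flow=<name>'."""
    for expr, name in rules:
        if matches(expr, flow):
            return "flow=" + name
    return None

def unlabelled_durations(rules, step=0.5, limit=300.0):
    """Durations in [0, limit) that no rule covers; a check to run before deploying."""
    return [i * step for i in range(int(limit / step))
            if label_flow(rules, {"proto": "udp", "dur": i * step}) is None]
```

Under first-match ordering the generic `dur lt 1` rule still labels an ARP flow of 0.0001 s as Fast, so protocol-specific thresholds only take effect if the generic rules exclude those protocols. A flow with dur of exactly 300 gets no label, matching the status interval boundary.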