Argus conversion v2 to v3?

unFrigidaire Américain frigidaire.americain at gmail.com
Tue Jun 25 11:30:42 EDT 2013


Hello Carter,

On Tue, Jun 25, 2013 at 4:58 PM, Carter Bullard <carter at qosient.com> wrote:
>
> So, need to see the file to debug.  Can you share the file?  If you
> don't want to email it, you can ftp it up to the blind repository
> ftp://qosient.com/incoming.  Any file that shows the same behavior
> would be great...
>


Thanks for your help, Carter!
I generated an anonymized dump and uploaded it on your FTP server.


> You have a problem with your call to ra() when trying to use raconvert().
> The start time field is "stime". You should provide enough fields
> so raconvert() can generate the start and stop times properly, and generate
> the basic metrics. Be sure and add the "ltime" or "dur", and also provide
> spkts, dpkts, sbytes and dbytes fields, so that we have all the basic
> bi-directional flow metrics.  We don't have a pkts or bytes field in
> argus records, we have src and dst packets and bytes.
>
> Also, the argus.ascii output needs to be comma separated.
>
>
>   $ ./2.0.6/bin/ra -c, -unns stime dur flgs proto saddr sport dir daddr
> dport \
>      state spkts dpkts sbytes dbytes status -r argus.log > argus.ascii
>   $ ./3.0.6/bin/raconvert -r argus.ascii
>
> Is that better?
>


Unfortunately, ra 2.x supports neither these field names nor the -c option.

$ ra --version
Ra Version 2.0.6.fixes.1
  ...
         -s [-][+[#]]field  specify fields to print.
                   fields:  startime, lasttime, count, dur, avgdur,
                            saddr, daddr, proto, sport, dport, ipid,
                            stos, dtos, sttl, dttl, bytes, sbytes, dbytes,
                            pkts, spkts, dpkts, load, loss, rate,
                            srcid, ind, mac, dir, jitter, status, user,
                            win, trans, seq, vlan, mpls.
  ...
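As an added example (not code from this thread or from the argus project), here is a small Python converter for the gap described above: it reads the fixed-width output of a 2.x `ra -s startime lasttime ...` run, renames the 2.x field names to the 3.x ones Carter lists (startime to stime, lasttime to ltime), and emits the comma-separated lines that raconvert expects. It assumes the 2.x layout is right-aligned with one space between columns, that raconvert accepts a comma-separated field-name header line, and that the sample records and column widths are constructed.

```python
import re

# ra 2.x names (from its -s usage text) that argus 3.x spells differently.
# Assumption: only the time fields need renaming; the others already match.
V2_TO_V3 = {"startime": "stime", "lasttime": "ltime"}

def column_cuts(lines):
    """Offsets where each fixed-width column ends: between two header labels, the
    first offset at or after the left label's end that is blank in every line.
    Assumption: ra keeps each value inside its column, one space between columns."""
    labels = [(m.start(), m.end()) for m in re.finditer(r"\S+", lines[0])]
    cuts = []
    for (_, left_end), (right_start, _) in zip(labels, labels[1:]):
        blank = [p for p in range(left_end, right_start)
                 if all(line[p:p + 1] in ("", " ") for line in lines)]
        if not blank:
            raise ValueError(f"rows not aligned between offsets {left_end}-{right_start}")
        cuts.append(blank[0])
    return cuts

def convert(v2_text, v2_fields):
    """CSV lines: a 3.x field-name header, then one line per flow record. v2_fields
    is the `ra -s` list, in order, since raconvert() wants names, not labels."""
    lines = [line for line in v2_text.splitlines() if line.strip()]
    cuts = column_cuts(lines)
    if len(cuts) + 1 != len(v2_fields):
        raise ValueError(f"found {len(cuts) + 1} columns, expected {len(v2_fields)}")
    spans = list(zip([0] + cuts, cuts + [None]))
    out = [",".join(V2_TO_V3.get(f, f) for f in v2_fields)]
    for row in lines[1:]:
        cells = [row[a:b].strip() for a, b in spans]
        if any("," in c for c in cells):
            raise ValueError(f"comma inside a value would break the CSV: {row!r}")
        out.append(",".join(cells))
    return out

# Constructed sample in the right-aligned, space-separated layout assumed above (widths
# made up); the ICMP record has blank port columns that a whitespace split would drop.
V2_FIELDS = "startime lasttime dur proto saddr sport dir daddr dport spkts dpkts sbytes dbytes status".split()
_WIDTHS = [18, 18, 7, 5, 15, 5, 3, 15, 5, 7, 7, 8, 8, 5]
_ROWS = [
    "StartTime LastTime Dur Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State".split(),
    ["25 Jun 13 11:30:42", "25 Jun 13 11:30:43", "1.000", "tcp", "192.0.2.10",
     "51234", "->", "198.51.100.5", "443", "12", "10", "1460", "4210", "CON"],
    ["25 Jun 13 11:30:44", "25 Jun 13 11:30:44", "0.000", "icmp", "192.0.2.77",
     "", "->", "198.51.100.9", "", "1", "0", "98", "0", "ECO"],
]
V2_SAMPLE = "\n".join(" ".join(c.rjust(w) for c, w in zip(r, _WIDTHS)) for r in _ROWS)
```

Write the lines returned by convert() to argus.ascii and feed that to `raconvert -r argus.ascii` as in Carter's command; the column-count and comma checks stop a misaligned or unexpected dump from silently producing shifted records.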