Argus conversion v2 to v3?

Carter Bullard carter at qosient.com
Tue Jun 25 12:29:40 EDT 2013 

Hey unFrigidaire Américain,
I could not read the file using argus-clients-2.0.6.fixes.1 ra().
The first record says its from argus-v1.33, is that reasonable?
Can you upload you're original file?

Wow, its been so long since I used v2 !!!!!
Indeed, it is 'startime', and our ltime was 'lasttime'.  All the
other fields are correct.

Set variables in a rarc file to print your fields and to generate csv files.

---- begin /tmp/rarc ----

RA_FIELD_DELIMITER=','
RA_FIELD_SPECIFIER="startime dur ind proto saddr sport dir daddr dport spkts dpkts sbytes dbytes status"

---- end /tmp/rarc ----

Then this should work.

  $ ./2.0.6/bin/ra -F /tmp/rarc -unnr argus.log > argus.ascii
  $ ./3.0.6/bin/raconvert -r argus.ascii
> 



Carter




On Jun 25, 2013, at 11:30 AM, unFrigidaire Américain <frigidaire.americain at gmail.com> wrote:

> 
> Hello Carter,
> 
> On Tue, Jun 25, 2013 at 4:58 PM, Carter Bullard <carter at qosient.com> wrote:
> So, need to see the file to debug.  Can you share the file?  If you
> don't want to email it, you can ftp it up to the blind repository
> ftp://qosient.com/incoming.  Any file that shows the same behavior
> would be great...
> 
> 
> Thanks for you help Carter!
> I generated an anonymized dump and uploaded it on your FTP server.
>  
> You have a problem with your call to ra() when trying to use raconvert().
> The start time field is "stime".   You should provide enough fields
> so raconvert() can generate the start and stop times properly, and generate
> the basic metrics. Be sure and add the "ltime" or "dur", and also provide
> spkts, dpkts, sbytes and dbytes fields, so that we have all the basic
> bi-directional flow metrics.  We don't have a pkts or bytes field in
> argus records, we have src and dst packets and bytes.
> 
> Also, the argus.ascii output needs to be comma separated.
> 
> 
>   $ ./2.0.6/bin/ra -c, -unns stime dur flgs proto saddr sport dir daddr dport \
>      state spkts dpkts sbytes dbytes status -r argus.log > argus.ascii
>   $ ./3.0.6/bin/raconvert -r argus.ascii
> 
> Is that better?
> 
> 
> Unfortunately, ra 2.x neither supports these field names, nor the -c option.
> 
> $ ra --version
> Ra Version 2.0.6.fixes.1
>   ...
>          -s [-][+[#]]field  specify fields to print.
>                    fields:  startime, lasttime, count, dur, avgdur,
>                             saddr, daddr, proto, sport, dport, ipid,
>                             stos, dtos, sttl, dttl, bytes, sbytes, dbytes,
>                             pkts, spkts, dpkts, load, loss, rate,
>                             srcid, ind, mac, dir, jitter, status, user,
>                             win, trans, seq, vlan, mpls.
>   ...
> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130625/f97b1597/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130625/f97b1597/attachment.bin>

More information about the argus mailing list