Argus conversion v2 to v3?

Carter Bullard carter at qosient.com
Tue Jun 25 12:59:56 EDT 2013 

Hmmmm,
The first line has to contain the column labels. Thats how we know how to decode the fields.
Without those explicit labels, raconvert() will use its own default list of fields.
You can fix that by declaring what the fields are suppose to be on the command line.

   $ ./3.0.6/bin/raconvert -r argus.ascii -s stime dur flgs proto saddr sport dir daddr dport spkts dpkts sbytes dbytes status

To get the label into your 2.x argus output, add this to the /tmp/rarc file:

RA_PRINT_LABELS=0

Carter 


On Jun 25, 2013, at 12:52 PM, unFrigidaire Américain <frigidaire.americain at gmail.com> wrote:

>> Set variables in a rarc file to print your fields and to generate csv files.
>> ../..
>> Then this should work.
>> 
>>>  $ ./2.0.6/bin/ra -F /tmp/rarc -unnr argus.log > argus.ascii
>>>  $ ./3.0.6/bin/raconvert -r argus.ascii
> 
> raconvert's output does not look good :(
> 
>         StartTime      Flgs  Proto            SrcAddr  Sport   Dir
>        DstAddr  Dport  TotPkts   TotBytes State
>   00:36:48.000000
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   02:19:19.000048
>   ...
> 
> Even if the CSV export seems ok :
> 
> 1021395279.325940,0.031880,,man,1.0.1.1,v2.0,1,0,0,0,0,0,STA
> 1021395279.325940,0.031880,,man,1.0.1.1,v2.0,1,0,0,0,0,0,STA
> 1021395282.852700,32.054123,,17,1.0.1.1,44682,<->,1.0.2.1,123,2,2,180,180,CON
> 1021395279.435266,36.667449,,3452,0:15:2c:6e:b0:0,,<->,0:e0:f4:1b:b8:51,,183,114,20010,35332,CON
> 1021395287.682149,19.992290,,3686,0:1f:6d:17:b8:16,,->,0:1f:6d:17:b8:16,,3,0,180,0,INT
> 1021395280.604140,3.638318,,6,1.0.3.1,31537,->,1.0.1.1,443,22,20,2162,10140,RST
> 1021395288.440882,0.000000,,2054,1.0.1.2,,who-has,1.0.1.3,,1,0,60,0,INT
> 1021395299.349734,7.250045,,6,100.0.1.1,26430,->,1.0.1.1,80,50,49,7114,25639,CON
> 1021395292.904599,0.000000,,2054,1.0.1.2,,who-has,1.0.1.4,,1,0,60,0,INT
> 1021395285.320668,30.388476,,17,1.0.1.5,23075,->,224.0.1.1,55928,6,0,2019,0,CON
> 1021395280.615129,20.991186,,2054,1.0.1.2,,who-has,1.0.1.6,,3,0,180,0,INT
> 1021395305.525826,0.000000,,1,197.0.1.1,,->,1.0.1.1,,1,0,98,0,ECO
> 1021395280.652920,33.265715,,2054,1.0.1.2,,who-has,1.0.1.7,,5,0,300,0,INT
> 1021395310.903531,0.000337,,17,1.0.1.1,24130,<->,1.0.4.1,123,1,1,90,90,CON
> 1021395304.872697,0.026107,,17,1.0.1.1,30021,<->,1.0.5.1,123,1,1,90,90,CON
> 1021395280.229707,34.069973,,0,0:1f:6d:17:b8:16,0x42,->,1:80:c2:0:0:0,0x42,18,0,1080,0,INT
> 1021395280.380382,30.556078,,2054,1.0.1.2,,who-has,1.0.1.8,,6,0,360,0,INT
> 1021395290.867798,9.068694,,2054,1.0.1.2,,who-has,1.0.1.9,,2,0,120,0,INT
> 1021395280.308278,30.138182,,2054,1.0.1.2,,who-has,1.0.1.10,,6,0,360,0,INT
> 1021395308.736875,0.000000,,17,1.0.1.11,44893,->,224.0.0.2,60808,1,0,426,0,CON
> 1021395297.624495,7.133521,,2054,1.0.1.2,,who-has,1.0.1.12,,2,0,120,0,INT
> 1021395297.718750,1.402578,,6,1.0.6.1,50139,->,1.0.1.1,80,8,9,846,5183,FIN

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130625/160541a5/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130625/160541a5/attachment.bin>

More information about the argus mailing list