rastream 3.0.7.8, no suser duser

Carter Bullard carter at qosient.com
Tue May 14 12:09:49 EDT 2013


Hey Matt,
If your radump() is having problems, send me a small file that has the records
that it dumps on, so I can fix it.  Please send the command line options you're
using, so I can replicate the bug.

radump() will try to decode the contents of the user data buffers, like tcpdump()
decodes packet data, so you can figure out what protocols are running on a
given flow.  We support a good number of protocol decodes, but not all of them,
so you may be pushing an unknown protocol through radump() or you're not
capturing enough data to fully process a specific header type.

Not sure what radump() will do if there isn't user data to decode… It should be
fine…

Most people will just print out the contents using ra(), which will simply print
the contents out in ASCII.  Most are looking for URLs, DNS names, etc…
which are in ASCII.

Carter

On May 14, 2013, at 12:00 PM, Matt Brown <matthewbrown at gmail.com> wrote:

> Thanks Dave.
> 
> I found a thread where Carter suggested using radump to see suser and
> duser.  I can see some ARP contents, but radump quickly segfaults. Why
> is this?
> 
> I'm guessing rastream saves some amount of these fields by default?
> 
> I cannot see these field contents with ra or racluster.  Does this make sense?
> 
> 
> Thanks for the reply,
> 
> Matt
> 
> 
> On May 14, 2013, at 11:51 AM, Dave Edelman <dedelman at iname.com> wrote:
> 
>> You need to tell argus to collect that data with the -U nnn option where nnn
>> is the number of bytes of user data you want to keep for each flow.
>> 
>> --Dave
>> 
>>> -----Original Message-----
>>> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
>>> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
>>> On Behalf Of Matt Brown
>>> Sent: Tuesday, May 14, 2013 10:51 AM
>>> To: argus-info at lists.andrew.cmu.edu
>>> Subject: [ARGUS] rastream 3.0.7.8, no suser duser
>>> 
>>> Hello all/Carter,
>>> 
>>> I am using rastream to write argus data to files.
>>> 
>>> When I query these files using ra or racluster, suser and duser are
>>> not returning any data.
>>> 
>>> I'm guessing it isn't being written by rastream which has been started
>>> as follows:
>>> 
>>> rastream -S 127.0.0.1:561 -B 15s -M time 1h -w
>>> /var/opt/argus/%Y-%m-%d/argus_%T -f /usr/local/bin/rastream.sh
>>> 
>>> How do I use rastream to record N bytes of suser and duser?
>>> 
>>> 
>>> Thanks,
>>> 
>>> Matt
>> 
> 
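As an added example that is not part of this thread or of the argus tools, the script below does what Carter describes as the usual workflow: once the sensor keeps user data (-U nnn, or ARGUS_CAPTURE_DATA_LEN in argus.conf), it takes ra's printable suser/duser output and pulls out the URLs and DNS names in it. The input lines are constructed, and the s[N]="..." / d[N]="..." field layout is an assumption about ra's output, so adjust the regex to match your build.

```python
import re

# Constructed sample of ra output (saddr daddr suser duser); the s[N]="..." and
# d[N]="..." layout is assumed here, not taken from the thread. Non-printable
# bytes are shown as '.', and line 3 is what you get when the sensor never ran
# with -U nnn (or ARGUS_CAPTURE_DATA_LEN in argus.conf): empty buffers.
SAMPLE_RA_OUTPUT = """\
10.0.0.5 93.184.216.34 s[48]="GET /index.html HTTP/1.1..Host: www.example.com.." d[32]="HTTP/1.1 200 OK..Server: ECS.."
10.0.0.5 10.0.0.1 s[12]=".....www.exam" d[0]=""
10.0.0.7 198.51.100.9 s[0]="" d[0]=""
10.0.0.9 203.0.113.4 s[40]="GET http://www.example.org/a?b=1 HTTP/1.." d[0]=""
"""

USER_FIELD = re.compile(r'([sd])\[(\d+)\]="([^"]*)"')
URL = re.compile(r'https?://[A-Za-z0-9.-]+(?:/[^\s"]*)?')
HOST_HDR = re.compile(r'Host:\s*([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)')
# Dotted names not glued to a path or another word; a '.' before the name is
# allowed because ra's non-printable placeholder is '.', so names often follow one.
HOSTNAME = re.compile(r'(?<![\w/-])(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?![\w-])')


def parse_user_data(line):
    """Map side ('s' or 'd') to (captured_bytes, printable_text) for one ra line."""
    return {side: (int(n), text) for side, n, text in USER_FIELD.findall(line)}


def extract_indicators(text):
    """URLs, Host: headers and bare hostnames visible in one user-data buffer."""
    found = set(URL.findall(text))
    found.update(HOST_HDR.findall(text))
    found.update(HOSTNAME.findall(URL.sub(" ", text)))  # don't re-match URL hosts
    return found


def scan(ra_output):
    """Return [(saddr, daddr, sorted indicators)] for flows that carried user data.

    A name cut short (www.exam above) means the -U length was smaller than the
    payload: raise it on the sensor rather than trusting the partial string."""
    results = []
    for line in ra_output.splitlines():
        parts = line.split()
        fields = parse_user_data(line)
        if len(parts) < 2 or not fields or all(n == 0 for n, _ in fields.values()):
            continue  # no -U on the sensor, or the flow carried no payload
        indicators = set()
        for _, text in fields.values():
            indicators |= extract_indicators(text)
        results.append((parts[0], parts[1], sorted(indicators)))
    return results
```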
