rabins issues in 3.0.7.14

Carter Bullard carter at qosient.com
Tue Sep 3 07:45:49 EDT 2013


Hey Michael,
I wasn't worried about this until I read the manpage, since you can 
pipe rabins() output to rasplit() to get your end result.   The design 
of the program is in the manpage, so I'll put this support in this week.

Carter

On Aug 30, 2013, at 3:04 AM, Michael Sanderson <sanders at cs.ubc.ca> wrote:

> Thanks for taking a look at the code, Dave.  Looking through the argus-info archive on gmane.org, there is reference to this issue dating back to July 30 2012 (Craig Merchant posted a message with subject "Quick question or two about Argus"), so either the filename expansion was never implemented despite Carter's comments in a 2010 post or things disappeared along the way.
> 
> This isn't a big deal for me right now, as it isn't something I normally use.  I was just trying out some commands that I haven't been using in my normal usage of argus, and they didn't work as advertised in the manual pages.
> 
> That said, isn't rabins doing something more like an rasplit and then racluster?  If you cluster early, you risk losing the distribution of packets over time, particularly for long lived flows.
> 
>     Michael Sanderson
> 
> On 2013-08-29, at 7:31 PM, David Edelman <dedelman at iname.com> wrote:
> 
>> I looked at the source for rabins and I don't see where the per bin filename
>> would be created so in Carter's absence, I suggest that you fall back on the
>> fact that rabins is a combination of racluster and rasplit.
>> 
>> I did this and it seemed to work just fine:
>> 
>> racluster  -m matrix/24  -r * -w - - ipv4 | rasplit -M time hard  10m -w
>> "/tmp/archive/%Y/%m/%d/argus.%H.%M.%S"
>> 
>> --Dave
>> 
>> 
>> -----Original Message-----
>> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
>> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
>> Behalf Of Michael Sanderson
>> Sent: Thursday, August 29, 2013 3:38 PM
>> To: argus-info at lists.andrew.cmu.edu
>> Subject: [ARGUS] rabins issues in 3.0.7.14
>> 
>> The manual page for rabins suggests that it will append strftime() formatted
>> strings to the -w filename when using the time splitmode for -M.  This
>> doesn't appear to be the case in argus-clients 3.0.7.14 and appears to date
>> back to at least 3.0.7.6 .
>> 
>> Using the matrix example in the man page (rabins -r * -M hard time 5m -m
>> matrix -w "/matrix/%Y/%m/%d/argus.%H.%M.%S") adjusted for my paths generates
>> the following:
>> 
>> argus> rabins -r data.*.gz -M hard time 5m -m matrix -w
>> "matrix/%Y/%m/%d/argus.%H.%M.%S"
>> argus> ls -R matrix/
>> matrix/:
>> %Y/
>> 
>> matrix/%Y:
>> %m/
>> 
>> matrix/%Y/%m:
>> %d/
>> 
>> matrix/%Y/%m/%d:
>> argus.%H.%M.%S
>> 
>> 
>> The example 
>> 
>> argus> rabins -S localhost -m matrix/24 -B 5s -M hard time 10s -p0 -s
>> +1trans - ipv4
>> 
>> works great - you can see the 10s aggregation boundaries in its output.  But
>> trying to get it to write to file has the same issue as above.
>> 
>> argus> rabins -S localhost -m matrix -B 5s -M hard time 10s -p0 -w
>> bins.%H.%M.%S - ipv4
>> 
>> argus> ls bins*
>> bins.%H.%M.%S
>> 
>> 
>> Trying the other examples from the man page:
>> 
>> argus> rabins -r data.gz -M size 1m -s +1dur -m proto -w argus.out - ip
>> rabins[17371]: 12:23:19.853115 ArgusClientInit: no bin size specified
>> argus> rabins -r data.gz -M count 1k -m proto -s stime dur proto spkts dpkts
>> - ip
>> rabins[17377]: 12:24:16.421496 ArgusClientInit: no bin size specified
>> 
>> 
>> Using -M count 1000 and -M size 1000000 generate the same error.
>> 
>> Tested on two different versions of 64-bit OpenSuSE with the same results.
>> 
>>    Michael Sanderson
>> 
>> 
> 
> 
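Michael's report above describes what the manpage promises for `-M time hard` with a strftime() template in `-w`. As an added illustration (not argus-clients code), here is a small Python model of that expected behaviour: hard time bins, strftime expansion of the output path once per bin, and a long-lived flow apportioned across the bins it spans, which is the per-bin distribution Michael's reply warns about losing when you cluster first. The record fields, timestamps and the constant-packet-rate apportioning are constructed assumptions.

```python
import time
from collections import defaultdict

# Constructed sample flows (stime/ltime are POSIX seconds, UTC); not real argus output.
# 1377734400 is 2013-08-29 00:00:00 UTC.
BASE = 1377734400
SAMPLE_FLOWS = [
    {"saddr": "10.0.0.1", "stime": BASE + 60, "ltime": BASE + 120, "pkts": 100},   # inside one bin
    {"saddr": "10.0.0.2", "stime": BASE + 240, "ltime": BASE + 540, "pkts": 300},  # spans two bins
    {"saddr": "10.0.0.3", "stime": BASE + 310, "ltime": BASE + 310, "pkts": 1},    # single packet
]

def hard_bins(stime, ltime, bin_secs):
    """Yield (bin_start, seconds_of_overlap) for each hard bin a flow touches."""
    b = stime - (stime % bin_secs)
    while b < ltime:
        overlap = min(ltime, b + bin_secs) - max(stime, b)
        yield b, overlap
        b += bin_secs

def apportion(flow, bin_secs):
    """Distribute a flow's packet count over the bins it spans.
    Assumption: packets arrive at a constant rate over the flow's lifetime."""
    dur = flow["ltime"] - flow["stime"]
    if dur <= 0:  # zero-length flow: everything lands in the bin holding stime
        return {flow["stime"] - (flow["stime"] % bin_secs): float(flow["pkts"])}
    return {b: flow["pkts"] * ov / dur
            for b, ov in hard_bins(flow["stime"], flow["ltime"], bin_secs)}

def expand_path(template, bin_start):
    """Expand strftime() conversions in a -w style template for one bin."""
    return time.strftime(template, time.gmtime(bin_start))

def split_flows(flows, template, bin_secs):
    """Return {expanded output path: packets assigned to that bin}."""
    totals = defaultdict(float)
    for flow in flows:
        for b, pkts in apportion(flow, bin_secs).items():
            totals[expand_path(template, b)] += pkts
    return dict(totals)

def demo(bin_secs=300):
    """Run the samples through a 5-minute hard split with the manpage's template."""
    return split_flows(SAMPLE_FLOWS, "matrix/%Y/%m/%d/argus.%H.%M.%S", bin_secs)

if __name__ == "__main__":
    for path, pkts in sorted(demo().items()):
        print(f"{path}: {pkts:g} packets")
```

With the template expanded per bin, no path ever contains a literal `%Y` component, which is the quick check for the symptom in the `ls -R matrix/` listing above.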
