How to add a compare field to Argus server??
Carter Bullard
carter at qosient.com
Wed Aug 20 15:05:18 EDT 2014
The difference in reported bytes between argus and the
other tools is that argus reports the wire-line packet size,
including L2 headers, tunnel headers, VLAN tags, MPLS
labels etc. For argus the packet size is the actual size of
the packet on the wire.
If you configure argus to report the app bytes size,
you’ll get the transported bytes values, which is also
a good number to look at, which will be different from
what the other tools report, as well.
Time stamps look to be different as well.
No problem.
Carter
On Aug 20, 2014, at 2:45 PM, ptit Lcd <leloiboi1 at gmail.com> wrote:
> Thanks, finally I can do it with ralabel in argus-client 3.0.6.2.
>
> About the difference, I attached the pcap file I used.
>
> 1) With softflowd+nfdump, I used these commands:
>
> > $ nfcapd -p9995 -l ./netflow/
> > $ softflowd -n 127.0.0.1:9995 -r dump.pcap
> > $ nfdump -r ./netflow/nfcapd.*
>
>
> And these are the first two lines of output:
> Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
> 2014-07-06 10:43:57.173 64.599 TCP 188.124.5.107:80 -> 192.168.3.35:1032 5 4291 1
> 2014-07-06 10:43:57.173 64.599 TCP 192.168.3.35:1032 -> 188.124.5.107:80 6 406 1
>
> 2) With argus, I used this argus.conf:
> ARGUS_FLOW_TYPE="Unidirectional"
> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
>
> with this command:
> > $ argus -F /home/lcd/Desktop/argus.conf -r ZeusSnort.pcap -mAJZRU 512 -S 50000 -w ZS.arg
> > $ ra -r ZS.arg -s +dur,sbytes,dbytes
>
>
> And these are the first two lines of output:
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State Dur SrcBytes DstBytes
> 16:14:43.701745 e tcp 192.168.3.35.1032 -> 188.124.5.107.http 6 490 RST 64.599251 490 0
> 16:14:43.870323 e tcp 188.124.5.107.http -> 192.168.3.35.1032 5 4361 CON 0.349697 4361 0
>
> I just want to know what is the cause of this difference :)
>
> Thank you very much.
>
> 2014-08-20 15:25 GMT-03:00 Carter Bullard <carter at qosient.com>:
> That should work fine, and does on all systems here,
> using your configuration file and label definition.
>
> You don’t have to pipe the output to see the label:
> % ralabel -f /home/lcd/Desktop/ralabel.conf -r ZN1.arg -s stime label:32
>
> So does ZN1.arg exist ?? What is the output of
> % ra -r ZN1.arg
>
> Make sure you don’t have a .rarc that is specifying inputs.
> That generates problems for people starting out.
>
> Don’t know why we would report different values than other
> flow sensors. We’ve been doing this a while, so I think
> our numbers are OK.
>
> You’ll have to send examples of the problem.
> Carter
>
>
> On Aug 20, 2014, at 1:43 PM, ptit Lcd <leloiboi1 at gmail.com> wrote:
>
>> Dear Carter,
>>
>> I tried to use ralabel with argus-client 3.0.8, this is the ralabel.conf file:
>> RALABEL_ARGUS_FLOW=yes
>> RALABEL_ARGUS_FLOW_FILE=/home/lcd/Desktop/2.txt
>>
>> This is 2.txt:
>> filter="bytes lt 1000" label="1"
>>
>> but when I run ralabel, nothing happens; it couldn't finish, no output:
>>
>> > $ ralabel -f /home/lcd/Desktop/ralabel.conf -r ZN1.arg -w - | ra -s +label:32
>>
>>
>> Did I do anything wrong?
>>
>> And I have another question: when I run Argus with the unidirectional option, it creates flows with byte counts a bit different from the flows created by Softflowd+nfdump. Can you please explain it?
>>
>> Thank you very much,
>>
>>
>> 2014-08-20 9:39 GMT-03:00 ptit Lcd <leloiboi1 at gmail.com>:
>> Dear Carter,
>>
>> Thank you very much. I'll tell you when I find something that needs to be implemented.
>> But now I'm looking for this field: average packet size (bytes per packet) in a flow. Doesn't it exist?
>>
>> Thanks,
>>
>>
>> 2014-08-20 8:48 GMT-03:00 Carter Bullard <carter at qosient.com>:
>>
>> Hey Duc Le,
>> Well, if you find a need for something that we don’t have,
>> we’d probably like to implement it. There are a number of
>> metrics that we are going to do in the next version, so if you
>> have some you need, send them on.
>>
>> Just a few notes on argus metadata, aka labels.
>>
>> There is a tutorial on argus metadata in the publications
>> section on the argus web page. Look at the Presentations
>> section, it's the first one.
>>
>> You filter on filters using regular expressions with the “-e regex”
>> option.
>>
>> Give it a try and if you have problems, send email !!!
>>
>> Carter
>>
>> On Aug 19, 2014, at 6:59 PM, ptit Lcd <leloiboi1 at gmail.com> wrote:
>>
>>> Thanks Carter,
>>>
>>> I'm working with some flow information that already appears in ra filters, so I'll try ralabel and filter.
>>>
>>> But I'm not sure that's all. If I need to compare a new field (calculated from existing fields) with a threshold, I need to modify the argus source, right? Currently I'm not sure what the field is; I need to experiment on the files to decide.
>>>
>>> Thank you very much!
>>>
>>>
>>> 2014-08-19 18:35 GMT-03:00 Carter Bullard <carter at qosient.com>:
>>> Hey Duc Le,
>>> If they are specific packet dynamics thresholds then you’ll
>>> have to hack up argus to do it. If you want me to do it,
>>> describe what it is, and we’ll look to put it in argus-3.0.10.
>>>
>>> If on the other hand it's thresholds that we have filters for,
>>> you could implement it using ralabel.1 using a ralabel.conf file.
>>> This is of course using the newer argus-clients-3.0.8 code base:
>>> http://qosient.com/argus/dev/argus-clients-latest.tar.gz
>>>
>>> Get the sample ralabel.conf file. You will want to use the
>>> RALABEL_ARGUS_FLOW filtering system, where you use fall through
>>> argus filter strategies to specify a label for your argus data.
>>>
>>> RALABEL_ARGUS_FLOW=yes
>>> RALABEL_ARGUS_FLOW_FILE=/path/to/your/argus.flow.label.txt
>>>
>>>
>>> —— /path/to/your/argus.flow.label.txt ——
>>>
>>> filter="rate gt 1000" label="rate greater than 1000 packets per second"
>>> filter="src co LI" label="from the good people in Liechtenstein"
>>>
>>>
>>> These end up embedded in the flow records as “ label “, which is
>>> where we store the argus metadata tags.
>>> Print them out later using ra …
>>>
>>> ra -r file -s +label:32
>>>
>>>
>>> Does that get close ???
>>>
>>> Carter
>>>
>>>
>>>
>>> On Aug 19, 2014, at 3:29 PM, ptit Lcd <leloiboi1 at gmail.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I'm working with some network traffic capture files and I have to compare some features with a defined threshold, for example bitperpacket vs 100, then export the result to an argus binary file (with a model like the ssh keystroke detection, which was already integrated into the argus server). So where should I start??
>>>>
>>>> Thanks,
>>>> Duc Le
>>>
>>>
>>
>>
>>
>
>
> <ZeusSnort.pcap>
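Added example (not code from the argus project or from either correspondent) illustrating the byte-count difference discussed above. A small Ethernet/802.1Q/IPv4/TCP header walker computes, for one frame, the three numbers a practitioner ends up comparing: the wire size (L2 headers and VLAN tags included, which is what argus reports by default), the IP-layer size (from the IP header up), and the TCP payload size (argus "app bytes"). The frames are constructed inline for the example, not taken from the pcap in the thread; the claim that the other sensor counted from the IP header up is an inference from the counters quoted above, where argus exceeds nfdump by exactly 14 bytes per packet, the size of an untagged Ethernet header.

```python
"""Wire bytes vs IP bytes vs app bytes for a flow of Ethernet/IPv4/TCP frames.

Added example for the argus byte-count discussion; all frames below are
constructed here, not captured traffic.
"""
import struct
from typing import Dict, List, Optional

ETH_HDR_LEN = 14
VLAN_TAG_LEN = 4
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def frame_byte_counts(frame: bytes) -> Dict[str, int]:
    """Return wire/ip/app byte counts (and the L2 overhead) for one frame."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    offset = ETH_HDR_LEN
    ethertype = struct.unpack("!H", frame[12:14])[0]
    # Skip stacked 802.1Q tags: each adds 4 bytes that only a wire-size
    # sensor (argus by default) counts.
    while ethertype == ETHERTYPE_VLAN:
        if len(frame) < offset + VLAN_TAG_LEN:
            raise ValueError("truncated VLAN tag")
        ethertype = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        offset += VLAN_TAG_LEN
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip_start = offset
    if len(frame) < ip_start + 20:
        raise ValueError("truncated IPv4 header")
    ihl = (frame[ip_start] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ip_start + 2:ip_start + 4])[0]
    if frame[ip_start + 9] != IPPROTO_TCP:
        raise ValueError("only TCP is handled in this example")
    if ip_start + total_len > len(frame):
        raise ValueError("IP total length exceeds the captured frame")
    tcp_start = ip_start + ihl
    if len(frame) < tcp_start + 20:
        raise ValueError("truncated TCP header")
    data_offset = (frame[tcp_start + 12] >> 4) * 4
    return {
        "wire": len(frame),                       # everything on the wire
        "ip": total_len,                          # IP header up (NetFlow-style count)
        "app": total_len - ihl - data_offset,     # TCP payload only
        "l2_overhead": ip_start,                  # bytes before the IP header
    }


def build_frame(payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Construct a minimal Ethernet[/802.1Q]/IPv4/TCP frame (constructed data)."""
    ip_total = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, IPPROTO_TCP, 0,
                         bytes([192, 168, 3, 35]), bytes([188, 124, 5, 107]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 1032, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    eth = b"\x00" * 12  # placeholder MAC addresses
    if vlan is None:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    else:
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_IPV4)
    return eth + ip_hdr + tcp_hdr + payload


def flow_totals(frames: List[bytes]) -> Dict[str, int]:
    """Sum the per-frame counts the way a flow sensor would for one flow."""
    totals = {"wire": 0, "ip": 0, "app": 0, "pkts": 0}
    for frame in frames:
        counts = frame_byte_counts(frame)
        for key in ("wire", "ip", "app"):
            totals[key] += counts[key]
        totals["pkts"] += 1
    return totals


def implied_l2_overhead(wire_bytes: int, ip_bytes: int, pkts: int) -> float:
    """Per-packet gap between a wire-size total and an IP-size total for the same flow.

    For the counters quoted in the thread (4361 vs 4291 over 5 packets,
    490 vs 406 over 6 packets) this is 14.0: one untagged Ethernet header.
    """
    return (wire_bytes - ip_bytes) / pkts


# Constructed three-packet flow: one request with payload, two empty segments.
SAMPLE_FLOW = [
    build_frame(b"GET / HTTP/1.1\r\n"),
    build_frame(b""),
    build_frame(b""),
]

if __name__ == "__main__":
    print(flow_totals(SAMPLE_FLOW))
    print(frame_byte_counts(build_frame(b"x" * 100, vlan=42)))
    print(implied_l2_overhead(4361, 4291, 5), implied_l2_overhead(490, 406, 6))
```

The VLAN-tagged case shows why the gap is not always 14: a tagged frame carries 18 bytes of L2 overhead, so a sensor that counts wire bytes diverges further from an IP-layer count on trunk ports, and tunnel headers or MPLS labels widen it again. When comparing argus against another sensor, compare like with like: either configure argus to report app bytes, or add the L2 overhead per packet to the other tool's figure.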