What does 0.0.0.0 mean
Jesper Skou Jensen
jesper.skou.jensen at uni-c.dk
Fri Aug 29 08:50:05 EDT 2014
On 29-08-2014 14:38, Monah Baki wrote:
> Hello,
>
>
> I’m running argus 3.0.8 with the following command:
>
> racluster -r argus.out -m saddr sport -s saddr sport daddr dport
> sbytes | grep 0.0.0.0
>
> 8.18.45.80.https 0.0.0.0 4219
[CUT]
> What does the 0.0.0.0 mean?
It is what you told racluster to do. With the "-m saddr sport" option
you told it to aggregate (merge) the rest.
A made-up example could be:
saddr,sport,daddr,dport,sbytes
1.2.3.4,80,5.6.7.8,80,1
1.2.3.4,80,5.6.7.8,81,1
1.2.3.4,80,5.6.7.8,82,1
1.2.3.4,80,5.6.7.8,83,1
1.2.3.4,8888,5.6.7.8,8000,100
1.2.3.4,8888,5.6.7.8,8100,100
1.2.3.4,8888,5.6.7.8,8200,100
1.2.3.4,8888,5.6.7.8,8300,100
Will get aggregated to
saddr,sport,daddr,dport,sbytes
1.2.3.4,80,0.0.0.0,4
1.2.3.4,8888,0.0.0.0,400
I hope that explains it; if not, let us know.
Regards
Jesper Skou Jensen
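To make the aggregation behaviour concrete, here is a small Python model of what `racluster -m saddr sport` does to the made-up records above. This is an added example, not code from the original post and not argus's own implementation: it groups flows on the merge keys, sums the byte counter, and blanks every address field that is not a merge key to 0.0.0.0 (which is exactly the 0.0.0.0 the original poster saw in the daddr column). The wildcard `*` used for a merged port field is an assumption made for readability, not argus output; the `cluster`/`parse_csv` function names and the sample CSV are constructed for this example.

```python
"""Model of racluster -m <keys> aggregation (added example, not argus code)."""
from collections import OrderedDict

# Constructed sample input, copied from the made-up example in the reply.
SAMPLE_CSV = """\
saddr,sport,daddr,dport,sbytes
1.2.3.4,80,5.6.7.8,80,1
1.2.3.4,80,5.6.7.8,81,1
1.2.3.4,80,5.6.7.8,82,1
1.2.3.4,80,5.6.7.8,83,1
1.2.3.4,8888,5.6.7.8,8000,100
1.2.3.4,8888,5.6.7.8,8100,100
1.2.3.4,8888,5.6.7.8,8200,100
1.2.3.4,8888,5.6.7.8,8300,100
"""

ADDR_FIELDS = {"saddr", "daddr"}      # merged addresses become 0.0.0.0
PORT_FIELDS = {"sport", "dport"}      # merged ports: shown as "*" (assumption)
COUNTER_FIELDS = {"sbytes", "dbytes", "spkts", "dpkts"}  # summed across the group


def parse_csv(text):
    """Parse a header-led CSV string into a list of field->value dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def cluster(records, merge_keys):
    """Aggregate records the way racluster -m <merge_keys> does.

    Records sharing the same values for merge_keys are merged into one row:
    counters are summed, non-key address fields are blanked to 0.0.0.0,
    and non-key port fields lose their value because they no longer
    identify a single flow.
    """
    groups = OrderedDict()
    for rec in records:
        key = tuple(rec[k] for k in merge_keys)
        agg = groups.get(key)
        if agg is None:
            agg = {}
            for field, value in rec.items():
                if field in merge_keys:
                    agg[field] = value          # key fields keep their value
                elif field in COUNTER_FIELDS:
                    agg[field] = 0              # counters start at zero
                elif field in ADDR_FIELDS:
                    agg[field] = "0.0.0.0"      # merged address -> 0.0.0.0
                elif field in PORT_FIELDS:
                    agg[field] = "*"            # merged port -> wildcard (assumption)
                else:
                    agg[field] = value
            groups[key] = agg
        for field in COUNTER_FIELDS:
            if field in rec:
                agg[field] += int(rec[field])
    return list(groups.values())


if __name__ == "__main__":
    for row in cluster(parse_csv(SAMPLE_CSV), ("saddr", "sport")):
        print(",".join(str(row[f]) for f in ("saddr", "sport", "daddr", "dport", "sbytes")))
    # Keeping daddr as a merge key preserves the real destination address:
    for row in cluster(parse_csv(SAMPLE_CSV), ("saddr", "sport", "daddr")):
        print(",".join(str(row[f]) for f in ("saddr", "sport", "daddr", "dport", "sbytes")))
```

The second loop shows the practical fix when the 0.0.0.0 is unwanted: add the field to the `-m` list (here `daddr`), and it is kept as part of the group key instead of being merged away. The same applies in real `racluster` runs: any field you want to see in the output must either be one of the `-m` merge keys or be a counter that aggregates sensibly.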