Question about Filtering Argus Data

Carter Bullard carter at qosient.com
Thu Jun 12 23:09:49 EDT 2014


Hey Chungen Li,
The filter "bytes gt 10", like all metrics, is decomposed into "src bytes gt 10 or dst bytes gt 10".
You should print the sbytes and dbytes fields to see whether their values are in or out of
the filter range.

If your filter is not working, what version of argus-clients are you running?
The best version to use, currently, is argus-clients-3.0.7.34, which is about
to be released as argus-clients-3.0.8. You can get the latest version here.

   http://qosient.com/argus/dev/argus-clients-latest.tar.gz

When you connect to a remote argus data source, your client sends its filter to the remote
data server where the filtering takes place.  As a result, filter failure may be at the argus data
source.  argus and argus-clients are designed to detect when there are filter problems
locally or remotely, but it is still a good exercise to check the logs of the remote
argus data source, to see if it reports filter issues.

Be sure to upgrade to the latest code, and if you are still having problems,
send more email.


Carter

On Jun 12, 2014, at 10:11 PM, Chungen Li <jiafei427 at gmail.com> wrote:

> Hello,
> 
> I'm developing a system using the ARGUS framework, and I ran into trouble when trying to use the filtering option in RA (the Argus client).
> 
> Following are some results from RA.
> 
> $ ../../argus/argus-clients-3.0.6.2/bin/ra -S 127.0.0.1:3434
>          StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State 
>    11:01:56.368794  *           tcp     147.46.112.192.ici       ->      173.194.72.84.https         1         59   CON
>    11:01:56.369780  * s         tcp     147.46.208.185.57788     ->     61.239.168.101.16057         6        440   FIN
>    11:01:56.370350  *           tcp       210.98.16.36.15890     ->    173.194.127.133.https         1         59   CON
>    11:01:56.370355  *           tcp     163.152.69.238.hpvro*    ->      203.84.208.52.https         1         59   CON
>    11:01:56.370415  *           tcp      223.195.2.196.59281     ->     173.194.127.73.http          6        593   CON
>    11:01:56.370575  *           tcp        210.98.50.5.46496     ->     173.194.127.85.https         5       2511   CON
>    11:01:56.370666  *           tcp     163.152.34.179.54862     ->     74.125.128.139.https         1         59   CON
>    11:01:56.370982  *           tcp     147.46.188.242.49245     ->     74.125.204.188.hpvro*        1         59   CON
>    11:01:56.371008  *           udp       147.46.81.23.33782     ->       219.79.58.17.osmos*        3        267   REQ
>    11:01:56.371503  *           tcp     117.16.196.145.40337     ->      173.194.38.70.http          3       1619   CON
>    11:01:56.372168  *           tcp       147.46.39.53.qsm-p*    ->     199.59.148.139.https         4        232   CON
>    11:01:56.372620  *           udp     203.241.84.210.48613     ->      216.239.32.10.domain        1         93   INT
>    11:01:56.373037  *           tcp    163.152.105.227.43465     ->      74.125.203.95.http          1         70   CON
>    11:01:56.373097  *           tcp    164.125.174.109.5194      ->     74.125.128.101.https         9       1312   CON
>    11:01:56.374016  *           tcp    203.247.182.211.35832     ->      173.194.38.71.https         1         59   CON
> 
> Here I just want the Argus records with packet bytes greater than 100, so I set the filtering option at the end of the command like this:
> 
> $ ../../argus/argus-clients-3.0.6.2/bin/ra -S 127.0.0.1:3434 - bytes gt 10
> 
> But this never returns me any results, and I don't know why.
> 
> Please tell me where I went wrong with that filtering option.
> 
> Thanks.
> 
> 
> Chungen, Li
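
The decomposition rule Carter describes above ("bytes gt N" means "src bytes gt N or dst bytes gt N"), as an added illustration that is not argus or ra code. The evaluator below models only that rule for the bytes metric, plus the explicit src/dst forms and and/or combinations, over a constructed snippet of ra-style output. The column names (SrcBytes, DstBytes), the sample records, and the assumption that "and" binds tighter than "or" (as in BPF-style filters) are all assumptions of this example; ra's real filter engine is compiled and pushed to the data source, not interpreted like this.

```python
"""
Toy evaluator for direction-qualified byte filters, mirroring the rule
from the mail: "bytes gt N" == "src bytes gt N or dst bytes gt N".
Added example; not part of argus-clients.
"""
import operator
import re

# Comparison words used in ra filter terms (subset).
OPS = {
    "gt": operator.gt,
    "lt": operator.lt,
    "eq": operator.eq,
    "ge": operator.ge,
    "le": operator.le,
}

# Which record field(s) a (direction, metric) pair expands to.  The
# unqualified form expands to BOTH fields, OR'ed together, per the mail.
# Only "bytes" is modelled here; the page documents no other metric.
METRIC_FIELDS = {
    ("src", "bytes"): ("sbytes",),
    ("dst", "bytes"): ("dbytes",),
    (None, "bytes"): ("sbytes", "dbytes"),
}

TERM_RE = re.compile(r"^(?:(src|dst)\s+)?bytes\s+(gt|lt|eq|ge|le)\s+(\d+)$")


def decompose(term):
    """Expand one filter term into (field, op, value) clauses that are
    OR'ed together.  'bytes gt 10' -> [('sbytes','gt',10), ('dbytes','gt',10)]."""
    m = TERM_RE.match(term.strip())
    if not m:
        raise ValueError("unsupported filter term: %r" % term)
    direction, op, value = m.groups()
    return [(f, op, int(value)) for f in METRIC_FIELDS[(direction, "bytes")]]


def term_matches(record, term):
    # Any one of the expanded per-direction clauses satisfies the term.
    return any(OPS[op](record[f], v) for f, op, v in decompose(term))


def filter_matches(record, expr):
    # Assumed precedence: "and" binds tighter than "or" (BPF-style).
    for conj in re.split(r"\s+or\s+", expr.strip()):
        if all(term_matches(record, t) for t in re.split(r"\s+and\s+", conj)):
            return True
    return False


# Constructed sample of ra output for "-s saddr daddr sbytes dbytes".
# Addresses are taken from the listing in the question; byte counts are
# invented to exercise each direction separately.
SAMPLE_RA_OUTPUT = """\
        SrcAddr          DstAddr  SrcBytes  DstBytes
 147.46.112.192    173.194.72.84        59         0
 147.46.208.185   61.239.168.101       208       232
   210.98.16.36  173.194.127.133        59      2388
    210.98.50.5   173.194.127.85       123        40
"""


def parse_ra_output(text):
    """Turn whitespace-separated ra output with a header row into dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        row = dict(zip(header, line.split()))
        records.append({
            "saddr": row["SrcAddr"],
            "daddr": row["DstAddr"],
            "sbytes": int(row["SrcBytes"]),
            "dbytes": int(row["DstBytes"]),
        })
    return records


def apply_filter(records, expr):
    return [r for r in records if filter_matches(r, expr)]


if __name__ == "__main__":
    recs = parse_ra_output(SAMPLE_RA_OUTPUT)
    for expr in ("bytes gt 100", "src bytes gt 100", "dst bytes gt 100",
                 "src bytes gt 100 and dst bytes gt 100", "bytes lt 10"):
        hits = apply_filter(recs, expr)
        print("%-40s -> %d record(s): %s" % (
            expr, len(hits), [r["saddr"] for r in hits]))
```

Note what the OR expansion implies for the less obvious direction: under the stated rule "bytes lt 10" also matches any flow whose other direction is empty (the first sample record, with 0 bytes back), so a flow with sbytes of 59 still matches "bytes gt 10" through its source side, which is exactly what the questioner expected to see. The same records can be checked against a real server by asking ra to print the two fields (ra's -s option selects the output fields) alongside the filter, so a mismatch between sbytes/dbytes and the filter result points at the client version or at the remote data source where the filter is actually applied.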
