Question about Filtering Argus Data

Chungen Li jiafei427 at gmail.com
Fri Jun 13 00:29:15 EDT 2014


Dear Carter,

I just downloaded the latest version from your link, which is
argus-clients-3.0.7.34, and I think the problems are not solved.

First, I just added sbytes and dbytes to check whether there is any argus data
that fits the condition "bytes gt 100".

Following is the result from ra:

$ ra -s +sbytes +dbytes -S 127.0.0.1:3434
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir          DstAddr  Dport  TotPkts   TotBytes State     SrcBytes     DstBytes
   13:10:01.726715  *           udp       147.46.66.83.26283     ->  203.218.216.240.27754         2        152   INT          152            0
   13:10:01.726943  *           tcp     164.125.53.178.sais      ->    74.125.128.94.http          4       1275   CON         1275            0
   13:10:01.726981  *           tcp     203.250.10.234.54653     ->  173.194.127.230.http          1         58   CON           58            0
   13:10:01.727066  *           udp      143.248.30.28.20576     ->  223.205.207.168.16471         1         66   REQ           66            0
   13:10:01.727144  *           udp     203.253.206.11.6881      ->  183.179.233.176.9043          1        368   REQ          368            0
   13:10:01.727443  *           udp     210.119.13.116.52472     ->     171.6.102.51.24302         2        132   REQ          132            0
   13:10:01.727603  *           tcp     164.125.53.178.infor*    ->    74.125.128.94.http          5       1158   CON         1158            0
   13:10:01.727619  *           tcp      147.47.241.31.63705     ?>  173.194.117.217.http          1         58   CON           58            0
   13:10:01.727730  *           tcp       147.46.17.88.iee-q*    ->   173.194.72.125.xmpp-*        1         59   CON           59            0
   13:10:01.727882  *           tcp       147.46.6.168.58296     ->  173.194.117.193.https         2        140   RST          140            0
   13:10:01.727984  *           tcp     164.125.53.178.mloadd    ->    74.125.128.94.http          5       1613   CON         1613            0
   13:10:01.728311  *           tcp    164.125.129.188.57351     ->   74.125.128.136.https        13       1910   CON         1910            0
   13:10:01.728810  *           tcp      143.248.60.99.49702     ->   74.125.128.157.http          2        128   CON          128            0
   13:10:01.728838  *           udp       203.250.1.11.51731     ->    192.221.77.23.domain        1        105   INT          105            0
   13:10:01.728919  *           tcp       163.152.3.57.27812     ->  173.194.117.250.http         13       2110   FIN         2110            0

As you can see, there are many of them with SrcBytes greater than 100.

So I ran the following command:

$ ra -s +sbytes +dbytes -S 127.0.0.1:3434 - src bytes gt 100

And it just got stuck there without any result.

So I checked the log on the argus server side, and it came up with nothing.

But, here's the weirdest thing.

When I use the option "bytes lt 100", it just works like a charm.

Here are some results from the command:

$ ra -s +sbytes +dbytes -S 127.0.0.1:3434 - src bytes lt 100
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir          DstAddr  Dport  TotPkts   TotBytes State     SrcBytes     DstBytes
   13:26:43.539575  *           tcp     210.107.236.96.6901      ->  173.194.127.129.https         1         59   CON           59            0
   13:26:43.539988  *           tcp     164.125.150.36.50026     ->    74.125.128.19.https         1         58   CON           58            0
   13:26:43.540055  *           tcp      147.46.238.80.63363     ->    74.125.128.17.https         1         58   CON           58            0
   13:26:43.540231  *           tcp    164.125.141.132.icpv2     ->   74.125.128.113.https         1         59   CON           59            0
   13:26:43.541930  *           tcp     143.248.53.100.53629     ->   74.125.128.148.http          1         59   CON           59            0
   13:26:43.542199  *           tcp     143.248.15.107.60584     ->    74.125.31.104.https         1         59   CON           59            0
   13:26:43.543277  *           tcp     210.218.201.19.58711     ->  173.194.127.188.http          1         59   CON           59            0
   13:26:43.543386  *           tcp      147.46.131.85.56737     ->  173.194.117.199.http          1         59   CON           59            0
   13:26:43.543612  *           tcp    210.125.122.102.51756     ?>  173.194.126.168.https         1         58   FIN           58            0
   13:26:43.543727  *           tcp    210.125.122.102.51755     ?>  173.194.126.168.https         1         58   FIN           58            0
   13:26:43.544334  *           tcp       147.46.60.47.icp       ->    74.125.203.94.https         1         59   CON           59            0
   13:26:43.544637  *           udp      147.46.61.186.62348     ->     42.3.104.118.ansof*        1         66   REQ           66            0
   13:26:43.544638  *           tcp     168.188.15.212.53359     ?>   74.125.235.150.https         1         58   RST           58            0
   13:26:43.544851  *          icmp     150.183.95.135.0x0008    ->   130.126.57.173.0x0db0        1         62   ECO           62            0
   13:26:43.545332  *           tcp    143.248.150.125.50392     ->    74.125.31.125.xmpp-*        1         58   CON           58            0
   13:26:43.545535  *           udp     155.230.24.235.menta*    ->    74.125.23.127.19302         1         66   REQ           66            0
   13:26:43.545731  *           tcp       14.44.126.17.60481     ?>     74.125.31.95.https         1         58   CON           58            0
   13:26:43.547221  *           tcp     203.237.41.198.56537     ->   74.125.128.113.https         1         59   CON           59            0
   13:26:43.547258  *           udp       134.75.151.8.domain    ->   74.125.186.215.33670         1         95   INT           95            0
   13:26:43.547381  *           tcp      209.85.215.36.61758     ->     155.230.11.8.pop3        218     276543   FIN            0       276543


What can I do next?

Thanks for your help.




On Fri, Jun 13, 2014 at 12:09 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Chungen Li,
> The filter "bytes gt 10", like all metrics, is decomposed to
> "src bytes gt 10 or dst bytes gt 10".
> You should print the sbytes and dbytes fields to see that their values are
> either in or out of the filter range.
>
> If your filter is not working, what version of argus-clients are you
> running?
> The best version to use, currently, is argus-clients-3.0.7.34, which is
> about to be released as argus-clients-3.0.8.  You can get the latest
> version here.
>
>    http://qosient.com/argus/dev/argus-clients-latest.tar.gz
>
> When you connect to a remote argus data source, your client sends its
> filter to the remote data server where the filtering takes place.  As a
> result, filter failure may be at the argus data source.  argus and
> argus-clients are designed to detect when there are filter problems
> locally or remotely, but it is still a good exercise to check the logs of
> the remote argus data source, to see if it reports filter issues.
>
> Be sure to upgrade to the latest code, and if you are still having
> problems, send more email.
>
>
> Carter
>
> On Jun 12, 2014, at 10:11 PM, Chungen Li <jiafei427 at gmail.com> wrote:
>
> Hello,
>
> Now I'm developing a system using the ARGUS framework, and I got into
> trouble when I tried to use the filtering option in ra (the Argus client).
>
> Following are some results from RA.
>
> $ ../../argus/argus-clients-3.0.6.2/bin/ra -S 127.0.0.1:3434
>          StartTime      Flgs  Proto            SrcAddr  Sport   Dir          DstAddr  Dport  TotPkts   TotBytes State
>    11:01:56.368794  *           tcp     147.46.112.192.ici       ->    173.194.72.84.https         1         59   CON
>    11:01:56.369780  * s         tcp     147.46.208.185.57788     ->   61.239.168.101.16057         6        440   FIN
>    11:01:56.370350  *           tcp       210.98.16.36.15890     ->  173.194.127.133.https         1         59   CON
>    11:01:56.370355  *           tcp     163.152.69.238.hpvro*    ->    203.84.208.52.https         1         59   CON
>    11:01:56.370415  *           tcp      223.195.2.196.59281     ->   173.194.127.73.http          6        593   CON
>    11:01:56.370575  *           tcp        210.98.50.5.46496     ->   173.194.127.85.https         5       2511   CON
>    11:01:56.370666  *           tcp     163.152.34.179.54862     ->   74.125.128.139.https         1         59   CON
>    11:01:56.370982  *           tcp     147.46.188.242.49245     ->   74.125.204.188.hpvro*        1         59   CON
>    11:01:56.371008  *           udp       147.46.81.23.33782     ->     219.79.58.17.osmos*        3        267   REQ
>    11:01:56.371503  *           tcp     117.16.196.145.40337     ->    173.194.38.70.http          3       1619   CON
>    11:01:56.372168  *           tcp       147.46.39.53.qsm-p*    ->   199.59.148.139.https         4        232   CON
>    11:01:56.372620  *           udp     203.241.84.210.48613     ->    216.239.32.10.domain        1         93   INT
>    11:01:56.373037  *           tcp    163.152.105.227.43465     ->    74.125.203.95.http          1         70   CON
>    11:01:56.373097  *           tcp    164.125.174.109.5194      ->   74.125.128.101.https         9       1312   CON
>    11:01:56.374016  *           tcp    203.247.182.211.35832     ->    173.194.38.71.https         1         59   CON
>
> Here I just want the Argus records with packet bytes greater than 100,
> so I set the filtering option at the end of the command like this:
>
> $ ../../argus/argus-clients-3.0.6.2/bin/ra -S 127.0.0.1:3434 - bytes gt 10
>
> But this never returns any results, and I don't know why.
>
> Please tell me where I went wrong with that filtering option.
>
> Thanks.
>
>
> Chungen, Li
>
>
>


-- 

Best Regards
Li ChunGen, 李 春根, 리 춘근
Department of Computer Science, POSTECH
PIRL 323, San 31, Hyoja-dong, Nam-gu, Pohang 790-784, Republic of Korea
Mobile: +82-10-7522-5977
Email: jiafei427 at postech.ac.kr
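As an added example (not code from this thread, from argus, or from argus-clients): a small Python script that parses the unfiltered ra output posted above and applies the filter semantics Carter describes locally, so a practitioner can list which records a working remote filter should have returned. It encodes the rule that an unqualified "bytes gt N" means "src bytes gt N or dst bytes gt N", while "src bytes ..." and "dst bytes ..." test one side only. The sample records are copied from the ra output in this thread, restored to one record per line; the final "* s" record is constructed to exercise a Flgs column that spans two tokens. The parser assumes ra's default field list with +sbytes +dbytes appended (the command used above), and only the gt, lt and eq comparisons are modelled.

```python
"""Apply argus-style byte filters locally to ra's printed output.

Added example for this thread, not code from argus or argus-clients.
Assumes ra was run with "-s +sbytes +dbytes" (default fields plus
SrcBytes and DstBytes appended) and only models "[src|dst] bytes gt|lt|eq N".
"""
import re
from typing import Callable, Dict, List

# Constructed sample: records copied from the ra output posted in this thread,
# each restored to a single line (the list archive wrapped them). The "* s"
# record is constructed to exercise a Flgs column that spans two tokens.
RA_OUTPUT = """\
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir          DstAddr  Dport  TotPkts   TotBytes State     SrcBytes     DstBytes
   13:10:01.726715  *           udp       147.46.66.83.26283     ->  203.218.216.240.27754         2        152   INT          152            0
   13:10:01.726943  *           tcp     164.125.53.178.sais      ->    74.125.128.94.http          4       1275   CON         1275            0
   13:10:01.726981  *           tcp     203.250.10.234.54653     ->  173.194.127.230.http          1         58   CON           58            0
   13:10:01.727882  *           tcp       147.46.6.168.58296     ->  173.194.117.193.https         2        140   RST          140            0
   13:26:43.543612  *           tcp    210.125.122.102.51756     ?>  173.194.126.168.https         1         58   FIN           58            0
   13:26:43.544851  *          icmp     150.183.95.135.0x0008    ->   130.126.57.173.0x0db0        1         62   ECO           62            0
   13:26:43.547381  *           tcp      209.85.215.36.61758     ->     155.230.11.8.pop3        218     276543   FIN            0       276543
   13:26:43.547382  * s         tcp     147.46.208.185.57788     ->   61.239.168.101.16057         6        440   FIN          440            0
"""

Record = Dict[str, object]


def parse_ra(text: str) -> List[Record]:
    """Parse whitespace-aligned ra lines for the field list above.

    Flgs may contain several tokens ("* s"), so the fixed fields are taken
    from the right-hand end and whatever sits between StartTime and Proto
    is the Flgs column.
    """
    records: List[Record] = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "StartTime":
            continue  # blank line or header
        if len(tok) < 10:
            raise ValueError(f"unexpected ra line: {line!r}")
        records.append({
            "stime": tok[0],
            "flgs": " ".join(tok[1:-9]),
            "proto": tok[-9],
            "saddr": tok[-8],   # SrcAddr.Sport printed as one token
            "dir": tok[-7],
            "daddr": tok[-6],   # DstAddr.Dport printed as one token
            "pkts": int(tok[-5]),
            "bytes": int(tok[-4]),
            "state": tok[-3],
            "sbytes": int(tok[-2]),
            "dbytes": int(tok[-1]),
        })
    return records


_OPS: Dict[str, Callable[[int, int], bool]] = {
    "gt": lambda a, b: a > b,
    "lt": lambda a, b: a < b,
    "eq": lambda a, b: a == b,
}
_FILTER_RE = re.compile(r"^\s*(?:(src|dst)\s+)?bytes\s+(gt|lt|eq)\s+(\d+)\s*$")


def compile_filter(expr: str) -> Callable[[Record], bool]:
    """Turn "[src|dst] bytes gt|lt|eq N" into a predicate on one record.

    An unqualified "bytes ..." is expanded the way the thread describes:
    "bytes gt N" means "src bytes gt N or dst bytes gt N".
    """
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    side, op, n = m.group(1), _OPS[m.group(2)], int(m.group(3))
    keys = {"src": ("sbytes",), "dst": ("dbytes",)}.get(side, ("sbytes", "dbytes"))
    return lambda rec: any(op(rec[k], n) for k in keys)


def ra_filter(text: str, expr: str) -> List[Record]:
    """Records from ra's output that satisfy the filter expression."""
    pred = compile_filter(expr)
    return [r for r in parse_ra(text) if pred(r)]


if __name__ == "__main__":
    for expr in ("src bytes gt 100", "bytes gt 100", "src bytes lt 100", "dst bytes gt 100"):
        hits = ra_filter(RA_OUTPUT, expr)
        print(f"{expr:18s} -> {len(hits)} record(s)")
        for r in hits:
            print(f"    {r['stime']} {r['proto']:4s} {r['saddr']} {r['dir']} "
                  f"{r['daddr']}  sbytes={r['sbytes']} dbytes={r['dbytes']}")
```

To use it against a live source, save the unfiltered output of `ra -S 127.0.0.1:3434 -s +sbytes +dbytes` to a file and pass its contents to `ra_filter` in place of the sample. The pop3 record shows why the decomposition matters: it matches "bytes gt 100" through its 276543 destination bytes yet also matches "src bytes lt 100" (0 source bytes), which is consistent with its appearance in the "src bytes lt 100" output above. This is the local cross-check Carter recommends (print sbytes and dbytes and compare against the range); because ra ships the filter to the remote argus source, agreement here says nothing about why the remote filter returned nothing.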