Rastream flow option problem, FreeBSD and OS X?

Carter Bullard carter at qosient.com
Fri Mar 20 01:00:35 EDT 2015


Hey Pete,
rastream is a special case of rasplit that supports block processing of stream data.
You aren't using any of those features, so try using rasplit instead.

   rasplit -r ../BPM_test_Cap.arg -M flow 'icmp and net 10.0.0.0/23' -w - | ra -r -

When records that match the filter are seen, you should get an ARGUS_MAR_CLOSE
record followed by an ARGUS_MAR_START record, then the record that matches
the flow.

This should give you the results you are interested in?

Carter


> On Mar 19, 2015, at 11:48 PM, Pete McKenna <pete.mckenna at gmail.com> wrote:
> 
> 
> I'm using Argus on FreeBSD 10.1 and have the latest ports update, version 3.0.8. I get no errors when building, and most features seem just fine, but I'd like to use the rastream -M flow "filter" option, and I get no output and no errors when I run this command on a file. It does not matter if I am writing to stdout or a file; nothing happens. Using -M time does work as expected. I don't believe the clients were built with debug; I get nothing when using -D 8 on rastream.
> 
> I also noticed that the man page for rastream details using flow, but the -h help does not mention a flow option at all. I'd appreciate any thoughts.
> 
> I'll try and recompile with debug; is this an option to configure?
> 
> The command I'd like to run is like this:
> rastream -r ../BPM_test_Cap.arg -M flow "icmp and net 10.0.0.0/23" -w - | ra -r -
> 
> The behavior is the same on OS X 10.7.5, also with the 3.0.8 clients. I have tried using -X to clear any .rarc complications; there is no change.
> 
> Thanks
> 
> Pete
> 
