Rastream flow option problem, FreeBSD and OS X?

Pete McKenna pete.mckenna at gmail.com
Fri Mar 20 14:03:39 EDT 2015


Carter,

Fantastic, I don't know why I thought rasplit would be different, but I was
under the impression it couldn't have its output piped. This is working
great.

Pete

On Fri, Mar 20, 2015 at 12:00 AM, Carter Bullard <carter at qosient.com> wrote:

> Hey Pete,
> rastream is a special case of rasplit, that supports block processing of
> stream data.
> you aren’t using any of those features, so try using rasplit instead.
>
>    rasplit -r ../BPM_test_Cap.arg -M flow 'icmp and net 10.0.0.0/23' -w
> - | ra
>
> When records that match the filter are seen, you should get an
> ARGUS_MAR_CLOSE
> record followed by an ARGUS_MAR_START record, then the record that matches
> the flow.
>
> This should give you the results you are interested in ??
>
> Carter
>
>
> On Mar 19, 2015, at 11:48 PM, Pete McKenna <pete.mckenna at gmail.com> wrote:
>
>
> I'm using Argus on FreeBSD 10.1 and have the latest ports update, version
> 3.0.8. I get no errors when building, and most features seem just fine, but
> I'd like to use the rastream -M flow "filter" option, and I get no output and
> no errors when I run this command on a file. It does not matter whether I am
> writing to stdout or a file; nothing happens. Using -M time does work as
> expected. I don't believe the clients were built with debug; I get nothing
> when using -D 8 on rastream.
>
> I also noticed that the man page for rastream details using flow, but the
> -h help does not mention a flow option at all. I'd appreciate any thoughts.
>
> I'll try to recompile with debug; is this an option to configure?
>
> command I'd like to run is like this:
> rastream -r ../BPM_test_Cap.arg -M flow "icmp and net 10.0.0.0/23" -w - |
> ra -r -
>
> The behavior is the same on OS X 10.7.5 also with the 3.0.8 clients. I
> have tried using -X to clear any .rarc complications, there is no change.
>
> Thanks
>
> Pete
>
>
>


-- 
Pete McKenna
pete.mckenna at gmail.com