Query by country

Carter Bullard carter at qosient.com
Mon Mar 23 08:58:04 EDT 2015


Hey Monah,
This may seem slightly confusing but the issue is straightforward.

Country codes are flow record metadata.  The codes aren't
normally in the record, as they can't be extracted from the packet
contents.  To get them in the record, you have to insert them
using a program like radium (labeler).

All ra* programs can print country codes, if you give it a database file,
usually in the .rarc file.  If there isn't a country code in the record,
all ra* programs can look up the code in the given database,
but this is done in the print routine.  This operation does not
affect the contents of the actual argus record.  

In ra* programs, there are a lot of filters.  For ratop, there is
a remote and local input filter,  a display filter, and an output filter.
Because there are so many of them, they are designed to work
only on record content.  

So currently, in order to filter on country codes, AS numbers,
DNS names, lat/lon etc..., you need to get the object into the record.  

Use radium to add the country codes to your flow records,
or use ralabel.1 in the command pipeline to enhance the records
to get your object into the record.

Carter

> On Mar 23, 2015, at 8:31 AM, monahbaki at gmail.com wrote:
> 
> Hi all,
> 
> If a server running ratop displays all the information that is required including country codes, but if I want to query for example "co US", nothing shows up on display. What should I look for?
> 
> Thanks
> Monah
> 
> Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.