trying to extract and reconstruct specific info from argus file
John Gerth via Argus-info
argus-info at lists.andrew.cmu.edu
Sat Mar 19 23:58:50 EDT 2016
Use "ra ... -w some_filename .... " rather than "ra -c, -L0 .... | raconvert -r - ..." to save an extract
With the latter pipeline raconvert will only get the fields output by ra, whereas with the former the entire
unedited record will be written. In your case, it looks like the original "ra" was not outputting any dst fields.
/J
On 3/19/16 7:46 PM, Riccardo Veraldi via Argus-info wrote:
> Hello,
> I am trying to extract a specific pattern of traffic from my daily argus file, for example to make some graphs, but I am not getting coherent results.
>
> For example, I want to see how much data was transferred between host 172.21.32.80 and host 172.21.47.25
>
> So for example:
>
> racount -r argus.out -- host 172.21.32.80 and host 172.21.47.25
>
> racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
> sum 12845 223972263 111508804 112463459 1276653814474 1265563799876 11090014598
>
>
> Now I want to extract only the info about these 2 IPs and have an argus file with only that info.
>
> ra -L0 -c, -r argus.out -- host 172.21.32.80 and host 172.21.47.25 | raconvert -r - -w argusfile.tmp
>
> and I run racount on it again
>
> racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
> sum 12652 194539 194539 0 217056818 217056818 0
>
> The number of records matches, but the byte count is totally different, as is the number of packets.
> I would also run a ragraph
>
> ragraph saddr sbytes daddr dbytes -no-legend -M 10s -r argusfile.tmp
>
> It works, but the result matches the 200MB, not the 1.16TB, of course.
>
> What am I missing here?
>
> I need to extract specific information from the argus file to match specific patterns of traffic and have them in smaller argus-format files
> to make custom "on demand" graphs.
>
> I please ask if anyone has a hint for me.
>
> thank you
>
> Rick
>
>
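The extraction John describes, written out as an added example (this is not code from either poster or from the argus project). It assumes the argus client tools `ra` and `racount` are on PATH and uses the file names and the two hosts from the thread; the `racount_sum` helper that reads a column from racount's "sum" line is my own construction, and the sample racount text in the comments is the output quoted above.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Save a filtered extract with "ra -w" so the full records (both src and dst
# fields) are written, then check that the extract carries the same byte
# totals as the filter applied to the source file.

SRC=argus.out        # daily argus file from the thread
OUT=argusfile.tmp    # extract to produce (name from the thread)
FILTER='host 172.21.32.80 and host 172.21.47.25'

# Write every record matching FILTER, unedited, to OUT.
# Deliberately no "-c," or "-L0" here: those only shape ra's printed columns,
# and piping that narrowed text into "raconvert -r -" rebuilds records from it,
# which is why the dst side vanished in the thread.
# FILTER is left unquoted on purpose so the shell splits it into words.
extract_flows() {
    ra -r "$SRC" -w "$OUT" -- $FILTER
}

# racount_sum OUTPUT COLUMN: print one column of racount's "sum" line.
# racount's header names the columns, e.g.
#   racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
#   sum 12845 223972263 111508804 112463459 1276653814474 1265563799876 11090014598
# The header is used to find the column index, so the order is not hard-coded.
racount_sum() {
    printf '%s\n' "$1" | awk -v col="$2" '
        $1 == "racount" { for (i = 2; i <= NF; i++) idx[$i] = i }
        $1 == "sum"     { print $(idx[col]) }'
}

# Compare total_bytes of the filtered source with total_bytes of the extract.
# Prints both values; returns non-zero when they differ, which is the symptom
# seen in the thread (1.16TB in the source vs 200MB in the extract).
verify_extract() {
    before=$(racount -r "$SRC" -- $FILTER)
    after=$(racount -r "$OUT")
    b=$(racount_sum "$before" total_bytes)
    a=$(racount_sum "$after" total_bytes)
    echo "total_bytes source=$b extract=$a"
    [ "$b" = "$a" ]
}

# Only run the extraction when the tools and the source file are present.
if command -v ra >/dev/null 2>&1 && [ -r "$SRC" ]; then
    extract_flows && verify_extract
fi
```

Run it in the directory holding `argus.out`; a mismatch between the two printed totals means the extract did not keep the full records. Comparing `dst_bytes` the same way (`racount_sum "$after" dst_bytes`) is the quickest check for the specific loss the thread shows, since that column dropped to 0 in the raconvert output.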