trying to extract and reconstruct specific info form argus file

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Sun Mar 20 11:29:06 EDT 2016


Hey Riccardo,
John is right, you don’t need to burn cycles converting the records to ascii and then converting them back to binary.
Just run:
   ra -r argus.out -w argusfile.tmp - host 172.21.32.80 and host 172.21.47.25

Now, on the other hand, your print to ascii and then convert back to binary should work.  But this process is completely dependent on the columns you are choosing to print.  Because you aren’t specifying any columns, ra.1 will use your .rarc file to figure out what columns to export to raconvert.1, or it will use the default.  Since racount.1 wants to report on src and dst pkts and bytes, what happens if you specify the spkts dpkts and sbytes dbytes fields in your ra.1 call ???

    ra -L0 -c, -r argus.out -s stime dur saddr daddr spkts dpkts sbytes dbytes \
         -- host 172.21.32.80 and host 172.21.47.25 | raconvert -r - -w argusfile.tmp

The ra -> raconvert -> argus.file pipeline is designed to control the contents of your argus records.  You guarantee the semantics of the argus data file because you control the exact fields and the values of the fields.  This is designed to provide some confidence that you know what you are sharing when you give someone the data, that there aren’t any intentional or unintentional leaks.

Carter 

> On Mar 19, 2016, at 10:46 PM, Riccardo Veraldi via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hello,
> I am trying to extract specific patterns of traffic from my daily argus file, for example to make some graphs, but I am not getting coherent results.
> 
> For example I want to see how much data was transferred between host 172.21.32.80 and host 172.21.47.25
> 
> So for example:
> 
> racount -r argus.out -- host 172.21.32.80 and host 172.21.47.25
> 
> racount   records     total_pkts     src_pkts       dst_pkts total_bytes        src_bytes          dst_bytes
>    sum   12845       223972263      111508804      112463459 1276653814474      1265563799876      11090014598
> 
> 
> Now I want to extract only the info about these 2 IPs and have an argus file with only that info.
> 
> ra -L0 -c, -r argus.out -- host 172.21.32.80 and host 172.21.47.25 | raconvert -r - -w argusfile.tmp
> 
> and I again run racount on it
> 
> racount   records     total_pkts     src_pkts       dst_pkts total_bytes        src_bytes          dst_bytes
>    sum   12652       194539         194539         0 217056818          217056818          0
> 
> The number of records matches, but the byte count is totally different, as is the number of packets.
> I also would run a ragraph
> 
> ragraph saddr sbytes daddr dbytes -no-legend -M 10s  -r argusfile.tmp
> 
> It works, but the result matches the 200MB, not the 1.16TB, of course.
> 
> What am I missing here?
> 
> I need to extract specific information from an argus file to match specific patterns of traffic and have them in smaller argus-format files
> to make custom "on demand" graphs.
> 
> I please ask if anyone has a hint for me.
> 
> thank you
> 
> Rick
> 
> 
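The column dependence Carter describes above can be checked before running the pipeline rather than discovered afterwards from a mismatched racount. The following is an added example (not part of the argus distribution or of either message): it takes an intended `ra -s` field list and reports which of the counters racount sums would be absent from the export, and it recomputes racount-style totals from `ra -L0 -c,` CSV text. The column labels (StartTime, Dur, SrcAddr, DstAddr, SrcPkts, DstPkts, SrcBytes, DstBytes) are assumed to match what ra prints for those fields, and the two sample flow rows are constructed, not real traffic. The `project` helper simply drops columns to imitate a lossy export; it does not reproduce how raconvert maps ra's default pkts/bytes totals, so it only shows the general effect.

```python
"""Check an ra(1) field list against the counters racount(1) reports, and
recompute those counters from `ra -L0 -c,` output.

Added example, not argus project code.  Column labels are assumed to be the
ones ra prints for the corresponding -s fields; sample rows are constructed."""
import csv
import io

# racount reports src/dst packets and bytes; these are the -s fields that carry them
RACOUNT_FIELDS = ("spkts", "dpkts", "sbytes", "dbytes")

# -s field name -> column label ra -L0 prints (assumed labels)
LABEL_FOR_FIELD = {
    "stime": "StartTime", "dur": "Dur", "saddr": "SrcAddr", "daddr": "DstAddr",
    "spkts": "SrcPkts", "dpkts": "DstPkts", "sbytes": "SrcBytes", "dbytes": "DstBytes",
}

# The field list from Carter's corrected command
FULL_FIELDS = ("stime", "dur", "saddr", "daddr", "spkts", "dpkts", "sbytes", "dbytes")

# Constructed `ra -L0 -c, -s <FULL_FIELDS>` output for two flows between the two hosts
SAMPLE_CSV = (
    "StartTime,Dur,SrcAddr,DstAddr,SrcPkts,DstPkts,SrcBytes,DstBytes\n"
    "1458440000.123456,5.000000,172.21.32.80,172.21.47.25,1200,800,1500000,60000\n"
    "1458440010.000000,2.500000,172.21.47.25,172.21.32.80,300,450,20000,600000\n"
)


def missing_count_fields(fields):
    """Return the racount counters that an `ra -s fields` export would not carry."""
    return [f for f in RACOUNT_FIELDS if f not in fields]


def project(csv_text, fields):
    """Keep only the columns an `ra -s fields` run would print (simulated lossy export)."""
    labels = [LABEL_FOR_FIELD[f] for f in fields]
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=labels, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({label: row[label] for label in labels})
    return out.getvalue()


def racount_totals(csv_text):
    """Sum records and src/dst pkts/bytes the way racount reports them.

    A counter column missing from the export contributes 0, which is the
    effect Riccardo saw after an ascii -> binary round trip that dropped it."""
    totals = {"records": 0, "src_pkts": 0, "dst_pkts": 0, "src_bytes": 0, "dst_bytes": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        totals["records"] += 1
        totals["src_pkts"] += int(row.get("SrcPkts") or 0)
        totals["dst_pkts"] += int(row.get("DstPkts") or 0)
        totals["src_bytes"] += int(row.get("SrcBytes") or 0)
        totals["dst_bytes"] += int(row.get("DstBytes") or 0)
    totals["total_pkts"] = totals["src_pkts"] + totals["dst_pkts"]
    totals["total_bytes"] = totals["src_bytes"] + totals["dst_bytes"]
    return totals


if __name__ == "__main__":
    lossy_fields = ("stime", "dur", "saddr", "daddr")
    print("fields racount would lose:", missing_count_fields(lossy_fields))
    print("full export totals:  ", racount_totals(SAMPLE_CSV))
    print("lossy export totals: ", racount_totals(project(SAMPLE_CSV, lossy_fields)))
```

Running it shows the same record count on both sides while every packet and byte total collapses to zero for the export that omits the counters, which is why comparing only the `records` column of racount before and after the round trip is not a sufficient check; compare the byte and packet sums too.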
