trying to extract and reconstruct specific info form argus file

Riccardo Veraldi via Argus-info argus-info at lists.andrew.cmu.edu
Fri Mar 25 15:07:52 EDT 2016 

On 20/03/16 08:29, Carter Bullard wrote:
> Hey Riccardo,
> John is right, you don’t need to burn cycles converting the records to 
> ascii and then converting them back to binary.
> Just run:
>    ra -r argus.out -w argusfile.tmp - host 172.21.32.80 and host 
> 172.21.47.25
>
> Now, on the other hand, your print to ascii and then convert back to 
> binary should work.  But this process is completely dependent on the 
> columns you are choosing to print.  Because you aren’t specifying any 
> columns, ra.1 will use your .rarc file to figure out what columns to 
> export to raconvert.1, or it will use the default.  Since racount.1 
> wants to report on src and dst pkts and bytes, what happens if you 
> specify the spkts dpkts and sbytes dbytes fields in your ra.1 call ???
>
>     ra -L0 -c, -r argus.out -s stime dur saddr daddr spkts dpkts 
> sbytes dbytes \
>          -- host 172.21.32.80 and host 172.21.47.25 | raconvert -r - 
> -w argusfile.tmp
>
Hi Carter,
I Was trying your hint.
I do not know what is going wrong but raconvert is not working giving as 
input

ra -L0 -c, -r argus.out -s stime dur saddr daddr spkts dpkts sbytes 
dbytes \
          -- host 172.21.32.80 and host 172.21.47.25 > argus.txt

raconvert -r argus.txt -w argusfile.tmp

no argusfile.tmp is created.

I am missing something ... which I do not understand.

> The ra -> raconvert -> argus.file  is designed to control the contents 
> of your argus records.  You guarantee the semantics of the argus data 
> file because you control the exact fields and the value of the fields. 
>  This is designed to provide some confidence that you know what you 
> are sharing when you give someone the data, that there aren’t any 
> intentional or unintentional leaks.
>
> Carter
>
>> On Mar 19, 2016, at 10:46 PM, Riccardo Veraldi via Argus-info 
>> <argus-info at lists.andrew.cmu.edu 
>> <mailto:argus-info at lists.andrew.cmu.edu>> wrote:
>>
>> Hello,
>> I am trying to extract specific pattern of traffic from my daily 
>> argus file, for example to make some graph, but I have not coherent 
>> results.
>>
>> For example I Want to see how much data was transferred between host 
>> 172.21.32.80 and host 172.21.47.25
>>
>> So for example:
>>
>> racount -r argus.out -- host 172.21.32.80 and host 172.21.47.25
>>
>> racount   records     total_pkts     src_pkts       dst_pkts 
>> total_bytes        src_bytes          dst_bytes
>>    sum   12845       223972263      111508804      112463459 
>> 1276653814474      1265563799876      11090014598
>>
>>
>> now I Want to extract only the info about these 2 IP and have an 
>> argus file only with those info.
>>
>> ra -L0 -c, -r argus.out -- host 172.21.32.80 and host 172.21.47.25 | 
>> raconvert -r - -w argusfile.tmp
>>
>> and I again run racount on it
>>
>> racount   records     total_pkts     src_pkts       dst_pkts 
>> total_bytes        src_bytes          dst_bytes
>>    sum   12652       194539         194539         0 217056818 
>>          217056818          0
>>
>> the number of records match but the byte count is totally different 
>> as well as number of packets.
>> I Also would run a ragraph
>>
>> ragraph saddr sbytes daddr dbytes -no-legend -M 10s  -r argusfile.tmp
>>
>> it works but the result matches the 200MB not 1.16TB of course.
>>
>> what I am missing here ?
>>
>> I need to extract argus file specific information to match pecific 
>> pattern of traffic and have them in smaller argus-format files
>> to make custom "on demand" graphs.
>>
>> I please ask if anyone has a hint for me.
>>
>> thank you
>>
>> Rick
>>
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160325/5538972f/attachment.html>

More information about the argus mailing list