Argus-3.0.8.2 output values

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Mon Jan 23 10:21:34 EST 2017


Hey Hasanen,
Rather than running data through pipes, try to build up your processing using files, so that you can see how the processing is going.

From your file.argus, try these simple steps to see how the flow records are generated and to see how it can help you …
First, copy a rarc file so that your clients can be configured to generate the output you like.

   % cp  /path/to/argus-clients…/support/Config/rarc ~/.rarc

Try this configuration for a while, and modify as your preferences develop.
So where is your port 433 traffic ??

   % ra -r file.argus - port 433

You will find that with bi-directional flow data, your port may not be the destination port.  That depends on the quality of the packet source that you are using.  As I mentioned earlier, which direction of the packet stream are you expecting when you look for just the dst port 443 packets?

Now, in your .rarc file, there is support for trying to control which ports are labeled as source, when the direction is not known.  Variables like:
   RA_PORT_DIRECTION
   RA_LOCAL_DIRECTION

I suspect that your packet data is incomplete, say only seeing one side of the traffic, so play with these two variables in your new .rarc file, and see if you can’t get things a bit better lined up.

Carter

> On Jan 23, 2017, at 10:08 AM, Hasanen Alyasiri via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hi,
> 
> Best Wishes...
> 
> My issue is when I check my pcap file using Wireshark it clearly indicates for me that in this file there is a Dport of value 433 but when I use argus to read and extract Dport alongside other features it shows these values:
> 
> Dport
> telnet
> telnet
> telnet
> 51996
> 50169
> 27711
> 0x4f52
> 0x4f52
> https
> telnet
> 49807
> 7547
> 36885
> 0x4f51
> 0x4f50
> telnet
> ntp
> 56685
> 49343
> https
> 
> This is my extraction code:
> 
> argus -w - -r file.pcap | \
> ra -nnr - -c ',' -s rank, stime, ltime, dur, saddr, sport, daddr, dport, proto, stos, dtos, sttl, dttl, pkts, spkts, dpkts, bytes, sbytes, dbytes, sload, dload, sloss, dloss, rate, dir, sintpkt, dintpkt, sjit, djit, state, smeansz, dmeansz > file.csv
> 
> Or using
> 
> argus -r file.pcap -w file.argus
> 
> ra -Lo -s rank, stime, ltime, dur, saddr, sport, daddr, dport, proto, stos, dtos, sttl, dttl, pkts, spkts, dpkts, bytes, sbytes, dbytes, sload, dload, sloss, dloss, rate, dir, sintpkt, dintpkt, sjit, djit, state, smeansz, dmeansz -r file.argus -c , > file.csv
> 
> I much appreciate your help.
> 
> Regards...
> 
> Hasanen Alyasiri
> Research Student
> Department of Computer Science
> University of York
> 
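
As an added example (not code from the argus project or from either poster), here is a small Python normaliser for the sport/dport columns of ra's CSV output: it turns the service names that ra prints without -n, the 0x hex values and plain decimals into integers, and then reports whether a port of interest shows up as dport or as sport, which is the direction question raised in the reply above. The service table and the sample rows are constructed for the example.

```python
import csv
import io
import socket
from typing import Optional

# Constructed fallback for the service names seen in the thread; checked
# before socket.getservbyname so results do not depend on /etc/services.
SERVICE_PORTS = {"telnet": 23, "https": 443, "http": 80, "ntp": 123}


def parse_port(value: str, proto: str = "tcp") -> Optional[int]:
    """One ra port field as an int: service name (no -n), decimal or 0x hex;
    '*' or an empty field means the flow has no port on that side."""
    v = value.strip()
    if v in ("", "*"):
        return None
    if v.lower().startswith("0x"):
        return int(v, 16)
    if v.isdigit():
        return int(v)
    if v in SERVICE_PORTS:
        return SERVICE_PORTS[v]
    try:
        return socket.getservbyname(v, proto)
    except OSError:
        return None

# Constructed rows shaped like `ra -c , -s stime saddr sport daddr dport
# proto dir` output; not real records from the post.
SAMPLE_CSV = """\
stime,saddr,sport,daddr,dport,proto,dir
1485183000.1,10.0.0.5,51996,192.0.2.10,https,tcp,->
1485183001.2,192.0.2.10,https,10.0.0.5,49807,tcp,->
1485183002.3,10.0.0.5,0x4f51,192.0.2.20,0x4f52,tcp,<->
1485183003.4,10.0.0.5,56685,192.0.2.30,telnet,tcp,->
1485183004.5,10.0.0.5,49343,192.0.2.40,ntp,udp,<->
"""


def flows_with_port(csv_text: str, port: int) -> list:
    """Rows carrying `port` on either side, with numeric ports added; `side`
    is 'dst' when it is the dport and 'src' when ra put the server end first."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sp = parse_port(row["sport"], row["proto"])
        dp = parse_port(row["dport"], row["proto"])
        if port in (sp, dp):
            hits.append({**row, "sport_n": sp, "dport_n": dp,
                         "side": "dst" if dp == port else "src"})
    return hits
```

Running flows_with_port(SAMPLE_CSV, 443) over the sample returns two rows, one with https as dport and one where ra has it as sport, so counting only the dport column would miss half of the 443 traffic.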
