[ARGUS] ratop with racolor blanks our daddr

carter at qosient.com carter at qosient.com
Fri Jul 19 16:56:36 EDT 2019 

Hey Steven,
In ratop, you should be able to save the display screen with the “:w” option and then a filename.  It will write all the flows in its cache to a file, and then you can read that file in with ratop.1 to see if it still has the daddr blacked out …. All I would need is that file ...

Carter
 

> On Jul 19, 2019, at 4:39 PM, Steven L <bluebluesteven at gmail.com> wrote:
> 
> Hi Carter,
> 
> Data set is coming off a nic via argus. I'll see if I can do the same off of a pcap.
> 
> 
> ######################################
> rarc.conf:
> ######################################
> RA_ARGUS_SERVER=localhost:561
> RA_USEC_PRECISION=2
> RA_SORT_ALGORITHMS=load
> RA_COLOR_SUPPORT="yes"
> RA_COLOR_CONFIG="racolor.conf"
> 
> 
> ######################################
> racolor.conf:
> ######################################
> filter=""     color="all:BLACK"                           cont
> filter=""     color="all:WHITE"                           cont
> filter="src load eq 0"   color="saddr:BLUE" cont
> filter="src load eq 0"   color="daddr:BLUE" cont
> 
> 
> ######################################
> command:
> ######################################
> ratop -F rarc.conf -H -n -s ltime idle saddr sport dir daddr dport proto load rate bytes pkts state dur sdsb
> 
> 
> 
> 
> 
> 
> 
> On Fri, Jul 19, 2019 at 8:47 AM <carter at qosient.com <mailto:carter at qosient.com>> wrote:
> Hey Steve,
> So the color map is a bit map, and the notion that initializing all the bits explicitly before you start,  isn’t crazy … but not something the user should have to do.
> I’ll take a look at the code today … any chance you have a .racolor.conf, .rarc and a data set you can share that shows the problem ???
> 
> Carter
> 
>> On Jul 19, 2019, at 9:44 AM, Steven L <bluebluesteven at gmail.com <mailto:bluebluesteven at gmail.com>> wrote:
>> 
>> A more "enhanced" workaround is to have the below at the top of the racolor.config. This will put the text back to the proper foreground color.
>> 
>> filter=""     color="all:BLACK"      cont
>> filter=""     color="all:WHITE"      cont
>> 
>> 
>> 
>> On Thu, Jul 18, 2019 at 3:31 PM <carter at qosient.com <mailto:carter at qosient.com>> wrote:
>> So there does appear to be a bug in the parser … not sure yet what, as I haven’t had a chance to look into it.
>> I’m thinking that if you put an explicit line at the top and then add your logic, that you’ll be setting the text to something other than the "foreground” .  Is this a workaround ???
>> 
>> Carter
>> 
>>> On Jul 18, 2019, at 6:17 PM, Steven L <bluebluesteven at gmail.com <mailto:bluebluesteven at gmail.com>> wrote:
>>> 
>>> When I do this:  filter="net 0.0.0.0/0 <http://0.0.0.0/0>"     color="all:BLACK"                           cont
>>> 
>>> Some items are blanked out.
>>> <image.png>
>>> 
>>> When do this: filter=""     color="all:BLACK"                           cont
>>> Everything shows up. Interesting!
>>> <image.png>
>>> 
>>>> 
>>> 
>> 
>> 
>> _______________________________________________
>> argus mailing list
>> argus at qosient.com <mailto:argus at qosient.com>
>> https://pairlist1.pair.net/mailman/listinfo/argus <https://pairlist1.pair.net/mailman/listinfo/argus>
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20190719/7d051e53/attachment.html>

More information about the argus mailing list