[ARGUS] Filter out flows that start in the current ra-file?

Carter Bullard carter at qosient.com
Thu Nov 18 11:46:18 EST 2021


Hey Patrick,
This is always a complex issue when the sensor generates status records.   Which are new, which are continuations.
There is filter support that matches the cause field in each record (like you are with grep), not sure that it will do exactly what you're looking for …

   ra -r file - start

It will treat all connectionless traffic as starting and the connection oriented ones are looking for TCP flag indication of a SYN or SYNACK in this record … so you’ll get the first record of new TCP flows, but you won’t get the status records if there are multiple flow status records in the 5 minutes.   If this is a problem, run racluster on the 5 minute file to merge all status records together and use start to find the starters …

   racluster -r 5.min.file -w - | ra - start

If you want to do something more elegant and expensive, you can racluster the previous 5 minutes with this 5 minutes, and then filter for all records that started after the beginning of this 5 minute period.  That will find brand new flows that started in this 5 minute period (no carry over from the previous 5 minutes) ...

   racluster -r previous.5.min.file this.5.min.file -w - | ra -t cthis.5m.time.range

Notice that I’m using the ‘c’ comparison indication before the time range to match flows that are ‘contained’ in the time range.  If you don’t use that, you get all flows that intersect (default behavior) the time range, and that will defeat your purpose ...

Carter


> On Nov 18, 2021, at 6:57 AM, Patrick Forsberg <fors at chalmers.se> wrote:
> 
> Hi,
> 
> We collect argus data and store it in 5-minute files. That is, a file contains five minutes of argus data.
> This means that in the beginning of the file there will be a lot of flows that are continuation of something starting earlier.
> Is there an easy way to filter out only those flows that start within the file capture time?
> 
> I can do
> 
>   ra -s+cause -r rafile.ra |grep -v Status
> 
> and get text output that omits the flows that are continuations, but I would much prefer if it's possible to do it "before the pipe"
> 
> Hope I'm making sense here.
> 
> /Patrick
> 
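The three strategies discussed in the thread (the `start` filter on per-file records, racluster merging of status records, and `-t` time-range matching with and without the `c` "contained" modifier), as an added Python emulation. This is not argus code and not from the argus project: the flow key is reduced to a label, TCP flag handling is simplified to "a SYN was seen in this record", and the previous/current 5-minute files are constructed sample records.

```python
"""Emulation of the argus filtering strategies from the thread.
Illustrative only: record semantics are simplified, data is constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass
class Record:
    flow: str        # stands in for the real 5-tuple flow key (constructed label)
    proto: str       # "tcp" or "udp"
    start: datetime  # first packet time covered by this record
    last: datetime   # last packet time covered by this record
    flags: str       # TCP flags seen in this record; "S" = SYN (simplified)
    cause: str       # record cause as printed by `ra -s +cause`: Start/Status/Stop


def start_filter(records: List[Record]) -> List[Record]:
    """Emulates `ra - start`: connectionless records always match, TCP records
    match only when this particular record saw a SYN (or SYN/ACK)."""
    return [r for r in records if r.proto != "tcp" or "S" in r.flags]


def racluster(records: List[Record]) -> List[Record]:
    """Emulates racluster with its default flow key: all records of one flow are
    merged into a single record spanning the earliest start and latest last time."""
    merged = {}
    for r in records:
        m = merged.get(r.flow)
        if m is None:
            merged[r.flow] = Record(r.flow, r.proto, r.start, r.last, r.flags, r.cause)
        else:
            m.start = min(m.start, r.start)
            m.last = max(m.last, r.last)
            m.flags += r.flags
    return list(merged.values())


def time_range(records: List[Record], win_start: datetime, win_end: datetime,
               contained: bool = False) -> List[Record]:
    """Emulates `ra -t <range>` (default: flow intersects the window) and
    `ra -t c<range>` (flow must lie entirely inside the window)."""
    if contained:
        return [r for r in records if win_start <= r.start and r.last <= win_end]
    return [r for r in records if r.start <= win_end and r.last >= win_start]


def new_flows(prev: List[Record], this: List[Record],
              win_start: datetime, win_end: datetime) -> List[Record]:
    """The 'elegant and expensive' approach: cluster previous + current file,
    then keep only flows contained in the current window."""
    return time_range(racluster(prev + this), win_start, win_end, contained=True)


def labels(records: List[Record]) -> List[str]:
    return sorted(r.flow for r in records)


def t(hhmm: str) -> datetime:
    return datetime(2021, 11, 18, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample data: the current file covers 06:00-06:05.
WIN_START, WIN_END = t("06:00"), t("06:05")
PREV = [  # previous 5-minute file (05:55-06:00)
    Record("A", "udp", t("05:58"), t("06:00"), "", "Start"),
    Record("C", "tcp", t("05:57"), t("06:00"), "SA", "Start"),
]
THIS = [  # current 5-minute file (06:00-06:05)
    Record("A", "udp", t("06:00"), t("06:02"), "", "Status"),   # continuation of A
    Record("B", "tcp", t("06:01"), t("06:03"), "SAF", "Start"),  # brand new flow
    Record("C", "tcp", t("06:00"), t("06:05"), "A", "Status"),   # continuation of C
    Record("D", "tcp", t("06:04"), t("06:05"), "SA", "Start"),   # new, still open
]

if __name__ == "__main__":
    print("ra - start on current file:      ", labels(start_filter(THIS)))
    print("racluster prev+this | ra -t c...:", labels(new_flows(PREV, THIS, WIN_START, WIN_END)))
    print("racluster prev+this | ra -t ...: ",
          labels(time_range(racluster(PREV + THIS), WIN_START, WIN_END)))
```

Running it shows the point of the reply: the `start` filter still passes the UDP continuation A (connectionless records are always treated as starting), whereas clustering both files and using the contained comparison keeps only B and D, and the default intersect comparison returns all four flows.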