[ARGUS] Argus error in packet size and bytes

Carter Bullard carter at qosient.com
Sun Jun 5 10:05:52 EDT 2022


Hey Sehan,
Argus will not generate flow records that have zero packets or zero bytes so something is not right.   The problem could be argus or how you are using the tools.  You should describe how you generate the records and any processing that you are doing.   

If you are starting with a pcap file, if you can share the file, we can see if your problem is repeatable.

Please read the ra.1 manual ...
   % man ra

and it will explain what INT means.

Carter
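
A quick way to verify Carter's statement (argus does not emit records with zero packets or zero bytes) on your own output is to scan `ra` output for records whose packet or byte column is empty or zero and report them together with their state. The script below is an added example, not part of the argus distribution or this thread; it assumes the records were produced with `ra -c , -s stime flgs proto saddr sport dir daddr dport pkts bytes state` (comma delimiter, that field order), and the sample records embedded in it are constructed, not real captures.

```shell
#!/bin/sh
# Constructed sample of ra output (assumed invocation:
#   ra -r argus.file -c , -s stime flgs proto saddr sport dir daddr dport pkts bytes state
# ). Column order: 1 stime, 2 flgs, 3 proto, 4 saddr, 5 sport, 6 dir,
# 7 daddr, 8 dport, 9 pkts, 10 bytes, 11 state.
RA_SAMPLE='StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
2022-06-05 10:00:01.123, e ,tcp,192.0.2.10,51234,->,198.51.100.5,443,12,4096,CON
2022-06-05 10:00:02.456, e ,udp,192.0.2.11,53001,->,198.51.100.53,53,2,180,CON
2022-06-05 10:00:03.789,   ,tcp,192.0.2.12,40000,->,198.51.100.7,80,,,INT
2022-06-05 10:00:04.000, e ,tcp,192.0.2.13,40001,->,198.51.100.8,22,0,0,INT'

# find_suspect_records: reads comma-delimited ra output on stdin and prints
# "state<TAB>record" for every record whose pkts or bytes column is empty
# or zero. Header lines (not starting with a digit) are skipped.
find_suspect_records() {
    awk -F',' '
        /^[0-9]/ {
            pkts = $9; bytes = $10; state = $11
            gsub(/ /, "", pkts); gsub(/ /, "", bytes); gsub(/ /, "", state)
            if (pkts == "" || bytes == "" || pkts + 0 == 0 || bytes + 0 == 0)
                print state "\t" $0
        }'
}

# count_suspect_records: number of such records, for a quick sanity check.
count_suspect_records() {
    n=$(find_suspect_records | wc -l)
    echo "$n" | tr -d ' '
}

# Usage on a real file (not run here, argus is not assumed to be installed):
#   ra -r argus.file -c , -s stime flgs proto saddr sport dir daddr dport pkts bytes state \
#       | find_suspect_records
printf '%s\n' "$RA_SAMPLE" | find_suspect_records
```

If the count is non-zero on your own `ra` output, the offending records (and the pcap they came from) are what to share on the list.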


> On Jun 5, 2022, at 3:27 AM, Sehan Samarakoon <sehan6996 at gmail.com> wrote:
> 
> 
> And in all of them 'e' is not there under flags too. Is this due to some information missing in the packets?
> 
> -Sehan
> 
>> On Sun, 5 Jun 2022 at 10:22, Sehan Samarakoon <sehan6996 at gmail.com> wrote:
>> Hi Carter,
>> 
>> Finally got it to work on my Mac. Thank you for your help. The "pre ARGUS_DATA_DSR len is zero" issue is now sorted. However, i'm still getting some flows as INT and in all of them, the packet size and no of bytes fields are empty. Do you have any idea what could be the issue? What does the state 'INT' actually mean? This happens with flows that have state 'INT' only.
>> 
>> -Sehan
>> 
>>> On Fri, 3 Jun 2022 at 17:00, Carter Bullard <carter at qosient.com> wrote:
>>> Hey Sehan,
>>> There are many methods for managing software on Linux machines.  By downloading the source, and using ‘make install’, you are avoiding all of those systems, so ‘dpkg’ won’t ‘know’ that the software is installed.  Working with source is a good thing for an investigator … you’re now a developer rather than a user :O)
>>> 
>>> There is a file in each of the distributions that describes these concepts, like the README file and the INSTALL file.  Take a look ...
>>> 
>>> By default, argus will install all of its code into the /usr/local directories.
>>>    % cd /usr/local
>>>    % ls
>>> 
>>> If your ‘make install’ was successful, you should see the bin and sbin subdirectories in /usr/local.  Argus is in the sbin directory (system binary) and the clients are all in the bin directory.
>>> You can run programs like ‘ra’ by providing the complete path in your command …
>>> 
>>>    % /usr/local/bin/ra -r argus.file
>>> 
>>> You may need to add /usr/local/bin and /usr/local/sbin directories to your PATH variable (added to .bashrc, or .profile in your home directory), 
>>> 
>>> You can have argus change where it installs things.  If you would rather argus install its software in the system /usr/sbin and /usr/bin directories, try this:
>>>    % make uninstall
>>>           This will remove the current software
>>> 
>>>    % ./configure --prefix=/usr
>>>    % make install
>>> 
>>> Do look at the output of the make program calls, as the information is very useful and possibly instructional.
>>> If you would like it to install in the /opt directory structure, then change the ‘/usr’ in the above configure call to ‘/opt’.
>>> 
>>>  Carter
>>> 
>>> 
>>>> On Jun 3, 2022, at 8:51 AM, Sehan Samarakoon <sehan6996 at gmail.com> wrote:
>>>> 
>>>> Hi Carter,
>>>> 
>>>> The installation issue is ok now. It got installed with 'make install'. But argus package is not showing under dpkg list yet. And argus commands are not working. It says its not installed and asking to be installed with 'apt'. Is there a specific location that I should clone it? Are there any environment variables to be adjusted?
>>>> 
>>>> Sehan
>>>> 
>>>>> On Thu, 2 Jun 2022 at 17:17, Carter Bullard <carter at qosient.com> wrote:
>>>>> Hey Sehan,
>>>>> You aren’t doing anything wrong … my bad … I didn’t finish a needed change in master for the mysql code … for some reason my test machine didn’t have mysql installed …
>>>>> OK fetch and pull the code from GitHub again and all should be well ...
>>>>> 
>>>>> Carter
>>>>> 
>>>>> 
>>>>>> On Jun 1, 2022, at 9:14 AM, Sehan Samarakoon <sehan6996 at gmail.com> wrote:
>>>>>> 
>>>>>> Hi Carter,
>>>>>> 
>>>>>> Thanks for the reply. I'm running argus on a Kali linux and was only able to install argus through "sudo apt-get install". So I have been using the version 3.0.8.2 as shown in here.
>>>>>> <argus_ver.png>
>>>>>> I have been trying to get the source code from github but the following message is given and argus is not installed when I give the "make" command.
>>>>>> 
>>>>>> <Screenshot_2022-06-01_09-05-37.png>
>>>>>> Any idea what I'm doing wrong?
>>>>>> 
>>>>>> -Sehan
>>>>>> 
>>>>>> 
>>>>>> 
>>> 