[ARGUS] Argus error in packet size and bytes

Dave dedelman at iname.com
Tue May 31 11:19:01 EDT 2022 

I use this command line on a regular basis to do the conversion from cap or pack-ng to the Argus flow format. Try creating the Argus file then read that with ra to see if things get better. The -X flag as the first parameter sometimes works miracles 


/usr/local/sbin/argus -X -A -Z -m -R -J -U 2048 -r pcap.pcap -w capture.argus

—Dave

> On May 31, 2022, at 9:28 AM, Carter Bullard <carter at qosient.com> wrote:
> 
> Hey Sehan,
> There are a few questions to go through …
> 
> What version are you using ?  … the current version is 3.0.8.4, be sure and get the latest software releases from https://github.com/openargus <https://github.com/openargus>
> How are you running argus ?
> How are you running ra ? … 
> 
> in your earlier off-list emails, you sent a screenshot where the pkts and bytes fields had no values  … this is normally an argus / client version mismatch problem or you processed the .argus file and stripped the metrics dsr out of the records … getting the latest code should help.  The INT you see is the value for ’state’ field.  To see that the fields are blank, you can print as a CSV …
>    % ra -r loic.argus -c ,
> 
> Have you processed the files with other ra* commands ???  That could account for the missing metrics values ...
> 
> If it is a complete mystery, then if you can share the pcap file that generates the error, I can take a look ...
> 
> Carter
> 
>> On May 31, 2022, at 6:43 AM, Sehan Samarakoon <sehan6996 at gmail.com <mailto:sehan6996 at gmail.com>> wrote:
>> 
>> Hi,
>> 
>> I have been using argus tool to convert a pcap into the argus file format. However, I'm getting an error "ArgusGenerateRecordStruct: pre ARGUS_DATA_DSR len is zero" when I read through the command ra. In addition, I'm also not getting any values for pkts and bytes fields in some of the flows. Instead it prints as INT. 
>> 
>> I would be really grateful to you if you can tell me if there is any way to overcome this / anything I'm doing wrong? I have been searching through internet for a very long time, only to be unsuccessful. Your response is highly appreciated.
>> 
>> Thank you
>> Best Regards,
>> Sehan Samarakoon
>> 
>> 
>> _______________________________________________
>> argus mailing list
>> argus at qosient.com <mailto:argus at qosient.com>
>> https://pairlist1.pair.net/mailman/listinfo/argus
> 
> _______________________________________________
> argus mailing list
> argus at qosient.com
> https://pairlist1.pair.net/mailman/listinfo/argus

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20220531/dbb54826/attachment-0001.htm>

More information about the argus mailing list