From argus-info at lists.andrew.cmu.edu Wed Dec 3 15:41:37 2025
From: argus-info at lists.andrew.cmu.edu (Michael Sanderson via Argus-info)
Date: Wed, 3 Dec 2025 12:41:37 -0800
Subject: [ARGUS] Did aggregation record count (-s trans) behaviour change between v3 and v5?
Message-ID:

Hi Carter.

I had an ra tools pipeline in v3 that would give me (perhaps imperfect) counts of the number of external IP addresses an internal host talked to. I think that the key piece of that pipeline was the use of the aggregation record count (-s trans) and I'm curious if there has been an intentional behaviour change for that count between v3 and v5. (In all honesty, this pipeline likely dates back to argus 2 and Peter van Epp from Simon Fraser University, if that name still rings a bell for you.)

    #!/bin/sh
    # Top list of talkers, excluding busy public-facing servers.
    #
    # Select flows sourcing from OUR_NET that are not in the SERVERS_FILE - i.e. exclude our busy public-facing services
    # First aggregate by source and destination, "-M norep" so that each row is a single transaction
    # Aggregate by source, calculating the session stats so "trans" is the number of connections to distinct hosts made by each source
    # Sort by "trans" to find the worst scanners
    # Output result

    OUR_NET="W.X.Y.Z/N"

    ra -w - "$@" |
      rafilteraddr -m saddr -vf $SERVERS_FILE -r - -w - - \
        \( syn or not tcp \) and \
        src net \( $OUR_NET \) and \
        not \( dst net $OUR_NET \) |
      racluster -M norep -m smac dmac saddr daddr -r - -w - |
      racluster -m smac saddr -r - -w - |
      rasort -m trans -r - -w - |
      ra -L-1 -s trans saddr -r -

In v3, this would produce output like

      423 W.X.6.71
      328 W.X.55.202
      293 W.X.5.95
      248 W.X.25.30
      237 W.X.25.15
      ...

With v5, I'm getting

        1 W.X.2.253
        1 W.X.3.253
        1 W.X.4.253
        1 W.X.5.253
        1 W.X.6.253
        1 W.X.7.253
        1 W.X.8.253
        ...

If I recall correctly, if I put a "ra -s +trans -r -" after any of the pipes, v5 always gives a trans value of 1. Is this expected?
Michael Sanderson Department of Computer Science The University of British Columbia
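Added example (not from the post or the argus project): a portable re-implementation of what the pipeline above is meant to compute, the number of distinct external destinations per internal source, so that v3 and v5 output can be cross-checked against a known answer. It assumes constructed flow records with only saddr, daddr, proto and a synthetic syn flag (the smac/dmac keys of the first racluster step are omitted), and stand-in values for OUR_NET and SERVERS_FILE.

```python
# Added example, not the mailing-list pipeline itself: computes the "trans"
# the poster expects (distinct destinations per source) from constructed records.
import ipaddress
from collections import defaultdict

OUR_NET = ipaddress.ip_network("192.0.2.0/24")      # stands in for W.X.Y.Z/N
SERVERS = {ipaddress.ip_address("192.0.2.10")}        # stands in for SERVERS_FILE

# Constructed flow records: (saddr, daddr, proto, syn_seen)
FLOWS = [
    ("192.0.2.71", "198.51.100.1", "tcp", True),
    ("192.0.2.71", "198.51.100.2", "tcp", True),
    ("192.0.2.71", "198.51.100.2", "tcp", True),   # repeat: must not inflate count
    ("192.0.2.71", "198.51.100.3", "udp", False),  # not tcp: kept
    ("192.0.2.71", "198.51.100.4", "tcp", False),  # tcp without syn: filtered out
    ("192.0.2.10", "198.51.100.5", "tcp", True),   # listed server: excluded
    ("192.0.2.55", "192.0.2.99", "tcp", True),     # internal destination: excluded
    ("192.0.2.55", "198.51.100.6", "tcp", True),
    ("203.0.113.9", "198.51.100.7", "tcp", True),  # not sourced from OUR_NET
]

def keep(saddr, daddr, proto, syn):
    """Mirror rafilteraddr -vf SERVERS_FILE plus the ra filter expression."""
    s, d = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    if s in SERVERS:                      # rafilteraddr -m saddr -vf SERVERS_FILE
        return False
    if not (syn or proto != "tcp"):       # ( syn or not tcp )
        return False
    return s in OUR_NET and d not in OUR_NET   # src net OUR_NET and not dst net OUR_NET

def distinct_peers(flows):
    """Equivalent of racluster -M norep -m saddr daddr | racluster -m saddr,
    reading 'trans' as the number of distinct destinations per source."""
    pairs = {(s, d) for s, d, p, y in flows if keep(s, d, p, y)}  # norep: one row per pair
    counts = defaultdict(int)
    for s, _ in pairs:
        counts[s] += 1
    # rasort -m trans: highest count first, address as tie-breaker
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for saddr, trans in distinct_peers(FLOWS):
        print(f"{trans:>5} {saddr}")   # same layout as "ra -L-1 -s trans saddr"
```

Feeding the same records through the real pipeline should reproduce these counts; a column of 1s means the aggregation is no longer collapsing per-source rows the way the script assumes.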