[ARGUS] Did aggregation record count (-s trans) behaviour change between v3 and v5?

[Michael Sanderson via Argus-info]

Hi Carter.  I had an ra tools pipeline in v3 that would give me (perhaps imperfect) counts of the number of external IP addresses an internal host talked to.  I think that the key piece of that pipeline was the use of the aggregation record count (-s trans) and I'm curious if there has been an intentional behaviour change for that count between v3 and v5.

(In all honesty, this pipeline likely dates back to argus 2 and Peter van Epp from Simon Fraser University, if that name still rings a bell for you.)

#!/bin/sh
# Top list of talkers, excluding busy public-facing servers.
#
# Select flows sourcing from OUR_NET that are not in the SERVERS_FILE - i.e. exclude our busy public-facing services
# First aggregate by source and destination, "-M norep" so that each row is a single transaction
# Aggregate by source, calculating the session stats so "trans" is the number of connections to distinct hosts made by each source
# Sort by "trans" to find the worst scanners
# Output result

OUR_NET="W.X.Y.Z/N"

ra -w - "$@" |
rafilteraddr -m saddr -vf $SERVERS_FILE -r - -w - - \
\( syn or not tcp \) and \
src net \( $OUR_NET \) and \
not \( dst net $OUR_NET \) |
racluster -M norep -m smac dmac saddr daddr -r - -w - |
racluster -m smac saddr -r - -w - |
rasort -m trans -r - -w - |
ra -L-1 -s trans saddr -r -


In v3, this would produce output like

  423       W.X.6.71
  328     W.X.55.202
  293       W.X.5.95
  248      W.X.25.30
  237      W.X.25.15
   ...

With v5, I'm getting

    1      W.X.2.253
    1      W.X.3.253
    1      W.X.4.253
    1      W.X.5.253
    1      W.X.6.253
    1      W.X.7.253
    1      W.X.8.253
     ...


If I recall correctly, if I put a "ra -s +trans -r -" after any of the pipes, v5 always gives a trans value of 1.  Is this expected?

    Michael Sanderson
    Department of Computer Science
    The University of British Columbia