[ARGUS] Ratop missing

Carter Bullard carter at qosient.com
Sat Feb 22 11:14:36 EST 2025


Hey Monah,

All clients can print country codes on output but that doesn’t add the country codes to the records, which is key to filtering, sorting, or aggregating on them.  In these cases, the values need to be inserted in the records.  The best way to add them to the flow record is having radium label the records, so your approach is the right strategy …

When I see this kind of mystery, usually I have radium connecting to itself, and no data is generated … (especially if there is a system radium, and I’m trying to do something else) … best way is to run your radium with some debugging (without the -d) …
   % radium -D3 -S localhost:562 -P 561 -e `hostname`

That should give away some secrets ...

If you are setting something on the command line and using the /etc/argus.conf or /etc/radium.conf, there could be some conf collision with your command line options.  This is not the usual case, so I would suspect you have another radium …

Ratop, because of curses, can do some weird stuff like blank screens (I get this sometimes trying to read from mysql tables) … What happens when you connect ra to port 561 …
   % ra -S localhost

Carter


> On Feb 22, 2025, at 7:09 AM, Monah Baki <monahbaki at gmail.com> wrote:
> 
> Hello Carter
> 
> Need some help displaying country codes when I run ratop (debian 12). Had this issue a while back when running version 3.x, and I went back to my emails and did exactly what my notes said for it to work.
> 
> I have the following:
> /etc/ralabel.conf
> RALABEL_ARIN_COUNTRY_CODES=yes
> RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"
> 
> /etc/radium.conf
> RADIUM_CLASSIFIER_FILE=/etc/ralabel.conf
> 
>  /usr/local/sbin/argus -m -U 256 -i enp1s0 -P 562 -d
>  radium -S localhost:562 -P 561 -d -e `hostname`
>  ratop -S localhost:561 -s stime proto saddr sport daddr dport trans sload psize sco dco
> 
> If I run ratop on port 562, I see the output, with 561, screen is blank.
> 
> 
> Thanks
> Monah
>
> On Fri, Feb 21, 2025 at 3:33 PM Carter Bullard <carter at qosient.com> wrote:
>> No problem !!!
>> Carter
>> 
>>> On Feb 20, 2025, at 6:47 PM, Monah Baki <monahbaki at gmail.com> wrote:
>>> 
>>> never mind, forgot to install in debian libreadline-dev
>>> 
>>> On Thu, Feb 20, 2025 at 9:00 AM Monah Baki <monahbaki at gmail.com> wrote:
>>>> Hello everyone,
>>>> 
>>>> I downloaded and compiled argus/client and I can't seem to find ratop, has it been replaced by another program?
>>>> 
>>>> Thanks
>>>> Monah
>> 
