Rahul Telang | 1 Apr 2002 22:02

argus installation

I am not able to install argus. When I run ./configure after untarring 
argus source, it says that local pcap library not found and gives an error 
message. I have untarred libpcap and Bison in the same directory as Argus.

Any idea as to what is going on?

Rahul

Chas DiFatta | 1 Apr 2002 22:15

RE: argus installation

Rahul,

Install libpcap in the same directory level as argus, or
put the libpcap libs in argus/lib, or /usr/local/lib.

	...cd

>-----Original Message-----
>From: owner-argus-info <at> lists.andrew.cmu.edu
>[mailto:owner-argus-info <at> lists.andrew.cmu.edu]On Behalf Of Rahul Telang
>Sent: Monday, April 01, 2002 12:02 PM
>To: argus <at> lists.andrew.cmu.edu
>Subject: argus installation
>
>
>I am not able to install argus. When I run ./configure after untarring
>argus source, it says that local pcap library not found and gives an error
>message. I have untarred libpcap and Bison in the same directory as Argus.
>
>Any idea as to what is going on?
>
>Rahul
>

Yotam Rubin | 1 Apr 2002 22:21

Re: argus installation

On Mon, Apr 01, 2002 at 12:15:12PM -0800, Chas DiFatta wrote:
> Rahul,
> 
> Install libpcap in the same directory level as argus, or
> put the libpcap libs in argus/lib, or /usr/local/lib.

<shameless Debian plug>
Or the Debian equivalent, apt-get build-dep argus (On testing or sid)
</shameless Debian plug>
'apt-get build-dep' retrieves the build dependencies of the specified package.

	Regards, Yotam Rubin

> 
> 	...cd
> 
> 
> >-----Original Message-----
> >From: owner-argus-info <at> lists.andrew.cmu.edu
> >[mailto:owner-argus-info <at> lists.andrew.cmu.edu]On Behalf Of Rahul Telang
> >Sent: Monday, April 01, 2002 12:02 PM
> >To: argus <at> lists.andrew.cmu.edu
> >Subject: argus installation
> >
> >
> >I am not able to install argus. When I run ./configure after untarring
> >argus source, it says that local pcap library not found and gives an error
> >message. I have untarred libpcap and Bison in the same directory as Argus.
> >
> >Any idea as to what is going on?

Rahul Telang | 1 Apr 2002 22:42

RE: argus installation

thanks

When I untar libpcap, there is no "lib" directory. There are "bpf", "lbl", 
"packaging", "sunos4" and "net" directories and tons of other .c or .h 
files. Which one should I copy to argus/lib? I notice that currently 
argus/lib is empty. I am able to configure libpcap but not install it. It 
gives some error in inet.c. I have untarred libpcap in argus as well as 
root directory but the same error persists.

-thanks

Rahul

Rahul Telang

--On Monday, April 01, 2002 12:15 PM -0800 Chas DiFatta 
<chas <at> difatta.org> wrote:

> Rahul,
>
> Install libpcap in the same directory level as argus, or
> put the libpcap libs in argus/lib, or /usr/local/lib.
>
>	 ...cd
>
>
>> -----Original Message-----
>> From: owner-argus-info <at> lists.andrew.cmu.edu
>> [mailto:owner-argus-info <at> lists.andrew.cmu.edu]On Behalf Of Rahul Telang
>> Sent: Monday, April 01, 2002 12:02 PM
>> To: argus <at> lists.andrew.cmu.edu
>> Subject: argus installation

Chas DiFatta | 1 Apr 2002 22:52

RE: argus installation

All you need is libpcap.a.  As I said, just compile and install
libpcap at the same directory level as Argus.  Cd into the argus
directory and do a,

	make clean
	./configure --without-sasl
	make

And you should be done.

	...cd

p.s. I'd install tcpwrappers at the same directory level, or at
     least put in a sym link pointing to it.

>-----Original Message-----
>From: Rahul Telang [mailto:rtelang <at> andrew.cmu.edu]
>Sent: Monday, April 01, 2002 12:43 PM
>To: chas <at> difatta.org; argus <at> lists.andrew.cmu.edu
>Subject: RE: argus installation
>
>
>thanks
>
>When I untar libpcap, there is no "lib" directory. There are "bpf", "lbl",
>"packaging", "sunos4" and "net" directories and tons of other .c or .h
>files. Which one should I copy to argus/lib? I notice that currently
>argus/lib is empty. I am able to configure libpcap but not install it. It
>gives some error in inet.c. I have untarred libpcap in argus as well as
>root directory but the same error persists.

Roy Hooper | 2 Apr 2002 01:51

Graphing methodology

I am using RRDtool to graph per-IP flow data, and wanted to verify my
methodology is sound  -- that is, the graph is representational of reality.

- I am gathering all data from the network at the egress point using argus and
archiving the files captured hourly.
- I am running ragator -c -n -G -f ipstats.conf <filter> to aggregate the flows
for 300-second intervals
- I am using the end time, IPs and in/out bytes and merging multiple instances
for the desired IP into buckets for every ceil(time/300)*300.
- I am plotting that using an absolute dataset in RRDtool.

The resulting plots appear to be fairly accurate.

---
Roy Hooper
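
The bucketing and merge steps described in the post above, as an added example (not Roy Hooper's script). The record tuple layout, the in/out direction rule and the zero-filling of empty intervals are assumptions, and the sample records are constructed.

```python
import math
from collections import defaultdict

STEP = 300  # aggregation interval in seconds, as in the post

def bucket_end(ts, step=STEP):
    """Round a flow end time up to its interval end: ceil(ts/step)*step."""
    return int(math.ceil(ts / step)) * step

def merge_flows(records, ip, step=STEP):
    """Sum bytes for `ip` per bucket; returns {bucket_end: [in_bytes, out_bytes]}.

    records: (end_time, src_ip, dst_ip, src_bytes, dst_bytes) tuples.
    Assumed direction rule: bytes sent by `ip` are "out", bytes sent to it "in".
    """
    buckets = defaultdict(lambda: [0, 0])
    for end, src, dst, src_bytes, dst_bytes in records:
        if ip == src:
            inb, outb = dst_bytes, src_bytes
        elif ip == dst:
            inb, outb = src_bytes, dst_bytes
        else:
            continue  # flow does not involve the monitored host
        slot = buckets[bucket_end(end, step)]
        slot[0] += inb
        slot[1] += outb
    return dict(buckets)

def rrd_updates(buckets, step=STEP):
    """Build "timestamp:in:out" update arguments, oldest first.

    Empty intervals get an explicit 0:0 row: an ABSOLUTE data source divides
    each value by the time since the previous update, so a skipped interval
    would smear the next bucket's bytes across the gap.
    """
    if not buckets:
        return []
    out = []
    for ts in range(min(buckets), max(buckets) + step, step):
        inb, outb = buckets.get(ts, (0, 0))
        out.append(f"{ts}:{inb}:{outb}")
    return out

# Constructed sample records (not real ragator output).
SAMPLE = [
    (1017700210.4, "10.0.0.5", "192.0.2.9", 1200, 5400),
    (1017700500.0, "192.0.2.77", "10.0.0.5", 300, 80),   # exactly on a boundary
    (1017701150.2, "10.0.0.5", "198.51.100.3", 700, 0),
    (1017700100.0, "10.0.0.8", "192.0.2.9", 999, 999),   # other host, ignored
]
```

Each string returned by rrd_updates is one argument for an rrdtool update call against an RRD with two data sources.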

Mark Poepping | 2 Apr 2002 03:53

RE: Graphing methodology


If you'd be willing to contribute the scripts and maybe the config you
use for rrd linkage, I think that may be very valuable for folks.
Either as attachments to the list or perhaps better as direct
contribution to qosient for the next release.
Mark.

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu [mailto:owner-argus-
> info <at> lists.andrew.cmu.edu] On Behalf Of Roy Hooper
> Sent: Monday, April 01, 2002 6:51 PM
> To: argus-info <at> lists.andrew.cmu.edu
> Subject: Graphing methodology
> 
> I am using RRDtool to graph per-IP flow data, and wanted to verify my
> methodology is sound  -- that is, the graph is representational of
> reality.
> 
> - I am gathering all data from the network at the egress point using
> argus and archiving the files captured hourly.
> - I am running ragator -c -n -G -f ipstats.conf <filter> to aggregate
> the flows for 300-second intervals
> - I am using the end time, IPs and in/out bytes and merging multiple
> instances for the desired IP into buckets for every ceil(time/300)*300.
> - I am plotting that using an absolute dataset in RRDtool.

mukesh agrawal | 6 Apr 2002 05:52

argus records


Hi,

I'm trying to understand some Argus dump files that I have. I've looked at
the web site and through the mailing list archives, but couldn't find the
answer to my question.

I'm looking at flows that were captured with argus, and converted to XML
with raxml. The specific question I have is "what does the
ArgusFlowRecord.Metrics.SrcAppBytes field mean?"

The reason I ask is that I have some flows in my capture for which the
SrcAppBytes value is greater than the
ArgusFlowRecord.ExtFlow.TcpExtMetrics.SrcTcpBytes value (and similarly for
DstAppBytes and DstTcpBytes). It isn't clear to me what to make of such
records.

A second question is what the meaning of the
Metrics.ArgusAgrData.Count.{Packet,Transaction} fields are.

Or a more general question: is there documentation on what the fields in
the Argus records mean?

Thanks.

Carter Bullard | 8 Apr 2002 16:51

RE: argus records

Hey Mukesh,
The answers to what all the fields mean are scattered
around, and there is a word document that describes them,
but it's out of date.  I was hoping that they were all
self explanatory ;o)  Let me answer your specific questions,
and then I'm headed for breakfast.

If we do this enough, we'll get all the fields described, 
so please keep those questions coming!

The bytes fields that are in the <Metrics> tag are all
derived from the length of the packet received on the wire.
The bytes fields that are in the <Extended TCP Metrics> tag
are all derived from the TCP headers, so there can be some
discrepancies, although they should be minor.

The AppBytes fields contain the number of bytes above the
transport layer for this flow, so it's basically
(totalbytes - (MACHdr + IP_Hdr + TransHdr)).

The TcpByte field is the number of bytes declared in the
TCP header minus the TCP header length (TCPLen - TCPHdrLen).

The TcpAckBytes are the actual number of bytes acknowledged
by the receiver, so they are successfully transported bytes.

AppBytes should always be equal to than TcpBytes (+-1), if all
the packets are seen by the Argus, and both should be greater than
TCPAckBytes, at least in theory, but there are situations where
these rules don't apply.  This is because the TCPByte and AppByte

Peter Van Epp | 12 Apr 2002 22:04

argus-2.0.5.beta.6

	With the following patch applied to include/compat.h all of
FreeBSD, OpenBSD and NetBSD are happy with argus-2.0.5.beta.6 (Open and Net
complain about redefinitions without the patch but both build successfully
anyway).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

*** include/compat.h.orig	Fri Apr 12 00:41:57 2002
--- include/compat.h	Fri Apr 12 04:44:06 2002
***************
*** 166,171 ****
--- 166,172 ----

  /* Types missing from some systems */

+ #if !defined(__NetBSD__) && !defined(__OpenBSD__)
  #ifndef	ETHERTYPE_SPRITE
  #define	ETHERTYPE_SPRITE	0x0500
  #endif
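Review bot: the `#if !defined(__NetBSD__) && !defined(__OpenBSD__)` added ahead of the ETHERTYPE_SPRITE fallback carries no comment saying why these two platforms skip the block, and its closing `#endif` only arrives about a hundred lines later in the next hunk. Each fallback shown is already wrapped in its own `#ifndef`, so a one-line comment naming the redefinition complaints being silenced would help the next reader. It is also worth confirming that the NetBSD and OpenBSD headers supply every ETHERTYPE_* constant in the guarded range, since none of these fallbacks will be defined on those systems any more.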
***************
*** 267,270 ****
--- 268,272 ----
  #endif
  #ifndef	ETHERTYPE_LOOPBACK
  #define	ETHERTYPE_LOOPBACK	0x9000
+ #endif
  #endif
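Review bot: the `#endif` added after the ETHERTYPE_LOOPBACK fallback is unlabelled and is followed directly by another bare `#endif`, which makes the nesting hard to read. Label it, for example `#endif /* !__NetBSD__ && !__OpenBSD__ */`, and check that the `#if` added in the first hunk opens inside the same outer conditional that the trailing `#endif` closes; if it opens outside it, the preprocessor will pair the two differently from what the patch intends.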
