Carter Bullard | 2 Aug 19:29 2002

RE: Established connections

Hey Wozz,
   "tcp and est and not \(fin or finack or reset\)"

you'll want to use ragator first to merge
all the flows together and then:

   ragator -w - -r file | ra tcp and est and not \(fin or finack or
reset\)

to pick out the open flows.

Carter

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu 
> [mailto:owner-argus-info <at> lists.andrew.cmu.edu] On Behalf Of 
> wozz <at> 0xdeadbeef.org
> Sent: Monday, July 29, 2002 1:57 PM
> To: argus-info <at> lists.andrew.cmu.edu
> Subject: Established connections
> 
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> If my assumption is correct, The 'est' keyword in a filter is 
> going to show me flows that were established.  Is there a way 
> to only show flows that are CURRENTLY established?  In other 
> words, the connection was established, and no fin/rst has 
(Continue reading)

Carter Bullard | 2 Aug 19:29 2002

RE: Ragator 'flows'

Hey Russell,
   You are getting 10 records because you have a status timer
of 300 seconds in your flow description.  They are coming out
of ragator sorted in an order other than start time, so it looks
a little confusing, but you are getting 5 minute status reports
on your aggregated flow.  If you want to process the whole file
and generate only one record per aggregated flow, you should
have the status timer field be 0. 

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street
Suite 18K
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu 
> [mailto:owner-argus-info <at> lists.andrew.cmu.edu] On Behalf Of 
> Russell Fulton
> Sent: Tuesday, July 30, 2002 10:40 PM
> To: argus-info <at> lists.andrew.cmu.edu
> Subject: Ragator 'flows'
> 
> 
> 
(Continue reading)
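Added worked example (mine, not code from the list or from argus-clients) for the two threads above: the "currently established" filter only gives the right answer after ragator has merged the per-status-interval records, because a status timer of 300 s emits a record every five minutes and only the last one of a closed flow carries the FIN or RST. The record layout and the EST/FIN/FINACK/RST state tags below are a constructed simplification of ra(1) output, not argus's own encoding.

```python
from collections import defaultdict

# Constructed records (not real argus output), simplified ra-style fields:
# (stime, proto, saddr, sport, daddr, dport, spkts, dpkts, sbytes, dbytes, state)
# stime in seconds; state is a set of constructed TCP state tags.
RECORDS = [
    # flow 1: ssh session reported in 300 s status intervals, FIN in the third
    (0,   "tcp", "10.0.0.5", 40001, "10.0.0.9", 22, 120, 118,  9000, 30000, {"EST"}),
    (300, "tcp", "10.0.0.5", 40001, "10.0.0.9", 22, 150, 149, 12000, 41000, {"EST"}),
    (600, "tcp", "10.0.0.5", 40001, "10.0.0.9", 22,  10,   9,   600,   900, {"EST", "FIN"}),
    # flow 2: still open, no close seen in any interval
    (100, "tcp", "10.0.0.7", 51000, "10.0.0.9", 443, 40, 38, 3000, 20000, {"EST"}),
    (400, "tcp", "10.0.0.7", 51000, "10.0.0.9", 443,  5,  5,  400,   500, {"EST"}),
    # flow 3: reset
    (50,  "tcp", "10.0.0.8", 33000, "10.0.0.9", 80, 3, 2, 200, 100, {"EST", "RST"}),
    # flow 4: udp, never a candidate
    (70,  "udp", "10.0.0.8", 5353, "10.0.0.9", 53, 1, 1, 60, 120, set()),
]

FIELDS = ("stime", "proto", "saddr", "sport", "daddr", "dport",
          "spkts", "dpkts", "sbytes", "dbytes", "state")


def as_dicts(records):
    return [dict(zip(FIELDS, r)) for r in records]


def key(r):
    # the 5-tuple ragator aggregates on
    return (r["proto"], r["saddr"], r["sport"], r["daddr"], r["dport"])


def merge(records):
    """ragator-like merge with status timer 0: one record per 5-tuple,
    counters summed, earliest start kept, state tags unioned."""
    out = {}
    for r in records:
        k = key(r)
        if k not in out:
            out[k] = dict(r, state=set(r["state"]))
            continue
        m = out[k]
        m["stime"] = min(m["stime"], r["stime"])
        for f in ("spkts", "dpkts", "sbytes", "dbytes"):
            m[f] += r[f]
        m["state"] |= r["state"]
    return list(out.values())


def is_open(r):
    # the filter from the thread: tcp and est and not (fin or finack or reset)
    s = r["state"]
    return r["proto"] == "tcp" and "EST" in s and not (s & {"FIN", "FINACK", "RST"})


def open_flows(records):
    """Correct answer: filter after merging."""
    return sorted(key(r) for r in merge(records) if is_open(r))


def open_flows_unmerged(records):
    """Wrong answer: filtering raw status records lists flow 1 as open,
    because its first two interval records carry only EST."""
    return sorted({key(r) for r in records if is_open(r)})


def status_records_per_flow(records):
    """Why Russell saw several records per flow: one per status interval."""
    c = defaultdict(int)
    for r in records:
        c[key(r)] += 1
    return dict(c)


if __name__ == "__main__":
    recs = as_dicts(RECORDS)
    print("merged+filtered:", open_flows(recs))
    print("unmerged:", open_flows_unmerged(recs))
    print("records per flow:", status_records_per_flow(recs))
```

Running it shows the unmerged filter reporting two "open" flows where only one is really open; that is the difference the `ragator -w - | ra ...` pipeline is there to remove.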

Carter Bullard | 2 Aug 19:29 2002

RE: Just plain confused (WAS RE: confused about racount)

Hey Andrew,
Use ramon to give you the data that you want.
If you want to see stats for all the services
(ie dst port based services):

   ramon -r file -M svc

If you want to see all the client server stats
for http traffic:

   ramon -r file -M matrix - dst port 80

or whatever port you are interested in.
if you want to know the in and out packets for
each client to a specific web server:

   ramon -r file -M topn - host server and port 80

ramon provides RMON style stats from argus data, and
it's a good introduction, since most people are expecting
RMON like data.  You will find that you move away from
these stats pretty quick, as there are much more
interesting information, like how many TCP connections
in the last hour, with initiator resets, how many .jpg
files were requested, that kind of thing.

For background info:

Argus data does generate a little confusion at first,
as it is a different way of looking at network traffic.
(Continue reading)
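Added example (my own Python, not ramon's source) of what the three ramon modes above compute: a per-destination-port service table (svc), per src/dst pair totals restricted to a port (matrix), and a client ranking with in/out packets relative to one server (topn). The flow records are constructed and keep only the fields needed; real argus records also carry sport, which this example ignores.

```python
from collections import defaultdict

# Constructed flow records (not argus output):
# (saddr, daddr, dport, spkts, dpkts, sbytes, dbytes)
# spkts/sbytes go from saddr to daddr, dpkts/dbytes come back.
FLOWS = [
    ("10.0.0.5", "10.0.0.9",  80, 10,  8, 1500, 12000),
    ("10.0.0.6", "10.0.0.9",  80, 20, 25, 3000, 40000),
    ("10.0.0.5", "10.0.0.9",  80,  4,  3,  400,  2000),   # second flow, same pair
    ("10.0.0.7", "10.0.0.9", 443, 15, 14, 2000,  9000),
    ("10.0.0.9", "10.0.0.1",  53,  1,  1,   60,   120),   # server doing a lookup
]

COUNTERS = ("spkts", "dpkts", "sbytes", "dbytes")


def _accumulate(table, k, flow):
    for i, name in enumerate(COUNTERS):
        table[k][name] += flow[3 + i]


def svc(flows):
    """ramon -M svc: totals per destination port (port-based service)."""
    table = defaultdict(lambda: dict.fromkeys(COUNTERS, 0))
    for f in flows:
        _accumulate(table, f[2], f)
    return dict(table)


def matrix(flows, dport=None):
    """ramon -M matrix - dst port N: totals per (src, dst) address pair."""
    table = defaultdict(lambda: dict.fromkeys(COUNTERS, 0))
    for f in flows:
        if dport is None or f[2] == dport:
            _accumulate(table, (f[0], f[1]), f)
    return dict(table)


def topn(flows, server, dport, n=10):
    """ramon -M topn - host server and port N: clients talking to server:port,
    ranked by total packets, with packets out of and into each client."""
    out_pkts = defaultdict(int)
    in_pkts = defaultdict(int)
    for sa, da, dp, spk, dpk, _, _ in flows:
        if da == server and dp == dport:
            out_pkts[sa] += spk   # client -> server
            in_pkts[sa] += dpk    # server -> client
    ranked = sorted(out_pkts, key=lambda c: out_pkts[c] + in_pkts[c], reverse=True)
    return [(c, out_pkts[c], in_pkts[c]) for c in ranked[:n]]


if __name__ == "__main__":
    print(svc(FLOWS))
    print(matrix(FLOWS, dport=80))
    print(topn(FLOWS, "10.0.0.9", 80))
```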

wozz+argus | 2 Aug 22:53 2002


Re: Established connections

On Fri, Aug 02, 2002 at 01:29:49PM -0400, Carter Bullard wrote:
> Hey Wozz,
>    "tcp and est and not \(fin or finack or reset\)"
> 
> you'll want to use ragator first to merge
> all the flows together and then:
> 
>    ragator -w - -r file | ra tcp and est and not \(fin or finack or
> reset\)
> 
> to pick out the open flows.
> 

Great, thanks!

Andrew Pollock | 5 Aug 07:09 2002

Argus logfile consistency checker?

Hi,

I had my test server crash the other day, and the argus.log file from that day
causes the r tools to segfault after reading partway through the file.

Is there any way I can salvage the usable portion of the logfile?

Andrew

Carter Bullard | 5 Aug 12:50 2002

RE: Argus logfile consistency checker?

Hey Andrew,
   You can save the file up to the error record by just
running ra:

   ra -r bad.file -w newfile

but we don't have anything for getting the rest of the
file.  If your file isn't too large ( < 100M) , I can
give recovery a try.  We haven't had that many corrupt
files to push for any recovery strategies, but it
shouldn't be that hard to do.

Any idea how the file got corrupted?  So far, 90%
of all corrupt files have been two argi writing to
the same file, which is not a good thing to do.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street
Suite 18K
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu 
> [mailto:owner-argus-info <at> lists.andrew.cmu.edu] On Behalf Of 
(Continue reading)
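Added example, my own code and not an argus tool, showing the two recovery strategies the reply above distinguishes: stopping at the first bad record (what `ra -r bad.file -w newfile` does) versus skipping the damaged bytes and resynchronising on the next record that validates (what the list did not have). The on-disk layout of argus records is not described here, so the example uses a constructed record format (a 4-byte magic, a 2-byte length, the payload and a one-byte XOR checksum); the corrupt stream is built inline to look like the interleaved-writer damage Carter mentions, with one record cut short by another one landing in the middle of it.

```python
MAGIC = b"ARGR"   # hypothetical record marker, not argus's


def encode(payload: bytes) -> bytes:
    """Frame one record in the constructed format."""
    chk = 0
    for b in payload:
        chk ^= b
    return MAGIC + len(payload).to_bytes(2, "big") + payload + bytes([chk])


def read_record(buf: bytes, pos: int):
    """Return (payload, next_pos) for a valid record at pos, else None."""
    if buf[pos:pos + 4] != MAGIC or pos + 6 > len(buf):
        return None
    n = int.from_bytes(buf[pos + 4:pos + 6], "big")
    end = pos + 6 + n + 1
    if end > len(buf):
        return None
    payload = buf[pos + 6:pos + 6 + n]
    chk = 0
    for b in payload:
        chk ^= b
    if chk != buf[end - 1]:
        return None
    return payload, end


def salvage_prefix(buf: bytes):
    """Keep everything up to the first record that fails to parse."""
    out, pos = [], 0
    while pos < len(buf):
        r = read_record(buf, pos)
        if r is None:
            break
        out.append(r[0])
        pos = r[1]
    return out


def salvage_resync(buf: bytes):
    """Skip damaged bytes and resume at the next marker that yields a valid
    record; the checksum rejects markers that merely occur inside data.
    Returns (payloads, bytes_skipped)."""
    out, pos, skipped = [], 0, 0
    while pos < len(buf):
        r = read_record(buf, pos)
        if r is None:
            nxt = buf.find(MAGIC, pos + 1)
            if nxt < 0:
                skipped += len(buf) - pos
                break
            skipped += nxt - pos
            pos = nxt
            continue
        out.append(r[0])
        pos = r[1]
    return out, skipped


def build_corrupt_stream() -> bytes:
    """Constructed test input: six records, the fourth cut off after 9 bytes
    by a second writer's record landing in the middle of it."""
    recs = [encode(b"flow%d" % i for i in [i])[0] if False else encode(b"flow%d" % i)
            for i in range(6)]
    return recs[0] + recs[1] + recs[2] + recs[3][:9] + recs[4] + recs[5]


if __name__ == "__main__":
    stream = build_corrupt_stream()
    print("prefix only:", salvage_prefix(stream))
    print("with resync:", salvage_resync(stream))
```

The prefix strategy loses every record after the damage; the resync strategy loses only the damaged one. A resync is only as trustworthy as the per-record validation, which is why the constructed format carries a checksum.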

David J Brumley | 12 Aug 18:40 2002

ARGUS list archive

Hello All,
As you may know, I archive the argus mailing list at
http://www.theorygroup.com.  I also archive the YASSP and UNISOG
mailing list there also.

Securify has always been generous enough to provide the machine and
host the server.  Recently they've decided to discontinue this service
in order to cut costs.

Due to this event, I'm now looking for someone to recommend a low cost
colo, or perhaps volunteer a server to host this site or DNS zone.
I'd rather keep the site on a dedicated server, as it would be
embarrassing to have the site inadvertently hacked. In any case, you
may notice some down time as I move the service.

In other news, I no longer work for Stanford security. I've chosen
to put my efforts into full time research with the CS department at
Stanford.  

Cheers,
David
-- 
David Brumley
650.723.2445

shadgun | 15 Aug 09:44 2002

Data Visualization

Hello All,

I am seeking options to visually display data that argus captures. 
The goal is some visual representation of the amount of P2P/IM traffic that
is passing through a given interface. A quick perusal of the mailing list 
unearthed several possibilities, however I don't see explicit detail on these...

I am capturing data using the following command-line:
/usr/local/sbin/argus -P 561 -U 128 -JRS 30 -w argus.out

I have attempted to use ragraph from the argus-clients package, but I
get the following message:
ragraph -M hourly -r argus.out - tcp and dst port 1080 or dst port 1214 or dst port 5517 or dst port 8000 or dst
port 8016 or dst port 8080 or dst port 8085 or dst port 8200 or dst port 8600
/usr/local/bin/ragraph: unable to update `/tmp/ragraph-histogram.rrd': illegal attempt to update
using time 0 when last update time is 1029232799 (minimum one second step)

I see that there is some mention of exporting this data to Excel, utilizing
excel.rc, but I don't seem to find that file in any of the packages I've
downloaded and compiled. (argus-2.0.5.tar.gz, argus-clients-2.xxxxx)

I've also seen that Dave Plonka's flow-scan is soon to support argus data, but the code doesn't seem to be
available and the README is dated Jan. of 2002.

Can anyone enlighten me as to the options that are currently available?

Andrew Pollock | 19 Aug 04:12 2002

Using Argus for data billing

Hi,

I'm evaluating the use of Argus for tracking data usage. We have two types of
clients we'd like to track usage for, clients with hosted webservers and
clients that receive connectivity through us.

We only charge for inbound data, but would be interested in seeing data sent and
received, just for statistical purposes.

If I'm understanding things correctly now (which may well not be the case), if I
wanted to see how much data was delivered to a webserver, I could go:

# ra -r argus.log - dst webserver

or to get a nice total

# racount -r argus.log - dst webserver

and look at the src bytes count.

Is my understanding of the use of racount correct?

How do other people on the list actually put argus to work for them? Anyone want
to share their implementation and usage stories?

regards

Andrew

(Continue reading)

Andrew Pollock | 19 Aug 04:37 2002

ra vs rasort

Hi,

should ra and rasort produce the same amount of output?

I was just fiddling around with rasort and noticed that it's not, i.e.:

# ra -r argus.log argus.log.1.gz | wc -l
23259

# rasort -r argus.log argus.log.1.gz | wc -l
22898

ra = 2.0.2.alpha9
rasort = 2.0.2.alpha9

Andrew
