David Ressman | 2 Jan 2003 22:27

packet data capture in argus-clients.b37

Hi all,

I've been playing around with the argus-tools beta 37 package, and
everything appears to work well, except for one.  For some reason, 
it seems to be ignoring the user data capture fields when I ask it
to print them out with the "-d" option.

We make extensive use of this option in our production environment (an
argus-2.0.6b5 server feeding to an argus-2.0.6b1 client).

I installed the argus-clients package because there was lots of nifty
stuff in it that I wanted to try out, but when I tried to use the b37
ra client to read out an argus file written with the 2.0.6b1 client
(captured by the 2.0.6b5 server) with "ra -nr /some/argus.file -d 64",
I got all of the flow data, but the user data stuff just wasn't in the
output.

I tried using the b37 ra client to capture flow data from the 2.0.6b5
server, and that worked fine, but I still couldn't access any of the
user data.  I know that the user data was definitely in the files
because I could read it with the 2.0.6b1 client.  I just can't get
the b37 client to see the data.

Does anyone have any ideas as to what's happening?

Thanks,

David


Mark Poepping | 3 Jan 2003 00:44

RE: packet data capture in argus-clients.b37


The options have changed in the newer clients (I forget offhand which version
changed them - b22 perhaps?).  Anyway, now there are a bunch of "-s" options
for ordering printed fields.  They are all documented in the new manpages, but
you'll need to change your scripts (or alias the options you want).  All in
all, the new options are *much* more powerful and useful, but the change is a
bit confusing if you didn't get round to reading the 'ChangeLog' (to know what
manpages to diff:-)..

Mark.

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu [mailto:owner-argus-
> info <at> lists.andrew.cmu.edu] On Behalf Of David Ressman
> Sent: Thursday, January 02, 2003 4:28 PM
> To: argus-info <at> lists.andrew.cmu.edu
> Subject: packet data capture in argus-clients.b37
> 
> Hi all,
> 
> I've been playing around with the argus-tools beta 37 package, and
> everything appears to work well, except for one.  For some reason,
> it seems to be ignoring the user data capture fields when I ask it
> to print them out with the "-d" option.
> 
> We make extensive use of this option in our production environment (an
> argus-2.0.6b5 server feeding to an argus-2.0.6b1 client).
> 
> I installed the argus-clients package because there was lots of nifty
> stuff in it that I wanted to try out, but when I tried to use the b37

Carter Bullard | 3 Jan 2003 01:31

RE: packet data capture in argus-clients.b37


Hey David,
   Hope you had a great holiday!   Yes, Mark is correct,
you need to specify the user data field either in the
.rarc file or on the command line.   If you just want to
tack the data to the end of the default record, use:

   ra -s +user -r datafile

If you just want the user data and nothing else:

   ra -s user -r datafile

and of course if you wanted something like startime,
src <-> dst host, dst port and user data:

   ra -s startime saddr dir daddr dport user -r datafile

The default is to use ascii encoding and 32 bytes, I
believe.  Still use the -d[sd]x to specify other byte
values.

Carter

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu 
> [mailto:owner-argus-info <at> lists.andrew.cmu.edu] On Behalf Of 
> Mark Poepping
> Sent: Thursday, January 02, 2003 6:45 PM
> To: 'David Ressman'

Andrew Pollock | 7 Jan 2003 03:30

Problems extracting time-specific records

Hi,

I'm using the 2.0.6.beta.37 clients, and I've got an argus log that 
contains data between:

startime: 2003-01-06 06:25:08.287736
endtime:  2003-01-07 06:26:11.708660

(Debian rotates its logs at 6:25am) and I want to extract all the records 
from 2003-01-06

I invoke ra thusly: 

ra -w - -r argus.log.1 -t 01/06 | racount
and am told that the resulting number of records is 925, which is way too 
low.

If I do this:

ra -F /tmp/ra.conf -r argus.log.1 | cut -d',' -f1,2 | grep "06-01-03" | wc -l

(ra.conf is setting the date format to be dd-mm-yy and using commas as 
delimiters)

I get 2845662 lines back, which is a bit more like the number of records 
I'd expect to get back. I can do other visual inspections of the ASCII 
output, and I'm certainly not seeing records from the 6th of January when 
I use the -t option, but they are there if I look at the entire file.

Have I found a bug?

Carter Bullard | 7 Jan 2003 14:40

RE: Problems extracting time-specific records

Hey Andrew,
   Well it definitely seems that it's not returning
what you expect it to.  One way to test is to see what
an explicit range for the whole day would return.

   ra -w - -r argus.log.1 -t 01/06-01/07 | racount

If we get a discrepancy, then we may have a bug.

Carter

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu 
> [mailto:owner-argus-info <at> lists.andrew.cmu.edu] On Behalf Of 
> Andrew Pollock
> Sent: Monday, January 06, 2003 9:30 PM
> To: argus-info <at> lists.andrew.cmu.edu
> Subject: Problems extracting time-specific records
> 
> 
> Hi,
> 
> I'm using the 2.0.6.beta.37 clients, and I've got an argus log that 
> contains data between:
> 
> startime: 2003-01-06 06:25:08.287736
> endtime:  2003-01-07 06:26:11.708660
> 
> (Debian rotates its logs at 6:25am) and I want to extract all 
> the records 

Andrew Pollock | 8 Jan 2003 00:07

Re: Problems extracting time-specific records

On Tue, Jan 07, 2003 at 08:40:12AM -0500, Carter Bullard wrote:
> Hey Andrew,
>    Well it definitely seems that its not returning
> what you expect it to.  One way to test is to see what
> an explicit range for the whole day would return.
> 
>    ra -w - -r argus.log.1 -t 01/06-01/07 | racount
> 
> If we get a discrepancy, then we may have a bug.

Houston, we've got a problem...

ra -r argus.log.1 argus.log.2 -w 2003-01-07 -t 01/07
ra -r argus.log.1 -F /tmp/ra.conf | grep "07-01-03" | wc -l
1991324
ra -r argus.log.2 -F /tmp/ra.conf | grep "07-01-03" | wc -l
349732
racount -r 2003-01-07
racount    records       
    sum     350320       
ra -r argus.log.1 argus.log.2 -w - -t 01/07-01/08 | racount
racount    records       
    sum     350320       

You can see that it's only selecting a handful of records from argus.log.2 
for some reason, which is going to mean that my logs don't contain a full 
24 hours' worth of traffic and I'm undercharging my clients. Better than 
overcharging I guess.

Andrew

Andrew Pollock | 8 Jan 2003 00:49

Re: Problems extracting time-specific records

On Wed, Jan 08, 2003 at 09:07:19AM +1000, Andrew Pollock wrote:

[snip]

> You can see that it's only selecting a handful of records from argus.log.2 
> for some reason, which is going to mean that my logs don't contain a full 

Sorry, that should have been a handful of logs from argus.log.1
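A way to run the cross-check Carter proposed and Andrew carried out (ra -t MM/DD | racount against the dd-mm-yy grep count) offline, as an added example that is not part of the thread and not argus code: a toy Python selector over constructed flow records. The day and range semantics are assumed from Carter's "explicit range for the whole day" (a bare day covers that day; a range runs from the start of the first day to the start of the second), the implied year is taken from the data rather than the wall clock, and the function names, the sample records and the year-rollover rule are mine.

```python
"""Cross-check a day-based time selector against a date-string count.

Added example, not argus code: a toy reimplementation of the two record
counts Andrew compared (ra -t MM/DD | racount versus grep dd-mm-yy | wc -l),
run over constructed flow records so the two methods can be compared offline.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample flows (startime, endtime); these are NOT the thread's logs.
RECORDS: List[Tuple[datetime, datetime]] = [
    (datetime(2002, 12, 31, 23, 58, 0), datetime(2002, 12, 31, 23, 59, 0)),
    (datetime(2002, 12, 31, 23, 59, 30), datetime(2003, 1, 1, 0, 0, 5)),  # crosses the year boundary
    (datetime(2003, 1, 1, 0, 0, 1), datetime(2003, 1, 1, 0, 0, 2)),
    (datetime(2003, 1, 6, 6, 25, 8), datetime(2003, 1, 6, 6, 25, 9)),
    (datetime(2003, 1, 6, 23, 59, 59), datetime(2003, 1, 7, 0, 0, 1)),   # crosses midnight
    (datetime(2003, 1, 7, 0, 0, 0), datetime(2003, 1, 7, 0, 0, 3)),
    (datetime(2003, 1, 7, 6, 26, 11), datetime(2003, 1, 7, 6, 26, 12)),
]


def ref_year_from(records: List[Tuple[datetime, datetime]]) -> int:
    """Implied year for a bare MM/DD: the earliest startime in the data, not the wall clock."""
    return min(s for s, _ in records).year


def parse_day(spec: str, year: int) -> datetime:
    """'MM/DD' -> midnight at the start of that day in `year`."""
    month, day = (int(x) for x in spec.split("/"))
    return datetime(year, month, day)


def parse_time_spec(spec: str, ref_year: int) -> Tuple[datetime, datetime]:
    """Turn 'MM/DD' or 'MM/DD-MM/DD' into a half-open [start, end) window.

    Assumed semantics (mine, inferred from the thread, not argus's documentation):
    a bare day selects that whole day; a range runs from the start of the first
    day to the start of the second, so '01/06-01/07' is exactly the day 01/06.
    A range whose end does not follow its start in `ref_year` (e.g. 12/31-01/01)
    is taken to roll over into the following year.
    """
    if "-" in spec:
        first, last = spec.split("-", 1)
        start = parse_day(first, ref_year)
        end = parse_day(last, ref_year)
        if end <= start:  # the range crosses the year boundary
            end = parse_day(last, ref_year + 1)
    else:
        start = parse_day(spec, ref_year)
        end = start + timedelta(days=1)
    return start, end


def select_by_startime(records, spec: str, ref_year: int):
    """Records whose startime falls inside the window; a flow that crosses
    midnight is attributed to the day it started on."""
    start, end = parse_time_spec(spec, ref_year)
    return [r for r in records if start <= r[0] < end]


def count_by_date_string(records, day_ddmmyy: str) -> int:
    """The grep-style cross-check: records whose startime prints as dd-mm-yy."""
    return sum(1 for s, _ in records if s.strftime("%d-%m-%y") == day_ddmmyy)


def crosscheck(records, spec: str, ref_year: int, day_ddmmyy: str):
    """Return (selector_count, grep_count, agree) for one day."""
    by_selector = len(select_by_startime(records, spec, ref_year))
    by_grep = count_by_date_string(records, day_ddmmyy)
    return by_selector, by_grep, by_selector == by_grep


if __name__ == "__main__":
    year = ref_year_from(RECORDS)
    for spec, ddmmyy in (("01/06", "06-01-03"), ("01/07", "07-01-03"),
                         ("12/31-01/01", "31-12-02")):
        print(spec, crosscheck(RECORDS, spec, year if spec != "12/31-01/01" else 2002, ddmmyy))
```

If the two counts disagree on real data, as they did for Andrew, the selector rather than the records is the first suspect, and the range that crosses a year boundary (12/31-01/01) is the case worth keeping in any regression check, since the thread attributes the fixed problems to the year number changing.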

Carter Bullard | 8 Jan 2003 01:18

RE: Problems extracting time-specific records

Hey Andrew,
   Well, it doesn't seem to be a time argument parsing
problem, since 01/07 and 01/07-01/08 returned the same
results.

   Is there any chance that you could share argus.log.1 & 2
for debugging purposes?  If there is a problem, this could
be a good use of ranonymize().

Carter

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu 
> [mailto:owner-argus-info <at> lists.andrew.cmu.edu] On Behalf Of 
> Andrew Pollock
> Sent: Tuesday, January 07, 2003 6:07 PM
> To: Carter Bullard
> Cc: argus-info <at> lists.andrew.cmu.edu
> Subject: Re: Problems extracting time-specific records
> 
> 
> On Tue, Jan 07, 2003 at 08:40:12AM -0500, Carter Bullard wrote:
> > Hey Andrew,
> >    Well it definitely seems that its not returning
> > what you expect it to.  One way to test is to see what
> > an explicit range for the whole day would return.
> > 
> >    ra -w - -r argus.log.1 -t 01/06-01/07 | racount
> > 
> > If we get a discrepancy, then we may have a bug.

Carter Bullard | 9 Jan 2003 21:48

new argus-clients beta.37 on server

Gentle people,
   In the spirit of all new year's resolutions, a new beta
release of argus-clients is available as
 ftp://qosient.com/dev/argus-2.0/argus-clients-2.0.6.beta.37.tar.gz

This version fixes some major problems with time argument parsing
that occur, interestingly enough, when the year number changes.
Please give this version a whirl, and if it works out, I'll
incorporate the mods into the argus-2.0.6 release that I'm putting
out next week.

Hope all is well!

Carter

Andrew Pollock | 9 Jan 2003 23:24

Re: new argus-clients beta.37 on server

On Thu, Jan 09, 2003 at 03:48:09PM -0500, Carter Bullard wrote:
> Gentle people,
>    In the spirit of all new year's resolutions, a new beta
> release of argus-clients is available as
>  ftp://qosient.com/dev/argus-2.0/argus-clients-2.0.6.beta.37.tar.gz

Umm, should that be beta.38, since there's already been a 
(different) beta.37?

> This version fixes some major problems with time argument parsing
> that occur, interestingly enough, when the year number changes.
> Please give this version a whirl, and if it works out, I'll
> incorporate the mods into the argus-2.0.6 release that I'm putting
> out next week.

So what's the extent of the impact of that bug? Just data collected in 
2003?

> Hope all is well!
> 
> Carter
> 
