Re: rahisto

The doc for rahisto() is incorrect.  ra() should always be the standard for what ra* programs should do, and
it is consistent?

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

-----Original Message-----
From: "CS Lee" <geek00l <at> gmail.com>

Date: Fri, 30 Nov 2007 13:36:37 
To:Argus <argus-info <at> lists.andrew.cmu.edu>
Subject: [ARGUS] rahisto


Hi Carter,

From what i understand, rate is pointing to pps and load is pointing to bps if I read the flow metric
correctly. I  do check on the code a bit and read the ra man page. 

I check out the rahisto man page today as I want to test something about it, and when I read  - 

[s|d]load      packets per second
[s|d]rate      bits per second

Re: Omitting data with dir = <?>

Hey Wolfgang,
   The ? is caused by not seeing the tcp syn or synack, so ...

   -- (syn or synack) or not tcp

Should do the trick.

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

-----Original Message-----
From: wob <at> swobspace.de (Wolfgang Barth)

Date: Fri, 30 Nov 2007 17:45:21 
To:argus-info <at> lists.andrew.cmu.edu
Subject: [ARGUS] Omitting data with dir = <?>

Hi,

I want to omit records with unknown direction (dir = <?>). How can I filter
out such records with ra?

Wolfgang
--

-- 

references requested

Dear All,

 

A non-technical request this time i'm looking for references, i.e. large (or small) companies which use argus as their network analyzer. You can contact me via the list or direct if you prefer.

 

Thanks in advance,

 

Willem.

racount

References

Argus dying off

I am trying to upgrade to Argus version 3.0.0. We have sucessfully run 
version 2 for years. It will run in daemon mode for up to a couple of 
hours before dying off. At this stage I dont know what may be causing 
the problem. The OS is RHEL 4.

At the moment I am trying to get debugging going to see what that turns 
up. Does this need to be turned on at compile time? If so is there a 
configure switch for this?

Any other hints at narrowing down our problem would be appreciated.

Thanks, Mark

--

-- 
Mark Borrie
Information Security Manager,
Information Technology Services, University of Otago,
Dunedin, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-5080, Mobile +64 27 609-6409

Re: Argus dying off

On Thu, Dec 06, 2007 at 10:20:21AM +1300, Mark Borrie wrote:
> I am trying to upgrade to Argus version 3.0.0. We have sucessfully run 
> version 2 for years. It will run in daemon mode for up to a couple of 
> hours before dying off. At this stage I dont know what may be causing 
> the problem. The OS is RHEL 4.
> 
> At the moment I am trying to get debugging going to see what that turns 
> up. Does this need to be turned on at compile time? If so is there a 
> configure switch for this?
> 
> Any other hints at narrowing down our problem would be appreciated.
> 
> Thanks, Mark
> 
> 
> -- 
> Mark Borrie
> Information Security Manager,
> Information Technology Services, University of Otago,
> Dunedin, N.Z.
> Ph +64 3 479-8395, Fax +64 3 479-5080, Mobile +64 27 609-6409

	I'm assuming you have the latest code which looks to be 
argus-3.0.0.tar.gz Oct 19 14:03 and argus-clients-3.0.0.rc.63.tar.gz from
Nov  5 17:14 (which is I think where I last was as well). 
	To get debug information you need to touch ./devel and ./debug in the
source directory and then make clobber, ./configure and make. Before doing 
that you might want to look in syslog (/var/log/messages on SUSE) to see if 
the argus is syslogging why it died. When last I was running 3.0 (early 
November before my storage disk died) on clients.rc.62 probably, things had 
been stable on these versions for me. 
	Two things I did see on clients rc.63 is that Cisco netflow didn't seem
to be working (or I wasn't configuring it correctly) and removing the default
.threads file from the source directory didn't any more disable client threads
(which had been problematic for me in earlier rcs). I'm hoping to get some 
spare time to poke more some time soon but we will see ...
	Once the recompile is done then the -D flag on the clients will produce
debug logs (although they slow the client down a fair bit if you are on a fast
link that may cause difficulties) which can be redirected to a file to look at
after a failure.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

Connection Tracking - MTU

argus-2.0.6 make fails on OpenBSD 4.2

Hi:

I'm trying to compile Argus on the latest version of OpenBSD.

#uname -a
OpenBSD securitytest01.example.com 4.2 GENERIC#375 i386

The make fails on ArgusSource.c:

#make
### Making in /usr/src/argus-2.0.6/common
### Done with /usr/src/argus-2.0.6/common
### Making in /usr/src/argus-2.0.6/server
gcc -O2 -I. -I/usr/include  -I../include -DPACKAGE_NAME=\"\" - 
DPACKAGE_TARNAME=\"\" -DPACKAGE_VERSION=\"\" -DPACKAGE_STRING=\"\" - 
DPACKAGE_BUGREPORT=\"\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 - 
DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 - 
DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 - 
DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_SYS_SOCKIO_H=1 - 
DHAVE_STRING_H=1 -DHAVE_FCNTL_H=1 -DHAVE_SYS_FILE_H=1 - 
DHAVE_SYSLOG_H=1 -DHAVE_ETHER_HOSTTON=1 -DHAVE_STRERROR=1 - 
DCONFIG_X86_BSWAP=1 -DSTDC_HEADERS=1 -c ./ArgusSource.c
In file included from ArgusSource.c:763:
/usr/include/sys/mbuf.h:127: error: `MSIZE' undeclared here (not in a  
function)
/usr/include/sys/mbuf.h:130: error: `MSIZE' undeclared here (not in a  
function)
*** Error code 1

Stop in /usr/src/argus-2.0.6/server.
### Done with /usr/src/argus-2.0.6/server
#

I'm not sure what to do to fix this. Any help, please?
--

-- 
Freedom, truth, love, beauty.
John Rodenbiker

Re: Argus-info Digest, Vol 28, Issue 4