Argus Development mailing list - Real Time Flow Monitor (RTFM) for comprehensive IP network traffic auditing

Nick Diel | 8 Apr 01:40

Issues with -t option

I am trying to use the -t option and am not having much luck. I want to be able to specify a range down to the seconds, but I can't get a filter working more specific than a month. Also is it possible to specify time in UTC format for the -t option?

Regular output (I removed IP info), note this file is from last year.
[diel <at> lander-nic ~]$ ra -r argus.out
     2007/11/07-09:01:26.022023 e         *****
     2007/11/07-09:01:26.024221 e         *****
     2007/11/07-09:01:26.028978 e         *****
     2007/11/07-09:01:26.034025 e         *****
     2007/11/07-09:01:26.044853 e         *****

Non working time specifications.
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007y11m7d
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007y11m
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007/11/07

Working time specifications
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007/11
     2007/11/07-09:01:26.022023 e         *****
     2007/11/07-09:01:26.024221 e         *****
     2007/11/07-09:01:26.028978 e         *****
     2007/11/07-09:01:26.034025 e         *****
     2007/11/07-09:01:26.044853 e         *****
[diel <at> lander-nic ~]$ ra -r argus.out -t ****/11
     2007/11/07-09:01:26.022023 e         *****
     2007/11/07-09:01:26.024221 e         *****
     2007/11/07-09:01:26.028978 e         *****
     2007/11/07-09:01:26.034025 e         *****
     2007/11/07-09:01:26.044853 e         *****

Any thoughts?
Nick Diel

headers

Carter Bullard | 8 Apr 02:40

Re: Issues with -t option

Hey Nick,
Sounds like a bug.  What happens when you specify a valid range?
   "-t 12-13"
   "-t 06.12-06.13"

if you run it with a "-D 4" option, it should tell you what the unix
time range the time filter generates.

I think for month you need a 'M'?

Carter

anubis:common carter$ ra -D5 -t 12-13
ra[49162.a0052074]: 2008/04/07.20:37:21.768040 ArgusParseTime  
(0x32f000, 0x32f070, 0xa0053cc8,12,  ) retn 4: 1207584000
ra[49162.a0052074]: 2008/04/07.20:37:21.768128 ArgusParseTime  
(0x32f000, 0x32f09c, 0x32f070,13, -) retn 4: 1207587600
ra[49162.a0052074]: 2008/04/07.20:37:21.768176 ArgusCheckTimeFormat  
(0xa0053cc8, 12-13) retn 0: 1207584000-1207587600
ra[49162.a0052074]: 2008/04/07.20:37:21.768200 ArgusParseTimeArg  
(12-13, 4, 0xa0053cc8)
ra[49162.a0052074]: 2008/04/07.20:37:21.768291 ArgusAddFileList  
(0x32f000, -, 1, -1, -1) returning -1

anubis:common carter$ ra -D5 -t 12
ra[49163.a0052074]: 2008/04/07.20:37:25.920039 ArgusParseTime  
(0x32f000, 0x32f070, 0x32f09c,12,  ) retn 4: 1207584000
ra[49163.a0052074]: 2008/04/07.20:37:25.920111 ArgusCheckTimeFormat  
(0xa0053cc8, 12) retn 0: 1207584000-1207587600
ra[49163.a0052074]: 2008/04/07.20:37:25.920135 ArgusParseTimeArg (12,  
4, 0xa0053cc8)
ra[49163.a0052074]: 2008/04/07.20:37:25.920184 ArgusAddFileList  
(0x32f000, -, 1, -1, -1) returning -1

anubis:common carter$ ra -D5 -t 12m
ra[49180.a0052074]: 2008/04/07.20:39:21.244726 ArgusParseTime  
(0x32f000, 0x32f070, 0x32f09c,,  ) retn 5: 1207615161
ra[49180.a0052074]: 2008/04/07.20:39:21.244880 ArgusCheckTimeFormat  
(0xa0053cc8, 12m) retn 0: 1207613520-1207613580
ra[49180.a0052074]: 2008/04/07.20:39:21.244923 ArgusParseTimeArg (12m,  
4, 0xa0053cc8)
ra[49180.a0052074]: 2008/04/07.20:39:21.245022 ArgusAddFileList  
(0x32f000, -, 1, -1, -1) returning -1

anubis:common carter$ ra -D5 -t 06.12-06.13
ra[49143.a0052074]: 2008/04/07.20:35:56.829484 ArgusParseTime  
(0x32f000, 0x32f070, 0xa0053cc8,06,  ) retn 4: 1207497600
ra[49143.a0052074]: 2008/04/07.20:35:56.829669 ArgusParseTime  
(0x32f000, 0x32f09c, 0x32f070,06, -) retn 4: 1207501200
ra[49143.a0052074]: 2008/04/07.20:35:56.829766 ArgusCheckTimeFormat  
(0xa0053cc8, 06.12-06.13) retn 0: 1207497600-1207501200
ra[49143.a0052074]: 2008/04/07.20:35:56.829808 ArgusParseTimeArg  
(06.12-06.13, 4, 0xa0053cc8)

anubis:cmmon carter$ ra -D5 -t 2008/02/06.12-06.13
ra[49151.a0052074]: 2008/04/07.20:36:40.358480 ArgusParseTime  
(0x32f000, 0x32f070, 0xa0053cc8,2008,  ) retn 4: 1202317200
ra[49151.a0052074]: 2008/04/07.20:36:40.358661 ArgusParseTime  
(0x32f000, 0x32f09c, 0x32f070,06, -) retn 4: 1202320800
ra[49151.a0052074]: 2008/04/07.20:36:40.358756 ArgusCheckTimeFormat  
(0xa0053cc8, 2008/02/06.12-06.13) retn 0: 1202317200-1202320800
ra[49151.a0052074]: 2008/04/07.20:36:40.358798 ArgusParseTimeArg  
(2008/02/06.12-06.13, 4, 0xa0053cc8)

On Apr 7, 2008, at 7:40 PM, Nick Diel wrote:

> I am trying to use the -t option and am not having much luck.  I  
> want to be able to specify a range down to the seconds, but I can't  
> get a filter working more specific than a month.  Also is it  
> possible to specify time in UTC format for the -t option?
>
>
> Regular output (I removed IP info), note this file is from last year.
> [diel <at> lander-nic ~]$ ra -r argus.out
>      2007/11/07-09:01:26.022023  e         *****
>      2007/11/07-09:01:26.024221  e         *****
>      2007/11/07-09:01:26.028978  e         *****
>      2007/11/07-09:01:26.034025  e         *****
>      2007/11/07-09:01:26.044853  e         *****
>
>
> Non working time specifications.
> [diel <at> lander-nic ~]$ ra -r argus.out -t 2007y11m7d
> [diel <at> lander-nic ~]$ ra -r argus.out -t 2007y11m
> [diel <at> lander-nic ~]$ ra -r argus.out -t 2007/11/07
>
>
> Working time specifications
> [diel <at> lander-nic ~]$ ra -r argus.out -t 2007/11
>      2007/11/07-09:01:26.022023  e         *****
>      2007/11/07-09:01:26.024221  e         *****
>      2007/11/07-09:01:26.028978  e         *****
>      2007/11/07-09:01:26.034025  e         *****
>      2007/11/07-09:01:26.044853  e         *****
> [diel <at> lander-nic ~]$ ra -r argus.out -t ****/11
>      2007/11/07-09:01:26.022023  e         *****
>      2007/11/07-09:01:26.024221  e         *****
>      2007/11/07-09:01:26.028978  e         *****
>      2007/11/07-09:01:26.034025  e         *****
>      2007/11/07-09:01:26.044853  e         *****
>
>
> Any thoughts?
> Nick Diel

headers

Nick Diel | 8 Apr 18:33

Re: Issues with -t option

Carter,

The capital M is what I needed for some of the time filters, at the end of the day yesterday I was just coping what was in the man page (lower case m).

The filter 2007/11/07 produces a filter that is a day behind:
[diel <at> lander-nic ~]$ ra -D5 -t 2007/11/07
ra[3166.c046fcb7]: 10:25:13.134115 ArgusParseTime (0xb7f82008, 0xb7f82078, 0xb7f820a4,2007, ) retn 3: 1194332400
ra[3166.c046fcb7]: 10:25:13.134229 ArgusCheckTimeFormat (0xc8b2e0, 2007/11/07) retn 0: 1194332400-1194418800
ra[3166.c046fcb7]: 10:25:13.134271 ArgusParseTimeArg (2007/11/07, 4, 0xc8b2e0)
ra[3166.c046fcb7]: 10:25:13.134339 ArgusAddFileList (0xb7f82008, -, 1, -1, -1) returning -1

The filter 2007y11M7d is close, but an hour off (probably due to daylight savings)
[diel <at> lander-nic ~]$ ra -D5 -t 2007y11M7d
ra[3159.c056f4b7]: 10:20:54.380457 ArgusParseTime (0xb7f03008, 0xb7f03078, 0xb7f030a4,, ) retn 3: 1207671654
ra[3159.c056f4b7]: 10:20:54.380566 ArgusCheckTimeFormat (0xc8b2e0, 2007y11M7d) retn 0: 1194415200-1194501600
ra[3159.c056f4b7]: 10:20:54.380614 ArgusParseTimeArg (2007y11M7d, 4, 0xc8b2e0)
ra[3159.c056f4b7]: 10:20:54.380663 ArgusAddFileList (0xb7f03008, -, 1, -1, -1) returning -1

It used MST(-6 GMT) which is correct for right now, but not for November should be -7 GMT.

More specific filters seems to be working great. Would love for a way to input UTC timestamps or even just a raw time range UTC-UTC, didn't see any indication this was currently possible.

Thanks for the input!

Nick

On Mon, Apr 7, 2008 at 6:40 PM, Carter Bullard <carter <at> qosient.com> wrote:

Hey Nick,
Sounds like a bug. What happens when you specify a valid range?
"-t 12-13"
"-t 06.12-06.13"

if you run it with a "-D 4" option, it should tell you what the unix
time range the time filter generates.

I think for month you need a 'M'?

Carter

anubis:common carter$ ra -D5 -t 12-13
ra[49162.a0052074]: 2008/04/07.20:37:21.768040 ArgusParseTime (0x32f000, 0x32f070, 0xa0053cc8,12, ) retn 4: 1207584000
ra[49162.a0052074]: 2008/04/07.20:37:21.768128 ArgusParseTime (0x32f000, 0x32f09c, 0x32f070,13, -) retn 4: 1207587600
ra[49162.a0052074]: 2008/04/07.20:37:21.768176 ArgusCheckTimeFormat (0xa0053cc8, 12-13) retn 0: 1207584000-1207587600
ra[49162.a0052074]: 2008/04/07.20:37:21.768200 ArgusParseTimeArg (12-13, 4, 0xa0053cc8)
ra[49162.a0052074]: 2008/04/07.20:37:21.768291 ArgusAddFileList (0x32f000, -, 1, -1, -1) returning -1

anubis:common carter$ ra -D5 -t 12
ra[49163.a0052074]: 2008/04/07.20:37:25.920039 ArgusParseTime (0x32f000, 0x32f070, 0x32f09c,12, ) retn 4: 1207584000
ra[49163.a0052074]: 2008/04/07.20:37:25.920111 ArgusCheckTimeFormat (0xa0053cc8, 12) retn 0: 1207584000-1207587600
ra[49163.a0052074]: 2008/04/07.20:37:25.920135 ArgusParseTimeArg (12, 4, 0xa0053cc8)
ra[49163.a0052074]: 2008/04/07.20:37:25.920184 ArgusAddFileList (0x32f000, -, 1, -1, -1) returning -1

anubis:common carter$ ra -D5 -t 12m
ra[49180.a0052074]: 2008/04/07.20:39:21.244726 ArgusParseTime (0x32f000, 0x32f070, 0x32f09c,, ) retn 5: 1207615161
ra[49180.a0052074]: 2008/04/07.20:39:21.244880 ArgusCheckTimeFormat (0xa0053cc8, 12m) retn 0: 1207613520-1207613580
ra[49180.a0052074]: 2008/04/07.20:39:21.244923 ArgusParseTimeArg (12m, 4, 0xa0053cc8)
ra[49180.a0052074]: 2008/04/07.20:39:21.245022 ArgusAddFileList (0x32f000, -, 1, -1, -1) returning -1

anubis:common carter$ ra -D5 -t 06.12-06.13
ra[49143.a0052074]: 2008/04/07.20:35:56.829484 ArgusParseTime (0x32f000, 0x32f070, 0xa0053cc8,06, ) retn 4: 1207497600
ra[49143.a0052074]: 2008/04/07.20:35:56.829669 ArgusParseTime (0x32f000, 0x32f09c, 0x32f070,06, -) retn 4: 1207501200
ra[49143.a0052074]: 2008/04/07.20:35:56.829766 ArgusCheckTimeFormat (0xa0053cc8, 06.12-06.13) retn 0: 1207497600-1207501200
ra[49143.a0052074]: 2008/04/07.20:35:56.829808 ArgusParseTimeArg (06.12-06.13, 4, 0xa0053cc8)

anubis:cmmon carter$ ra -D5 -t 2008/02/06.12-06.13
ra[49151.a0052074]: 2008/04/07.20:36:40.358480 ArgusParseTime (0x32f000, 0x32f070, 0xa0053cc8,2008, ) retn 4: 1202317200
ra[49151.a0052074]: 2008/04/07.20:36:40.358661 ArgusParseTime (0x32f000, 0x32f09c, 0x32f070,06, -) retn 4: 1202320800
ra[49151.a0052074]: 2008/04/07.20:36:40.358756 ArgusCheckTimeFormat (0xa0053cc8, 2008/02/06.12-06.13) retn 0: 1202317200-1202320800
ra[49151.a0052074]: 2008/04/07.20:36:40.358798 ArgusParseTimeArg (2008/02/06.12-06.13, 4, 0xa0053cc8)

On Apr 7, 2008, at 7:40 PM, Nick Diel wrote:

I am trying to use the -t option and am not having much luck. I want to be able to specify a range down to the seconds, but I can't get a filter working more specific than a month. Also is it possible to specify time in UTC format for the -t option?

Regular output (I removed IP info), note this file is from last year.
[diel <at> lander-nic ~]$ ra -r argus.out
2007/11/07-09:01:26.022023 e *****
2007/11/07-09:01:26.024221 e *****
2007/11/07-09:01:26.028978 e *****
2007/11/07-09:01:26.034025 e *****
2007/11/07-09:01:26.044853 e *****

Non working time specifications.
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007y11m7d
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007y11m
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007/11/07

Working time specifications
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007/11
2007/11/07-09:01:26.022023 e *****
2007/11/07-09:01:26.024221 e *****
2007/11/07-09:01:26.028978 e *****
2007/11/07-09:01:26.034025 e *****
2007/11/07-09:01:26.044853 e *****
[diel <at> lander-nic ~]$ ra -r argus.out -t ****/11
2007/11/07-09:01:26.022023 e *****
2007/11/07-09:01:26.024221 e *****
2007/11/07-09:01:26.028978 e *****
2007/11/07-09:01:26.034025 e *****
2007/11/07-09:01:26.044853 e *****

Any thoughts?
Nick Diel

headers

Carter Bullard | 8 Apr 19:21

Re: Issues with -t option

Hmmmm, yes I get the same error you do for the 2007/11/07.

I'll investigate and I'll add using UTC to the command line.

Carter

On Apr 8, 2008, at 12:33 PM, Nick Diel wrote:

Carter,

The capital M is what I needed for some of the time filters, at the end of the day yesterday I was just coping what was in the man page (lower case m).

The filter 2007/11/07 produces a filter that is a day behind:
[diel <at> lander-nic ~]$ ra -D5 -t 2007/11/07
ra[3166.c046fcb7]: 10:25:13.134115 ArgusParseTime (0xb7f82008, 0xb7f82078, 0xb7f820a4,2007, ) retn 3: 1194332400
ra[3166.c046fcb7]: 10:25:13.134229 ArgusCheckTimeFormat (0xc8b2e0, 2007/11/07) retn 0: 1194332400-1194418800
ra[3166.c046fcb7]: 10:25:13.134271 ArgusParseTimeArg (2007/11/07, 4, 0xc8b2e0)
ra[3166.c046fcb7]: 10:25:13.134339 ArgusAddFileList (0xb7f82008, -, 1, -1, -1) returning -1

The filter 2007y11M7d is close, but an hour off (probably due to daylight savings)
[diel <at> lander-nic ~]$ ra -D5 -t 2007y11M7d
ra[3159.c056f4b7]: 10:20:54.380457 ArgusParseTime (0xb7f03008, 0xb7f03078, 0xb7f030a4,, ) retn 3: 1207671654
ra[3159.c056f4b7]: 10:20:54.380566 ArgusCheckTimeFormat (0xc8b2e0, 2007y11M7d) retn 0: 1194415200-1194501600
ra[3159.c056f4b7]: 10:20:54.380614 ArgusParseTimeArg (2007y11M7d, 4, 0xc8b2e0)
ra[3159.c056f4b7]: 10:20:54.380663 ArgusAddFileList (0xb7f03008, -, 1, -1, -1) returning -1

It used MST(-6 GMT) which is correct for right now, but not for November should be -7 GMT.

More specific filters seems to be working great. Would love for a way to input UTC timestamps or even just a raw time range UTC-UTC, didn't see any indication this was currently possible.

Thanks for the input!

Nick

On Mon, Apr 7, 2008 at 6:40 PM, Carter Bullard <carter <at> qosient.com> wrote:
Hey Nick,
Sounds like a bug. What happens when you specify a valid range?
"-t 12-13"
"-t 06.12-06.13"

if you run it with a "-D 4" option, it should tell you what the unix
time range the time filter generates.

I think for month you need a 'M'?

Carter

anubis:common carter$ ra -D5 -t 12-13
ra[49162.a0052074]: 2008/04/07.20:37:21.768040 ArgusParseTime (0x32f000, 0x32f070, 0xa0053cc8,12, ) retn 4: 1207584000
ra[49162.a0052074]: 2008/04/07.20:37:21.768128 ArgusParseTime (0x32f000, 0x32f09c, 0x32f070,13, -) retn 4: 1207587600
ra[49162.a0052074]: 2008/04/07.20:37:21.768176 ArgusCheckTimeFormat (0xa0053cc8, 12-13) retn 0: 1207584000-1207587600
ra[49162.a0052074]: 2008/04/07.20:37:21.768200 ArgusParseTimeArg (12-13, 4, 0xa0053cc8)
ra[49162.a0052074]: 2008/04/07.20:37:21.768291 ArgusAddFileList (0x32f000, -, 1, -1, -1) returning -1

anubis:common carter$ ra -D5 -t 12
ra[49163.a0052074]: 2008/04/07.20:37:25.920039 ArgusParseTime (0x32f000, 0x32f070, 0x32f09c,12, ) retn 4: 1207584000
ra[49163.a0052074]: 2008/04/07.20:37:25.920111 ArgusCheckTimeFormat (0xa0053cc8, 12) retn 0: 1207584000-1207587600
ra[49163.a0052074]: 2008/04/07.20:37:25.920135 ArgusParseTimeArg (12, 4, 0xa0053cc8)
ra[49163.a0052074]: 2008/04/07.20:37:25.920184 ArgusAddFileList (0x32f000, -, 1, -1, -1) returning -1

anubis:common carter$ ra -D5 -t 12m
ra[49180.a0052074]: 2008/04/07.20:39:21.244726 ArgusParseTime (0x32f000, 0x32f070, 0x32f09c,, ) retn 5: 1207615161
ra[49180.a0052074]: 2008/04/07.20:39:21.244880 ArgusCheckTimeFormat (0xa0053cc8, 12m) retn 0: 1207613520-1207613580
ra[49180.a0052074]: 2008/04/07.20:39:21.244923 ArgusParseTimeArg (12m, 4, 0xa0053cc8)
ra[49180.a0052074]: 2008/04/07.20:39:21.245022 ArgusAddFileList (0x32f000, -, 1, -1, -1) returning -1

anubis:common carter$ ra -D5 -t 06.12-06.13
ra[49143.a0052074]: 2008/04/07.20:35:56.829484 ArgusParseTime (0x32f000, 0x32f070, 0xa0053cc8,06, ) retn 4: 1207497600
ra[49143.a0052074]: 2008/04/07.20:35:56.829669 ArgusParseTime (0x32f000, 0x32f09c, 0x32f070,06, -) retn 4: 1207501200
ra[49143.a0052074]: 2008/04/07.20:35:56.829766 ArgusCheckTimeFormat (0xa0053cc8, 06.12-06.13) retn 0: 1207497600-1207501200
ra[49143.a0052074]: 2008/04/07.20:35:56.829808 ArgusParseTimeArg (06.12-06.13, 4, 0xa0053cc8)

anubis:cmmon carter$ ra -D5 -t 2008/02/06.12-06.13
ra[49151.a0052074]: 2008/04/07.20:36:40.358480 ArgusParseTime (0x32f000, 0x32f070, 0xa0053cc8,2008, ) retn 4: 1202317200
ra[49151.a0052074]: 2008/04/07.20:36:40.358661 ArgusParseTime (0x32f000, 0x32f09c, 0x32f070,06, -) retn 4: 1202320800
ra[49151.a0052074]: 2008/04/07.20:36:40.358756 ArgusCheckTimeFormat (0xa0053cc8, 2008/02/06.12-06.13) retn 0: 1202317200-1202320800
ra[49151.a0052074]: 2008/04/07.20:36:40.358798 ArgusParseTimeArg (2008/02/06.12-06.13, 4, 0xa0053cc8)

On Apr 7, 2008, at 7:40 PM, Nick Diel wrote:

I am trying to use the -t option and am not having much luck. I want to be able to specify a range down to the seconds, but I can't get a filter working more specific than a month. Also is it possible to specify time in UTC format for the -t option?

Regular output (I removed IP info), note this file is from last year.
[diel <at> lander-nic ~]$ ra -r argus.out
2007/11/07-09:01:26.022023 e *****
2007/11/07-09:01:26.024221 e *****
2007/11/07-09:01:26.028978 e *****
2007/11/07-09:01:26.034025 e *****
2007/11/07-09:01:26.044853 e *****

Non working time specifications.
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007y11m7d
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007y11m
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007/11/07

Working time specifications
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007/11
2007/11/07-09:01:26.022023 e *****
2007/11/07-09:01:26.024221 e *****
2007/11/07-09:01:26.028978 e *****
2007/11/07-09:01:26.034025 e *****
2007/11/07-09:01:26.044853 e *****
[diel <at> lander-nic ~]$ ra -r argus.out -t ****/11
2007/11/07-09:01:26.022023 e *****
2007/11/07-09:01:26.024221 e *****
2007/11/07-09:01:26.028978 e *****
2007/11/07-09:01:26.034025 e *****
2007/11/07-09:01:26.044853 e *****

Any thoughts?
Nick Diel

headers

Nick Diel | 8 Apr 20:23

Flow Counting

I am interested in counting number of flows for things such as source address, IP pairs, time intervals, etc. This is closely related to Stéphane Peters email: "Counting flows by time interval in argus."

After using racluster to merge status flow records, you have a file where a record represents a flow. You can of course use racount with a filter to tell you some of this information, but it seem quite impractical to do things such as find the IP pair generating the most flows. You could also use a set of pipes or scripts (as Stéphane Peters showed us), but this would require modification every time you wanted something slightly different.

Maybe there is a way using ra tools to do this already and I am missing it. If not maybe we can get racluster (when specified) or another tool to "zero out"/set the trans count to 1 after we have merged status flow records. This way things such as racluster -r megredRecords.argus -m saddr -s +trans will now list how many flows for each source address.

I am curious what the group has to say about this. Is something like this already possible? Is this information useful to other people than me? Would modifying the trans column present too much ambiguity, i.e. "under these circumstances the trans column can represent number of flows else it represents aggregated record count"?

Nick

headers

Carter Bullard | 8 Apr 20:59

Re: Issues with -t option

Hey Nick,

So I figured out the problem. When we push the time filter into a time zone

that is different than the current one (EST -> EDT), I was not correcting all

the fields that needed to be corrected. In the example 2007/11/07, if you

are in EDT and convert to this date, the returned value is 2007/11/06.23:00:00.

I was not adjusting for a possible change of day, in this case, so we got a

day behind.

I've also added UTC as input for time. I'll have it upload later today.

Carter

On Apr 8, 2008, at 1:21 PM, Carter Bullard wrote:

Hmmmm, yes I get the same error you do for the 2007/11/07.
I'll investigate and I'll add using UTC to the command line.

Carter

On Apr 8, 2008, at 12:33 PM, Nick Diel wrote:
Carter,

The capital M is what I needed for some of the time filters, at the end of the day yesterday I was just coping what was in the man page (lower case m).

The filter 2007/11/07 produces a filter that is a day behind:
[diel <at> lander-nic ~]$ ra -D5 -t 2007/11/07
ra[3166.c046fcb7]: 10:25:13.134115 ArgusParseTime (0xb7f82008, 0xb7f82078, 0xb7f820a4,2007, ) retn 3: 1194332400
ra[3166.c046fcb7]: 10:25:13.134229 ArgusCheckTimeFormat (0xc8b2e0, 2007/11/07) retn 0: 1194332400-1194418800
ra[3166.c046fcb7]: 10:25:13.134271 ArgusParseTimeArg (2007/11/07, 4, 0xc8b2e0)
ra[3166.c046fcb7]: 10:25:13.134339 ArgusAddFileList (0xb7f82008, -, 1, -1, -1) returning -1

The filter 2007y11M7d is close, but an hour off (probably due to daylight savings)
[diel <at> lander-nic ~]$ ra -D5 -t 2007y11M7d
ra[3159.c056f4b7]: 10:20:54.380457 ArgusParseTime (0xb7f03008, 0xb7f03078, 0xb7f030a4,, ) retn 3: 1207671654
ra[3159.c056f4b7]: 10:20:54.380566 ArgusCheckTimeFormat (0xc8b2e0, 2007y11M7d) retn 0: 1194415200-1194501600
ra[3159.c056f4b7]: 10:20:54.380614 ArgusParseTimeArg (2007y11M7d, 4, 0xc8b2e0)
ra[3159.c056f4b7]: 10:20:54.380663 ArgusAddFileList (0xb7f03008, -, 1, -1, -1) returning -1

It used MST(-6 GMT) which is correct for right now, but not for November should be -7 GMT.

More specific filters seems to be working great. Would love for a way to input UTC timestamps or even just a raw time range UTC-UTC, didn't see any indication this was currently possible.

Thanks for the input!

Nick

On Mon, Apr 7, 2008 at 6:40 PM, Carter Bullard <carter <at> qosient.com> wrote:
Hey Nick,
Sounds like a bug. What happens when you specify a valid range?
"-t 12-13"
"-t 06.12-06.13"

if you run it with a "-D 4" option, it should tell you what the unix
time range the time filter generates.

I think for month you need a 'M'?

Carter

anubis:common carter$ ra -D5 -t 12-13
ra[49162.a0052074]: 2008/04/07.20:37:21.768040 ArgusParseTime (0x32f000, 0x32f070, 0xa0053cc8,12, ) retn 4: 1207584000
ra[49162.a0052074]: 2008/04/07.20:37:21.768128 ArgusParseTime (0x32f000, 0x32f09c, 0x32f070,13, -) retn 4: 1207587600
ra[49162.a0052074]: 2008/04/07.20:37:21.768176 ArgusCheckTimeFormat (0xa0053cc8, 12-13) retn 0: 1207584000-1207587600
ra[49162.a0052074]: 2008/04/07.20:37:21.768200 ArgusParseTimeArg (12-13, 4, 0xa0053cc8)
ra[49162.a0052074]: 2008/04/07.20:37:21.768291 ArgusAddFileList (0x32f000, -, 1, -1, -1) returning -1

anubis:common carter$ ra -D5 -t 12
ra[49163.a0052074]: 2008/04/07.20:37:25.920039 ArgusParseTime (0x32f000, 0x32f070, 0x32f09c,12, ) retn 4: 1207584000
ra[49163.a0052074]: 2008/04/07.20:37:25.920111 ArgusCheckTimeFormat (0xa0053cc8, 12) retn 0: 1207584000-1207587600
ra[49163.a0052074]: 2008/04/07.20:37:25.920135 ArgusParseTimeArg (12, 4, 0xa0053cc8)
ra[49163.a0052074]: 2008/04/07.20:37:25.920184 ArgusAddFileList (0x32f000, -, 1, -1, -1) returning -1

anubis:common carter$ ra -D5 -t 12m
ra[49180.a0052074]: 2008/04/07.20:39:21.244726 ArgusParseTime (0x32f000, 0x32f070, 0x32f09c,, ) retn 5: 1207615161
ra[49180.a0052074]: 2008/04/07.20:39:21.244880 ArgusCheckTimeFormat (0xa0053cc8, 12m) retn 0: 1207613520-1207613580
ra[49180.a0052074]: 2008/04/07.20:39:21.244923 ArgusParseTimeArg (12m, 4, 0xa0053cc8)
ra[49180.a0052074]: 2008/04/07.20:39:21.245022 ArgusAddFileList (0x32f000, -, 1, -1, -1) returning -1

anubis:common carter$ ra -D5 -t 06.12-06.13
ra[49143.a0052074]: 2008/04/07.20:35:56.829484 ArgusParseTime (0x32f000, 0x32f070, 0xa0053cc8,06, ) retn 4: 1207497600
ra[49143.a0052074]: 2008/04/07.20:35:56.829669 ArgusParseTime (0x32f000, 0x32f09c, 0x32f070,06, -) retn 4: 1207501200
ra[49143.a0052074]: 2008/04/07.20:35:56.829766 ArgusCheckTimeFormat (0xa0053cc8, 06.12-06.13) retn 0: 1207497600-1207501200
ra[49143.a0052074]: 2008/04/07.20:35:56.829808 ArgusParseTimeArg (06.12-06.13, 4, 0xa0053cc8)

anubis:cmmon carter$ ra -D5 -t 2008/02/06.12-06.13
ra[49151.a0052074]: 2008/04/07.20:36:40.358480 ArgusParseTime (0x32f000, 0x32f070, 0xa0053cc8,2008, ) retn 4: 1202317200
ra[49151.a0052074]: 2008/04/07.20:36:40.358661 ArgusParseTime (0x32f000, 0x32f09c, 0x32f070,06, -) retn 4: 1202320800
ra[49151.a0052074]: 2008/04/07.20:36:40.358756 ArgusCheckTimeFormat (0xa0053cc8, 2008/02/06.12-06.13) retn 0: 1202317200-1202320800
ra[49151.a0052074]: 2008/04/07.20:36:40.358798 ArgusParseTimeArg (2008/02/06.12-06.13, 4, 0xa0053cc8)

On Apr 7, 2008, at 7:40 PM, Nick Diel wrote:

I am trying to use the -t option and am not having much luck. I want to be able to specify a range down to the seconds, but I can't get a filter working more specific than a month. Also is it possible to specify time in UTC format for the -t option?

Regular output (I removed IP info), note this file is from last year.
[diel <at> lander-nic ~]$ ra -r argus.out
2007/11/07-09:01:26.022023 e *****
2007/11/07-09:01:26.024221 e *****
2007/11/07-09:01:26.028978 e *****
2007/11/07-09:01:26.034025 e *****
2007/11/07-09:01:26.044853 e *****

Non working time specifications.
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007y11m7d
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007y11m
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007/11/07

Working time specifications
[diel <at> lander-nic ~]$ ra -r argus.out -t 2007/11
2007/11/07-09:01:26.022023 e *****
2007/11/07-09:01:26.024221 e *****
2007/11/07-09:01:26.028978 e *****
2007/11/07-09:01:26.034025 e *****
2007/11/07-09:01:26.044853 e *****
[diel <at> lander-nic ~]$ ra -r argus.out -t ****/11
2007/11/07-09:01:26.022023 e *****
2007/11/07-09:01:26.024221 e *****
2007/11/07-09:01:26.028978 e *****
2007/11/07-09:01:26.034025 e *****
2007/11/07-09:01:26.044853 e *****

Any thoughts?
Nick Diel

headers

Carter Bullard | 8 Apr 21:33

Re: Flow Counting

Hey Nick,
racluster() does this quite well.  When racluster() merges two  
records, for whatever reason,
it generates an aggregation statistic that keeps track of the number  
of records that are merged.
Use this to generate all the counts you would like.  The only trick is  
that if you use racluster()
to merge your data first, then this aggregation statistic already has  
values, and it needs to be
cleared.   You will want to remove that aggregation structure before  
you begin.

If you want to prep an entire directory of data, you can do this:
% rastrip -R dir -M replace -agr

This will remove the aggregation DSR from any record in any data file in
the entire directory struct.

If you can't, for whatever reason, delete the agr dsr, you can do it  
as a pipe.

% rastrip -r data.file -M -agr -w - - ip | racluster -m matrix -s  
saddr daddr trans

This will give you the number of transactions (or flows) for all the  
A's talking to B's in the file.

For things like time intervals, you should use rabins().

% rastrip -r data.file -M -agr -w - - ip | rabins -M soft time 10s -m  
srcid -s stime dur trans

This will give you the total flow every 10s, if there are any flows to  
report.  It will
force the startime and lasttime to coincide with the 10s time  
boundaries.

There are an infinite number of examples, so if this doesn't help,  
send more email.

Carter

On Apr 8, 2008, at 2:23 PM, Nick Diel wrote:

> I am interested in counting number of flows for things such as  
> source address, IP pairs, time intervals, etc.  This is closely  
> related to Stéphane Peters email: "Counting flows by time interval  
> in argus."
>
> After using racluster to merge status flow records, you have a file  
> where a record represents a flow.  You can of course use racount  
> with a filter to tell you some of this information, but it seem  
> quite impractical to do things such as find the IP pair generating  
> the most flows.  You could also use a set of pipes or scripts (as  
> Stéphane Peters showed us), but this would require modification  
> every time you wanted something slightly different.
>
> Maybe there is a way using ra tools to do this already and I am  
> missing it.  If not maybe we can get racluster (when specified) or  
> another tool to "zero out"/set the trans count to 1 after we have  
> merged status flow records.  This way things such as racluster -r  
> megredRecords.argus -m saddr -s +trans will now list how many flows  
> for each source address.
>
> I am curious what the group has to say about this.  Is something  
> like this already possible?  Is this information useful to other  
> people than me?  Would modifying the trans column present too much  
> ambiguity, i.e. "under these circumstances the trans column can  
> represent number of flows else it represents aggregated record count"?
>
>
> Nick
>

headers

jean-marc pouchoulon | 8 Apr 22:04

ragraph graph duration

Bonsoir,

I'm using ragraph 3.0.0 rc70 and I try to do graph duration

ragraph dur gave me back  usage message
but ragraph bytes with the same syntax  is ok

What I don't understand ?

Thanks.

jean-marc.

headers

Nick Diel | 8 Apr 23:18

Re: Counting flows by time interval in argus

I wanted to add in a solution Carter just showed me so it was part of this thread if anyone was searching.

This example assumes you have already merged status flow records, so records = flows, if not add another pipe of racluster.

rastrip -r $file -M -agr -w - | rabins -M soft time 10m -m srcid -s stime trans -c , -F raTime.conf > flowcounts.csv

raTime.conf contents (you could also add this to your rarc file):
RA_TIME_FORMAT="%H:%M"

If you have multiple collectors, you can have rabins merge on something else such as proto if you are filtering on tcp.

Nick

On Wed, Mar 26, 2008 at 1:04 PM, Stéphane Peters <stephane.peters <at> forem.be> wrote:

Hello,

Here is an example of counting flows I have just used,
to compare print flows seen by argus (filtered on port 9100)
with print requests seen by our batch server (found in a csv file).
Both lists have been feed in a spreadsheet to make a nice graphic comparison.

If someone sees a better way to do this within ra* clients without the unixes filters,
I will be happy to see how to do it.

Example saved on the wiki:
Count flows by groups of 10 minutes : show only the flow start times, cut after the 10ths of minutes, add a trailing zero and delete heading spaces to show a nice HH:MM line, count them, invert columns, insert a delimitor. Ready to be feed in your favorite spreadsheet.
ra -s stime -p 0 -nr $file |\
cut -c -7 |\
uniq -c | \
sed -e 's/$/0/' \
-e 's/^ *//' \
-e 's/$.*$ *$.*$/\2,\1/' > flowcounts.csv

Regards,

--
Stephane.Peters <at> forem.be, Postmaster <at> forem.be

headers

Nick Diel | 8 Apr 23:48

Re: ragraph graph duration

I think the keyword is dur, are you using that or duration?

ragraph -M dur -r file

Nick

On Tue, Apr 8, 2008 at 2:04 PM, jean-marc pouchoulon <jean-marc.pouchoulon <at> ac-montpellier.fr> wrote:

Bonsoir,

I'm using ragraph 3.0.0 rc70 and I try to do graph duration

ragraph dur gave me back usage message
but ragraph bytes with the same syntax is ok

What I don't understand ?

Thanks.

jean-marc.

29	February 2012
91	January 2012
52	December 2011
17	November 2011
30	October 2011
15	September 2011
39	August 2011
49	July 2011
61	June 2011
66	May 2011
82	April 2011
48	March 2011
52	February 2011
27	January 2011
42	December 2010
35	November 2010
72	October 2010
78	September 2010
48	August 2010
102	July 2010
50	June 2010
23	May 2010
61	April 2010
40	March 2010
50	February 2010
26	January 2010
32	December 2009
72	November 2009
48	October 2009
55	September 2009
115	August 2009
66	July 2009
36	June 2009
92	May 2009
122	April 2009
116	March 2009
58	February 2009
26	January 2009
15	December 2008
3	November 2008
3	October 2008
24	September 2008
38	August 2008
50	July 2008
62	June 2008
6	May 2008
61	April 2008
90	March 2008
151	February 2008
121	January 2008
67	December 2007
61	November 2007
120	October 2007
107	September 2007
143	August 2007
44	July 2007
91	June 2007
68	May 2007
82	April 2007
141	March 2007
123	February 2007
69	January 2007
50	December 2006
79	November 2006
113	October 2006
114	September 2006
131	August 2006
96	July 2006
270	June 2006
4	May 2006
4	April 2006
40	March 2006
31	February 2006
24	January 2006
14	December 2005
2	November 2005
1	October 2005
8	September 2005
25	August 2005
1	July 2005
14	June 2005
5	May 2005
25	April 2005
24	March 2005
33	February 2005
12	January 2005
41	December 2004
33	November 2004
35	October 2004
48	September 2004
95	August 2004
45	July 2004
79	June 2004
87	May 2004
84	April 2004
17	March 2004
62	February 2004
14	January 2004
28	December 2003
14	November 2003
15	October 2003
38	September 2003
60	August 2003
28	July 2003
31	June 2003
48	May 2003
24	April 2003
39	March 2003
18	February 2003
29	January 2003
26	December 2002
41	November 2002
47	October 2002
18	September 2002
14	August 2002
23	July 2002
20	June 2002
92	May 2002
29	April 2002
56	March 2002
47	February 2002
33	January 2002
18	December 2001
91	November 2001
58	October 2001
49	September 2001
15	August 2001
49	July 2001
109	June 2001
52	May 2001
39	April 2001
99	March 2001
134	February 2001
123	January 2001
26	December 2000
59	November 2000
72	October 2000
143	September 2000
44	August 2000
81	July 2000
20	June 2000
12	May 2000
11	April 2000
63	March 2000
22	February 2000
8	January 2000
1	December 1999
6	October 1999
15	September 1999
3	August 1999
9	July 1999
12	June 1999
7	May 1999
16	April 1999
28	March 1999
9	February 1999

Mon	Tue	Wed	Thu	Fri	Sat	Sun

	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30