AUDITING NETWORK ACTIVITY

Ra Examples

The argus-clients package provides a set of core client programs that provide the basic functions needed to use argus flow data. This includes printing, processing, sorting, aggregating, tallying, collecting, distributing, archiving, and anonymizing data. Here we provide basic examples of how to use the utility ra. For these examples, we use standard sets of argus data.

Ra is the principal client program that reads argus data sources, either files or streams, and prints the contents to the screen, or writes the data to a file or pipe. All client programs share the complete set of functionality of ra, so it's a great starting example.

ra -r argus.simple.data.out
StartTime         Flgs   Proto      SrcAddr  Sport   Dir        DstAddr  Dport TotPkts TotBytes State
 17:48:36.589413  M      arp   192.168.0.68          who   192.168.0.66              6      318   CON
 17:48:36.589949  e      udp   192.168.0.68.50251    <->   192.168.0.66.domain       2      23    CON
 17:48:36.590557  e      udp   192.168.0.68.53404    <->   192.168.0.66.domain       2      207   CON
 17:48:36.590954  M      arp   192.168.0.68          who    192.168.0.1              2      106   CON
 17:48:36.591391  e      arp   192.168.0.66          who    192.168.0.1              4      256   INT
 17:48:36.592155  e      tcp   192.168.0.68.60245    ->   128.2.129.188.http        27     1820   FIN
 17:48:36.632662  e      tcp   192.168.0.68.60246    ->   216.92.14.146.http        24    15168   FIN
 17:48:36.705481  e      tcp   192.168.0.68.60247    ->   128.2.129.188.http        23    14725   FIN
 17:48:36.705669  e i    tcp   192.168.0.68.60248    ->   128.2.129.188.http        11     2722   FIN

This is the default output. All aspects of the output can be modified, generally from the command line, and completely specified using the rarc file strategy, which is highly recommended and installed in the home directory as ./.rarc.

Changing which fields will be printed, their order and their widths is easy to do, and all 187 fields are supported. Be sure to check the ra.1 manpage for a complete description.

ra -r argus.simple.data.out -s stime saddr daddr proto sport dport pkts bytes
StartTime              SrcAddr        DstAddr  Proto  Sport  Dport TotPkts   TotBytes
 17:48:36.589413  192.168.0.68   192.168.0.66    arp                     6        318
 17:48:36.589949  192.168.0.68   192.168.0.66    udp 50251  domain       2        232
 17:48:36.590557  192.168.0.68   192.168.0.66    udp 53404  domain       2        207
 17:48:36.590954  192.168.0.68    192.168.0.1    arp                     2        106
 17:48:36.591391  192.168.0.66    192.168.0.1    arp                     4        256
 17:48:36.592155  192.168.0.68  128.2.129.188    tcp 60245  http        27      18208
 17:48:36.632662  192.168.0.68  216.92.14.146    tcp 60246  http        24      15168
 17:48:36.705481  192.168.0.68  128.2.129.188    tcp 60247  http        23      14725
 17:48:36.705669  192.168.0.68  128.2.129.188    tcp 60248  http        11       2722

Ra provides flexibility in how fields are printed. Many fields can be printed as strings (names, aliases or numeric values) or as decimal, hexadecimal and/or octal representations. In particular, IP addresses can be printed as fully qualified domain names (FQDN), as IANA standard dotted-decimal strings, as signed or unsigned decimal numbers, or as hexadecimal values. The formats are specified using the syntax of sprintf.1.

ra -r argus.simple.data.out -N2 -s stime saddr:12 saddr:12:%d saddr:12:%u saddr:12:0x%x saddr:13:0%o
      StartTime       SrcAddr      SrcAddr      SrcAddr      SrcAddr       SrcAddr
 17:48:36.589413 192.168.0.68  -1062731708   3232235588   0xc0a80044  030052000104
 17:48:36.589949 192.168.0.68  -1062731708   3232235588   0xc0a80044  030052000104

ra -r argus.simple.data.out -N1 -nnn -s stime saddr:26 daddr:24
      StartTime                    SrcAddr               DstAddr
 17:48:36.589413 thoth.newyork.qosient.com  isis.qosient.private
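The conversions behind those format specifiers, as an added Python example (this is not code from argus-clients; it only reproduces the arithmetic ra performs when it prints saddr with %d, %u, 0x%x and 0%o). The reverse function, parse_any, is an assumption of this example and is useful when a log source hands you an address in one of the integer forms and you need the dotted quad back to correlate with ra output.

```python
import ipaddress
import struct


def addr_representations(dotted: str) -> dict:
    """Return an IPv4 address in the forms ra's saddr format specifiers
    produce: dotted quad, signed decimal (%d), unsigned decimal (%u),
    hexadecimal (0x%x) and octal (0%o)."""
    packed = ipaddress.IPv4Address(dotted).packed        # 4 bytes, network order
    unsigned = struct.unpack("!I", packed)[0]           # as an unsigned 32-bit value
    signed = struct.unpack("!i", packed)[0]             # same bits read as int32
    return {
        "dotted": dotted,
        "signed": signed,
        "unsigned": unsigned,
        "hex": f"0x{unsigned:x}",
        "octal": f"0{unsigned:o}",
    }


def parse_any(text: str) -> str:
    """Convert any of the representations above back to a dotted quad.
    Prefix rules follow the ra output: 0x for hex, a leading 0 for octal,
    otherwise (possibly negative) decimal."""
    text = text.strip()
    if "." in text:
        return str(ipaddress.IPv4Address(text))
    if text.lower().startswith("0x"):
        value = int(text, 16)
    elif len(text) > 1 and text.startswith("0"):
        value = int(text, 8)
    else:
        value = int(text, 10) & 0xFFFFFFFF               # signed decimal wraps to unsigned
    return str(ipaddress.IPv4Address(value))


if __name__ == "__main__":
    # Reproduces the row ra printed for 192.168.0.68 above.
    for name, value in addr_representations("192.168.0.68").items():
        print(f"{name:>8}: {value}")
    print(parse_any("-1062731708"), parse_any("030052000104"))
```

Note that %d is a signed 32-bit reinterpretation, so any address with a first octet of 128 or above prints negative; when feeding such values into another tool, the unsigned or hexadecimal form avoids that surprise.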

Ra supports a rather rich filtering strategy that lets you select records based on the flow contents. The filter syntax is very similar to tcpdump's, but the filter deals with flow concepts rather than packet concepts, so the syntax is different. Be sure to check the ra.1 manpage for a complete description.

ra -r argus.simple.data.out - tcp and src port gt 60246
StartTime         Flgs   Proto      SrcAddr  Sport   Dir        DstAddr  Dport TotPkts TotBytes State
 17:48:36.705481  e      tcp   192.168.0.68.60247    ->   128.2.129.188.http        23    14725   FIN
 17:48:36.705669  e i    tcp   192.168.0.68.60248    ->   128.2.129.188.http        11     2722   FIN

Ra also supports selecting records based on content within the user data buffers captured by argus. Using regular expressions, ra can "grep" the binary buffers.

ra -r argus.simple.data.out -e "qosient.com"
StartTime         Flgs   Proto      SrcAddr  Sport   Dir        DstAddr  Dport TotPkts TotBytes State
 17:48:36.590557  e      udp   192.168.0.68.53404    <->   192.168.0.66.domain       2      207   CON
 17:48:36.632662  e      tcp   192.168.0.68.60246    ->   216.92.14.146.http        24    15168   FIN

Ra also supports selecting records based on their rank in the stream. The clients can select from the incoming and/or the outgoing stream of data. In this case, ra will print out only the 2nd, 3rd, 4th and 5th output records (the o prefix counts output records, i.e. after the filter has been applied).

ra -r argus.simple.data.out -N o2-5 - src host 192.168.0.68
StartTime         Flgs   Proto      SrcAddr  Sport   Dir        DstAddr  Dport TotPkts TotBytes State
 17:48:36.589949  e      udp   192.168.0.68.50251    <->   192.168.0.66.domain       2      23    CON
 17:48:36.590557  e      udp   192.168.0.68.53404    <->   192.168.0.66.domain       2      207   CON
 17:48:36.590954  M      arp   192.168.0.68          who    192.168.0.1              2      106   CON
 17:48:36.592155  e      tcp   192.168.0.68.60245    ->   128.2.129.188.http        27     1820   FIN
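The two selection mechanisms just shown, a flow filter and a rank range applied to the filtered output, as an added Python example that post-processes ra's default text output (this is not part of argus-clients, which filters the binary records before printing; the sample lines are the page's own default output, embedded here so the script runs without argus installed, and the SERVICES table is a constructed subset of the names ra prints when not run with -n). Fixed columns are anchored from the right because the Flgs column can be one token ("e") or several ("e i").

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: ra's default output for the dataset used above.
RA_OUTPUT = """\
StartTime         Flgs   Proto      SrcAddr  Sport   Dir        DstAddr  Dport TotPkts TotBytes State
 17:48:36.589413  M      arp   192.168.0.68          who   192.168.0.66              6      318   CON
 17:48:36.589949  e      udp   192.168.0.68.50251    <->   192.168.0.66.domain       2      23    CON
 17:48:36.590557  e      udp   192.168.0.68.53404    <->   192.168.0.66.domain       2      207   CON
 17:48:36.590954  M      arp   192.168.0.68          who    192.168.0.1              2      106   CON
 17:48:36.591391  e      arp   192.168.0.66          who    192.168.0.1              4      256   INT
 17:48:36.592155  e      tcp   192.168.0.68.60245    ->   128.2.129.188.http        27     1820   FIN
 17:48:36.632662  e      tcp   192.168.0.68.60246    ->   216.92.14.146.http        24    15168   FIN
 17:48:36.705481  e      tcp   192.168.0.68.60247    ->   128.2.129.188.http        23    14725   FIN
 17:48:36.705669  e i    tcp   192.168.0.68.60248    ->   128.2.129.188.http        11     2722   FIN
"""

SERVICES = {"domain": 53, "http": 80}      # constructed subset of service names
DIRS = {"->", "<-", "<->", "who"}
RANK_RE = re.compile(r"^([io])?(\d+)(?:-(\d+))?$")


@dataclass
class Flow:
    stime: str
    flags: str
    proto: str
    saddr: str
    sport: Optional[int]
    direction: str
    daddr: str
    dport: Optional[int]
    pkts: int
    nbytes: int
    state: str


def _split_endpoint(token: str, proto: str):
    """'192.168.0.68.50251' -> ('192.168.0.68', 50251); arp carries no port."""
    if proto == "arp" or token.count(".") < 4:
        return token, None
    addr, port = token.rsplit(".", 1)
    return addr, (int(port) if port.isdigit() else SERVICES.get(port))


def parse_ra_output(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "StartTime":          # skip blanks and the header
            continue
        proto, src, direction, dst, pkts, nbytes, state = tok[-7:]
        if direction not in DIRS:
            raise ValueError(f"unrecognised ra line: {line!r}")
        flags = " ".join(tok[1:-7])                    # everything between time and proto
        saddr, sport = _split_endpoint(src, proto)
        daddr, dport = _split_endpoint(dst, proto)
        flows.append(Flow(tok[0], flags, proto, saddr, sport, direction,
                          daddr, dport, int(pkts), int(nbytes), state))
    return flows


def select_rank(flows: List[Flow], spec: str) -> List[Flow]:
    """Mimic ra -N: 'N' keeps the first N records, 'a-b' keeps records a..b
    (1-based, inclusive). The i/o prefix is accepted but not distinguished
    here, since this post-processor only ever sees ra's output stream."""
    m = RANK_RE.match(spec)
    if not m:
        raise ValueError(f"bad rank spec: {spec!r}")
    _, first, last = m.groups()
    return flows[: int(first)] if last is None else flows[int(first) - 1 : int(last)]


# Python predicates standing in for the two ra filters used on this page.
def tcp_src_port_gt(limit: int) -> Callable[[Flow], bool]:
    return lambda f: f.proto == "tcp" and f.sport is not None and f.sport > limit


def src_host(addr: str) -> Callable[[Flow], bool]:
    return lambda f: f.saddr == addr


def run(text: str, predicate=None, rank: Optional[str] = None) -> List[Flow]:
    """Filter first, then rank-select, which is the order the -N o2-5 output above reflects."""
    flows = parse_ra_output(text)
    if predicate is not None:
        flows = [f for f in flows if predicate(f)]
    if rank is not None:
        flows = select_rank(flows, rank)
    return flows


if __name__ == "__main__":
    for f in run(RA_OUTPUT, tcp_src_port_gt(60246)):
        print(f.stime, f.proto, f.saddr, f.sport, f.daddr, f.dport, f.state)
    for f in run(RA_OUTPUT, src_host("192.168.0.68"), "o2-5"):
        print(f.stime, f.flags, f.proto, f.saddr, f.daddr, f.nbytes)
```

For anything beyond a quick check, prefer ra's own filter and -N on the binary data: the text parser depends on column layout and on service names, which change with -n and with the fields selected via -s.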