
Ratop Display Filter Example

This video is as simple as it gets for demonstrating the use of display filters in ratop() when displaying argus data. It shows command line instantiation of ratop(), reading one of the standard sets of argus data. Once the file has been read in, the user types ":f" to enter 'Specify filter' mode. This mode supports three filters: a remote filter, which is sent to the argus data source; a local filter, which is applied to incoming argus records; and a display filter, which selects flows for display without affecting the reading and processing of argus data.

You normally use a display filter to limit the number of flow records that are seen on the screen. In this case, we've read the file argus.2012.02.13.17.20.out, which contains 554 flow records that are aggregated into 335 distinct flows. At first, ratop() reports on the bottom status line that the read was successful. We type "^g", which displays a status line giving the number of flows in the cache, the number in the display, and some performance stats.

Next, we use a port range filter to pick out only a few flow records of interest, using the ":f" command:

" display src port 60400-60415 "

Once we've gotten the flows we like, we change the sort order using the ":s sport" command, then we write the 16 displayed flows to a file, /tmp/test.out. After this, we close ratop() and read the /tmp/test.out file to verify that it's the same as what we saw on the screen just moments before.