AUDITING NETWORK ACTIVITY

Rasort Examples

The argus-clients package provides a set of core client programs that cover the basic functions needed to work with argus flow data: printing, processing, sorting, aggregating, tallying, collecting, distributing, archiving, and anonymizing records. Here we provide basic examples of how to use the utility rasort. The examples use the standard argus sample data sets.

Rasort is the principal client program for sorting argus records. Other clients, such as rabins.1 and racluster.1, share rasort's sorting code, so it is an important utility to understand. The standard data set used here, argus.simple.data.out, is already sorted by start time ("stime"), so sorting on a different field makes the reordering easy to see. In the first example the records are sorted on the packet count, and the output lists them from the largest count down.

rasort -r argus.simple.data.out -m pkts
StartTime         Flgs   Proto      SrcAddr  Sport   Dir        DstAddr  Dport TotPkts TotBytes State
 17:48:36.592155  e      tcp   192.168.0.68.60245    ->   128.2.129.188.http        27     1820   FIN
 17:48:36.632662  e      tcp   192.168.0.68.60246    ->   216.92.14.146.http        24    15168   FIN
 17:48:36.705481  e      tcp   192.168.0.68.60247    ->   128.2.129.188.http        23    14725   FIN
 17:48:36.705669  e i    tcp   192.168.0.68.60248    ->   128.2.129.188.http        11     2722   FIN
 17:48:36.589413  M      arp   192.168.0.68          who   192.168.0.66              6      318   CON
 17:48:36.591391  e      arp   192.168.0.66          who    192.168.0.1              4      256   INT
 17:48:36.590954  M      arp   192.168.0.68          who    192.168.0.1              2      106   CON
 17:48:36.590557  e      udp   192.168.0.68.53404    <->   192.168.0.66.domain       2      207   CON
 17:48:36.589949  e      udp   192.168.0.68.50251    <->   192.168.0.66.domain       2      232   CON

Rasort accepts any number of fields after -m. Records are sorted on the first field, and each subsequent field is used only to break ties left by the fields before it. In this example we sort on pkts and use bytes as the tie breaker: the three records with 2 packets, which the first example left in no particular order, now appear by decreasing byte count (232, 207, 106).

rasort -r argus.simple.data.out -m pkts bytes
StartTime         Flgs   Proto      SrcAddr  Sport   Dir        DstAddr  Dport TotPkts TotBytes State
 17:48:36.592155  e      tcp   192.168.0.68.60245    ->   128.2.129.188.http        27     1820   FIN
 17:48:36.632662  e      tcp   192.168.0.68.60246    ->   216.92.14.146.http        24    15168   FIN
 17:48:36.705481  e      tcp   192.168.0.68.60247    ->   128.2.129.188.http        23    14725   FIN
 17:48:36.705669  e i    tcp   192.168.0.68.60248    ->   128.2.129.188.http        11     2722   FIN
 17:48:36.589413  M      arp   192.168.0.68          who   192.168.0.66              6      318   CON
 17:48:36.591391  e      arp   192.168.0.66          who    192.168.0.1              4      256   INT
 17:48:36.589949  e      udp   192.168.0.68.50251    <->   192.168.0.66.domain       2      232   CON
 17:48:36.590557  e      udp   192.168.0.68.53404    <->   192.168.0.66.domain       2      207   CON
 17:48:36.590954  M      arp   192.168.0.68          who    192.168.0.1              2      106   CON
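The multi-key rule described for both listings above (sort on the first field, let each later field break ties in the earlier ones) is reproduced below in Python as an added example. It is not argus-clients code and does not run rasort or ra; the input is the nine records from the listings, transcribed by hand into an assumed pipe-delimited layout, and the field names `pkts`, `bytes`, `saddr`, `daddr` and the `DESCENDING` set are this example's own choices. The example also goes one step beyond the page by sorting on a text field (proto) with a numeric tie breaker.

```python
"""Multi-key sort of argus flow records in the manner of ``rasort -m``.

Added example: this is not argus-clients code. It re-implements the
"later field breaks ties in the earlier one" rule in Python over records
transcribed from the rasort listings above.
"""
from dataclasses import dataclass

# Constructed input: the nine records from the listings above, written in
# an assumed pipe-delimited layout (ra itself is not invoked here), in stime
# order because the page says argus.simple.data.out is already sorted on stime.
SAMPLE = """\
17:48:36.589413|M|arp|192.168.0.68|who|192.168.0.66|6|318|CON
17:48:36.589949|e|udp|192.168.0.68.50251|<->|192.168.0.66.domain|2|232|CON
17:48:36.590557|e|udp|192.168.0.68.53404|<->|192.168.0.66.domain|2|207|CON
17:48:36.590954|M|arp|192.168.0.68|who|192.168.0.1|2|106|CON
17:48:36.591391|e|arp|192.168.0.66|who|192.168.0.1|4|256|INT
17:48:36.592155|e|tcp|192.168.0.68.60245|->|128.2.129.188.http|27|1820|FIN
17:48:36.632662|e|tcp|192.168.0.68.60246|->|216.92.14.146.http|24|15168|FIN
17:48:36.705481|e|tcp|192.168.0.68.60247|->|128.2.129.188.http|23|14725|FIN
17:48:36.705669|e i|tcp|192.168.0.68.60248|->|128.2.129.188.http|11|2722|FIN
"""


@dataclass(frozen=True)
class Flow:
    stime: str
    flgs: str
    proto: str
    saddr: str
    dir: str
    daddr: str
    pkts: int
    bytes: int
    state: str


# Counters sort high-to-low, as in the listings above; text fields sort
# ascending. These names are this example's, not rasort's full field set.
DESCENDING = {"pkts", "bytes"}
SORTABLE = DESCENDING | {"stime", "proto", "saddr", "daddr", "state"}


def parse(text):
    """Turn the pipe-delimited sample into Flow records, keeping file order."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stime, flgs, proto, saddr, dir_, daddr, pkts, nbytes, state = line.split("|")
        flows.append(Flow(stime, flgs, proto, saddr, dir_, daddr,
                          int(pkts), int(nbytes), state))
    return flows


def sort_flows(flows, fields):
    """Sort on fields[0]; each later field only breaks ties left by the
    earlier ones. Records still tied after the last field keep their input
    order because Python's sort is stable; the page does not say what rasort
    does with such ties, so that part is this example's behaviour only."""
    unknown = [f for f in fields if f not in SORTABLE]
    if unknown:
        raise ValueError("unsupported sort field(s): %s" % ", ".join(unknown))

    def key(flow):
        # One tuple per record: element i decides only when elements 0..i-1
        # are equal. Negating counters makes an ascending sort run high-to-low.
        return tuple(-getattr(flow, f) if f in DESCENDING else getattr(flow, f)
                     for f in fields)

    return sorted(flows, key=key)


def render(flows):
    """Lines in roughly ra's column layout, header first."""
    header = "%-16s %-4s %-5s %-22s %-4s %-22s %7s %8s %s" % (
        "StartTime", "Flgs", "Proto", "SrcAddr.Sport", "Dir", "DstAddr.Dport",
        "TotPkts", "TotBytes", "State")
    rows = ["%-16s %-4s %-5s %-22s %-4s %-22s %7d %8d %s" % (
        f.stime, f.flgs, f.proto, f.saddr, f.dir, f.daddr, f.pkts, f.bytes, f.state)
        for f in flows]
    return [header] + rows


if __name__ == "__main__":
    flows = parse(SAMPLE)
    for fields in (["pkts"], ["pkts", "bytes"], ["proto", "bytes"]):
        print("rasort -m %s" % " ".join(fields))
        print("\n".join(render(sort_flows(flows, fields))))
        print()
```

Running the script prints three listings: `-m pkts`, `-m pkts bytes` (matching the second listing above, with the 2-packet records ordered 232, 207, 106 bytes), and `-m proto bytes`, which groups the arp, tcp and udp records and orders each group by byte count. The key tuple is the whole idea: Python compares tuples element by element, so a later field can never override an earlier one, which is exactly the tie-breaking rule the text describes.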