Provided by: argus-client_5.0.2+git20250321.41f65e2-2ubuntu1_amd64 
NAME
racompare - display and compare sorted network flow data
SYNOPSIS
racompare -r baseline:argus.data.file [raoptions] [-- filter-expression]
DESCRIPTION
Racompare reads argus(8) data from an argus-file, or from a remote data source, and compares sorted list
of network flow records against flow baselines. When read from a file, racompare displays the resulting
flow caches when the file is completed, updating its status display line with each input. When reading
from a live argus data stream, racompare will display data, asynchronously in realtime, as it is received
from the source.
Flow data is aggregated as its read, (see racluster.1), using the same aggregation model for the baseline
as the input data for comparison, resulting in a single line for each network transaction encountered in
the data stream. The default sorting key is matched packets per flow, but other keys can be used
instead. Like ratop when reading realtime flows from a remote source, flow records that have been idle
for more than the default 60s are removed. Various output options, such as the specific columns of data
to display, the entry idle timeout value, the screen refresh rate, etc ... are all configurable.
racompare uses ncurses and readline.3, when available, to provide an emacs.1 or vi.1 look and feel for
displaying, navigating and modifying network flow data. Configure these features using readline's
configuruation strategy, .inputrc in the home directory. See 'man readline'.
While running racompare a lot of help can be obtained from the on-line help system, using the ":h"
command.
OPTIONS
Command line option specifications are processed from left to right. Options can be specified more than
once. If conflicting options are specified, later specifications override earlier ones. This makes it
viable to create a shell alias for racompare with preferred defaults specified, then override those
preferred defaults as desired on the command line.
racompare, like all ra based clients, supports a number of ra options including filtering of input argus
records through a terminating filter expression, and the ability to specify the output style, format and
contents for printing data. See ra(1) for a complete description of ra options. racompare(1) specific
options are:
-m aggregation object
Supported aggregation objects are:
none use a null flow key.
srcid argus source identifier.
smac source mac(ether) addr.
dmac destination mac(ether) addr.
soui oui portion of the source mac(ether) addr.
doui oui portion of the destination mac(ether) addr.
smpls source mpls label.
dmpls destination label addr.
svlan source vlan label.
dvlan destination vlan addr.
saddr/[l|m] source IP addr/[cidr len | m.a.s.k].
daddr/[l|m] destination IP addr/[cidr len | m.a.s.k].
matrix/l sorted src and dst IP addr/cidr len.
proto transaction protocol.
sport source port number. Implies use of 'proto'.
dport destination port number. Implies use of 'proto'.
stos source TOS byte value.
dtos destination TOS byte value.
sttl src -> dst TTL value.
dttl dst -> src TTL value.
stcpb src -> dst TCP base sequence number.
dtcpb dst -> src TCP base sequence number.
inode[/l|m]] intermediate node IP addr/[cidr len | m.a.s.k], source of ICMP mapped events.
sco source ARIN country code, if present.
dco destination ARIN country code, if present.
sas source node origin AS number, if available.
das destination node origin AS number, if available.
ias intermediate node origin AS number, if available.
-M modes
Supported modes are:
correct Attempt to correct the direction of flows by also searching the reverse flow key,
if a match isn't found in the cache. This mode is on by default when using the
default full 5-tuple flow key definitions.
nocorrect Turn off flow correction for direction. This mode is used by default if the flow
key has been changed.
preserve Preserve fields when aggregating matching flow data.
nopreserve Do not preserve fields when aggregating matching flow data.
norep Do not generate an aggregate statistic for each flow. This is used primarily when
the output represents a single object. Primarily used when merging status records
to generate single flows that represent single transactions.
rmon Generate data suitable for producing RMON types of metrics.
nocurses Do not use the curses interface to present data. This option is primarily used when
debugging racompare, to get around the issues of screen maniuplation within a
debugger like gdb or lldb.
DISPLAY
The first several lines of the racompare display show global state. The top line shows how racompare is
running, with the list of command line options that are in effect. In the upper most right corner is the
current time. The next line is the column title line, that labels each column. The bottom line is the
command line, where you will see and prepare ':' commands. The line above the bottom line is the status
line, showing the number of flows that are in the racompare process queue, display queue, the total
number of flows read, the rate of flow records read, and the current status, whether it is Active,
reading records, or Idle, when all input is complete. This line can be toggled on or off using ^G.
Flows caches are displayed one per row and are sorted by total pkts, by default. racompare sorting can
be configured using the rarc variable RA_SORT_ALGORITHMS, or by using the ":P" command.
racompare supports 3 basic filters. Like all other ra* programs, racompare will send its command line
filter to its remote argus data sources, to limit the load on the wire. This is the "remote" filter.
Also, racompare supports a "local" filter, that is applied to flow record input. Normally this is used
when the remote argus data source doesn't support the syntax of the specific filter. racompare also
support a "display" filter, that is used to select which flow records are to be displayed. This filter
does not have any impact on the internal flow caches that racompare is tracking, so you can change the
"display" filter at any time and see the current state of other flows.
COLOR
racompare supports color which is configured using the rarc file. The RA_COLOR_CONFIG file is a fall
through specification of flow filters and field color definitions. For flows that match a filter,
specific fields in the row will be painted the configured color. Because the filter specification
supports the " cont " directive, a single row can be painted by any number of color definitions.
When color is enabled racompare will attempt to color IP addresses to indicate that local host address,
and the local network. This is very helpful in mobile host installations, where you may not know what IP
address has been assigned the localhost. racompare also supports coloring local addresses based on the
RA_LOCAL rarc variable.
See racolor.conf.5.
ARGUS EVENTS
Introduced in argus-3.0.8, racompare supports correlating specific ARGUS_EVENT data with flow data, which
can be turned on through the use of the RA_CORRELATE_EVENTS rarc variable. racompare will process argus-
lsof event data generated by host bourne argi, and label flow data with user, pid and process name
metadata. While experimental, it is production level functionality, and can be used with other ra*
programs to enhance flow data with host os process information. See argus-3.0.8 documentation on
ARGUS_EVENTS.
EXAMPLES
racompare -r argus.file -s rank stime dur:14 saddr daddr proto pkts bytes
Read the file argus.file, and display the resulting aggregated and sorted list of flow records,
using the default sorting methods.
racompare -S localhost
Run racompare as a live display of realtime flow traffic.
COPYRIGHT
Copyright (c) 2000-2024 QoSient. All rights reserved.
AUTHORS
Carter Bullard (carter@qosient.com).
SEE ALSO
rarc(5) racluster(1) racluster.conf(5) readline(3)
racompare 5.0.3 12 July 2023 RACOMPARE(1)