Provided by: argus-client_2.0.6.fixes.1-3_amd64 
NAME
ra - read argus(8) data.
COPYRIGHT
Copyright (c) 2000-2003 QoSient. All rights reserved.
SYNOPSIS
ra
ra [raoptions] [- filter-expression]
DESCRIPTION
Ra reads argus(8) data from either stdin, an argus-file, or from a remote argus-server, filters the
records it encounters based on an optional filter-expression and either prints the contents of the
argus(5) records that it encounters to stdout or writes them out into an argus(5) datafile.
OPTIONS
-A When generating ASCII output, print the application byte counts.
-b Dump the compiled transaction-matching code to standard output and stop. This is useful for
debugging filter expressions.
-C [host:]<portnum>
Indicate the optional host and required port number for the remote Cisco Netflow record source. This
will cause ra(1) to open a UDP socket, binding on the host and supplied port, and attempt to read
Cisco Netflow records from the open socket.
-d <bytes>
Print specified number of <bytes> from the user data capture buffer. The <bytes> value can be a
number, or an expression that specifies the number of bytes for either the source or destination
buffer. Formats include:
-d 32 print 32 bytes from the src and dst buffer
-d s24 print 24 bytes from the src buffer
-d d16 print 16 bytes from the dst buffer
-d s32:d8 print 32 bytes from the src buffer and
8 bytes from the dst buffer
-D <level>
Print debug information corresponding to <level> to stderr, if program compiled to support debug
printing. As the level increases, so does the amount of debug information ra(1) will print. Values
range from 1-8.
-E <file>
When using a filter expression at the end of the command, this option will cause ra(1) to write the
records that are rejected by the filter into <file>
-F <conffile>
Use <conffile> as a source of configuration information. The format of this file is identical to
rarc(5). The data read from <conffile> overrides any prior configuration information.
-h Print an explanation of all the arguments.
-n Do not translate host and service numbers to names. -nn will suppress translation of protocol
numbers, as well.
-p <digits>
Print <digits> number of units of precision for fraction of time.
-q Run in quiet mode. Configure Ra to not print out the contents of records. This can be used with the
-T and -a options to support aggregate activity without printing each input record.
-r <file file ...> -
Read data from <files> in the order presented on the commandline. '-' denotes stdin. Because this
option can have many arguments, it must be terminated with a '-'. The '-' of subsequent options is
sufficient. Ra can read gzip(1), bzip2(1) and compress(1) compressed data files.
-R Print response data when available. This option applies to ICMP, arp and BOOTP traffic to indicate
the responses to these protocol specific queries.
-s <[-][[+[#]]field ...> -
Specify the fields to print. Ra uses a default printing field list, by specifying a field you can
replace this list completely, or you can modify the existing default print list, using the optional
'-' and '+[#]' form of the command. The available fields to print are:
startime, lasttime, count, dur, avgdur,
saddr, daddr, proto, sport, dport, ipid,
stos, dtos, sttl, dttl, bytes, sbytes, dbytes,
pkts, spkts, dpkts, load, loss, rate,
srcid, ind, mac, dir, jitter, status, user,
win, trans, seq, vlan, mpls
Examles are:
-s srcaddr print only the source address.
-s -bytes removes the bytes field from list.
-s +2srcid adds MAC addresses as the 2nd field.
-s mac pkts prints MAC addresses and src and dst pkt counts.
-S <host[:portnum]>
Specify a remote argus-server <host>. Use the optional
-t <timerange>
Specify the <time range> for matching argus(5) records. The syntax for the <time range> is:
timeSpecification[-timeSpecification]
timeSpecification: [[[yyyy/]mm/]dd.]hh[:mm[:ss]]
[yyyy/]mm/dd
-%d{yMdhms}
Examples are:
-t 14 matches 2pm-3pm any day
-t 23.11:10-14 11:10:00 - 2pm on the 23rd
-t 11/23 all records on Nov 23rd
-t 1999/01/23.10 10-11am on Jan, 23, 1999
-t -10m matches 10 minutes before to the present
-t -2h5m-2h matches range between 2 hours 5 minutes before
until 2 hours before.
-T <secs>
Read argus(5) from remote server for <secs> of time.
-u Write out time values using UTC time format.
-w <file>
Write out matching data to <file>, in argus file format. An output-file of '-' directs ra to write
the argus(5) records to stdout, allowing for "chaining" ra* style commands together.
-z Print Argus TCP state changes for each tcp transaction. Values are
's' - Syn Transmitted
'S' - Syn Acknowledged
'E' - TCP Established
'f' - Fin Transmitted (FIN Wait State 1)
'F' - Fin Acknowledged (FIN Wait State 2)
'R' - TCP Reset
-Z <s|d|b>
Print actual TCP flag values. <'s'rc | 'd'st | 'b'oth>.
'F' - Fin
'S' - Syn
'R' - Reset
'P' - Push
'A' - Ack
'U' - Urgent Pointer
'7' - Undefined 7th bit set
'8' - Undefined 8th bit set
FILTER EXPRESSION
If arguments remain after option processing, the collection is interpreted as a single filter expression.
In order to indicate the end of arguments, a '-' is recommended before the filter expression is added to
the command line.
The filter expression specifies which argus(5) records will be selected for processing. If no expression
is given, all records are selected, otherwise, only those records for which expression is `true' will be
printed.
The syntax is very similar to the expression syntax for tcpdump(1), as the tcpdump compiler was the basis
for the argus(5) filter expression compiler. The semantics for tcpdump(1)'s packet filter expression are
different when applied to transaction record filtering, so there are some major differences.
The expression consists of one or more primitives. Primitives usually consist of an id (name or number)
preceded by one or more qualifiers. There are three different kinds of qualifier:
type qualifiers say what kind of thing the id name or number refers to. Possible types are srcid,
host, net, port, tos, ttl, vid, and mid.
E.g., `srcid isis`, `host sphynx', `net 192.168', `port domain', `ttl 1'. If there is no type
qualifier, host is assumed.
dir qualifiers specify a particular transfer direction to and/or from an id. Possible directions are
src, dst, src or dst and src and dst. E.g., `src sphynx', `dst net 192.168', `src or dst port
ftp', `src and dst tos 0x0a', `src or dst vid 0x12`. If there is no dir qualifier, src or dst is
assumed.
proto qualifiers restrict the match to a particular protocol. Possible values are those specified in
the /etc/protocols system file. When preceeded by ether, the protocol names and numbers that are
valid are specified in ./include/ethernames.h.
In addition to the above, there are some special `primitive' keywords that don't follow the pattern:
gateway, multicast, and broadcast. All of these are described below.
More complex filter expressions are built up by using the words and, or and not to combine primitives.
E.g., `host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can
be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or
tcp dst port ftp-data or tcp dst port domain'.
Allowable primitives are:
srcid argusid
True if the argus identifier field of the Argus record is srcid, which may be an IP address, a
name or a decimal/hexidecimal number.
dst host host
True if the IP destination field of the Argus record is host, which may be either an address or a
name.
src host host
True if the IP source field of the Argus record is host.
host host
True if either the IP source or destination of the Argus record is host. Any of the above host
expressions can be prepended with the keywords, ip, arp, or rarp as in:
ip host host
which is equivalent to:
ether proto \ip and host host
If host is a name with multiple IP addresses, each address will be checked for a match.
ether dst ehost
True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or
a number (see ethers(3N) for numeric format).
ether src ehost
True if the ethernet source address is ehost.
ether host ehost
True if either the ethernet source or destination address is ehost.
gateway host
True if the transaction used host as a gateway. I.e., the ethernet source or destination address
was host but neither the IP source nor the IP destination was host. Host must be a name and must
be found in both /etc/hosts and /etc/ethers. (An equivalent expression is
ether host ehost and not host host
which can be used with either names or numbers for host / ehost.)
dst net net
True if the IP destination address of the Argus record has a network number of net, which may be
either an address or a name.
src net net
True if the IP source address of the Argus record has a network number of net.
net net
True if either the IP source or destination address of the Argus record has a network number of
net.
dst port port
True if the network transaction is ip/tcp or ip/udp and has a destination port value of port. The
port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is
used, both the port number and protocol are checked. If a number or ambiguous name is used, only
the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who
traffic, and port domain will print both tcp/domain and udp/domain traffic).
src port port
True if the network transaction has a source port value of port.
port port
True if either the source or destination port of the Argus record is port. Any of the above port
expressions can be prepended with the keywords, tcp or udp, as in:
tcp src port port
which matches only tcp connections.
ip proto protocol
True if the Argus record is an ip transaction (see ip(4P)) of protocol type protocol. Protocol
can be a number or any of the string values found in /etc/protocolsk.
multicast
True if the network transaction involved an ip multicast address. By specifing ether multicast,
you can select argus records that involve an ethernet multicast address.
broadcast
True if the network transaction involved an ip broadcast address. By specifing ether broadcast,
you can select argus records that involve an ethernet broadcast address.
ether proto protocol
True if the Argus record is of ether type protocol. Protocol can be a number or a name like ip,
arp, or rarp. Note these identifiers are also keywords and must be escaped via backslash (\).
dst ttl number
True if the destination TTL of the Argus record equals number.
src ttl number
True if the source TTL of the Argus record equals number.
ttl number
True if either the source or destination TTL of the Argus record equals number.
dst tos number
True if the destination TOS of the Argus record equals number.
src tos number
True if the source TOS of the Argus record equals number.
tos number
True if either the source or destination TOS of the Argus record equals number.
dst vid number
True if the destination VLAN id of the Argus record equals number.
src vid number
True if the source VLAN id of the Argus record equals number.
vid number
True if either the source or destination VLAN id of the Argus record equals number.
dst mid number
True if the destination MPLS Label of the Argus record equals number.
src mid number
True if the source MPLS Label of the Argus record equals number.
mid number
True if either the source or destination MPLS Label of the Argus record equals number.
Ra filter expressions support primitives that are specific to flow states and can be used to select flow
records that were in these states at the time they were generated. normal, wait, timeout, est or con
Primitives that select flows that experienced fragmentation. frag and fragonly
Support for selecting flows that used multiple pairs of MAC addresses during their lifetime. multipath
Primitives specific to TCP flows are supported. syn, synack, data, ecn, fin, finack, reset, retrans,
outoforder and winshut
Primitives specific to ICMP flows are supported. echo, unreach, redirect and timexed
For some primitives, a direction qualifier is appropriate. These are frag, reset, retrans, outoforder
and winshut
Primitives may be combined using:
A parenthesized group of primitives and operators (parentheses are special to the Shell and must
be escaped).
Negation (`!' or `not').
Concatenation (`and').
Alternation (`or').
Negation has highest precedence. Alternation and concatenation have equal precedence and associate left
to right. Note that explicit and tokens, not juxtaposition, are now required for concatenation.
If an identifier is given without a keyword, the most recent keyword is assumed. For example,
not host sphynx and anubis
is short for
not host sphynx and host anubis
which should not be confused with
not ( host sphynx or anubis )
Expression arguments can be passed to ra(1) as either a single argument or as multiple arguments,
whichever is more convenient. Generally, if the expression contains Shell metacharacters, it is easier
to pass it as a single, quoted argument. Multiple arguments are concatenated with spaces before being
parsed.
Startup Processing
Ra begins by searching for the configuration file .rarc first in the directory, $ARGUSHOME and then
$HOME. If a .rarc is found, all variables specified in the file are set.
Ra then parses its command line options and set its internal variables accordingly.
If a configuration file is specified on the command-line, using the "-f <confile>" option, the values in
this .rarc formatted file superceed all other values.
EXAMPLES
To report all TCP transactions from and to host 'narly.wave.com', reading transaction data from argus-
file argus.data:
ra -r argus.data - tcp and host narly.wave.com
Create the argus-file icmp.log with all ICMP events involving the host nimrod, using data from argus-
file, but reading the transaction data from stdin:
cat argus-file | ra -r - -w icmp.log - icmp and host nimrod
OUTPUT FORMAT
The following is a brief description of the output format of ra which reports transaction data in various
levels of detail. The general format is:
time proto srchost dir dsthost [count] status
time
The format of the time field is specified by the .rarc file, using syntax supported by the routine
localtime(3V). The default is Argus transaction data contains both starting and ending transaction
times, with precision to the microsecond. However, ra prints out only one of these dates depending on
the status of the argus server. When the argus server is running in default mode, ra reports the
transaction starting time. When the server is in DETAIL mode, the transaction ending time is
reported.
mac.addr
mac.addr is an optional field, specified using the -m flag. mac.addr represents the first source and
destination MAC addresses seen for a particular transaction. These addresses are paired with the
host.port fields, so the direction indicator is needed to distinguish between the source and
destination MAC addresses.
proto [options protocol]
The proto indicator consists of two fields. The first is protocol specific and the designations are:
m - MPLS encapsulated flow
q - 802.1Q encapsulated flow
p - PPP over Enternet encapsulated flow
E - Multiple encapsulations/tags
s - Src TCP packet retransmissions
d - Dst TCP packet retransmissions
* - Both Src and Dst TCP retransmissions
i - Src TCP packets out of order
r - Dst TCP packets out of order
& - Both Src and Dst packet out of order
S - Src TCP Window Closure
D - Dst TCP Window Closure
@ - Both Src and Dst Window Closure
x - Src TCP Explicit Congestion Notification
t - Dst TCP ECN
E - Both Src and Dst ECN
M - Multiple physical layer paths
I - ICMP event mapped to this flow
S - IP option Strict Source Route
L - IP option Loose Source Route
T - IP option Time Stamp
+ - IP option Security
R - IP option Record Route
A - IP option Router Alert
O - multiple IP options set
E - unknown IP options set
F - Fragments seen
f - Partial Fragment
V - Fragment overlap seen
The second field indicates the upper protocol used in the transaction. This field will contain the
first 4 characters of the official name for the protocol used, as defined in RFC-1700. Argus
attempts to discovery the Realtime Transport Protocol, when it is being used. When it encounters
RTP, it will indicate its use in this field, with the string 'rtp'. Use of the -n option, twice
(-nn), will cause the actual protocol number to be displayed.
host
The host field is protocol dependent, and for all protocols will contain the IP address/name. For
TCP and UDP, the field will also contain the port number/name, separated by a period.
dir
The dir field will have the direction of the transaction, as can be best determined from the datum,
and is used to indicate which hosts are transmitting. For TCP, the dir field indicates the actual
source of the TCP connection, and the center character indicating the state of the transaction.
- - transaction was NORMAL
| - transaction was RESET
o - transaction TIMED OUT.
? - direction of transaction is unknown.
count
count is an optional field, specified using the -c option. There are 4 fields that are produced.
The first 2 are the packet counts and the last 2 are the byte counts for the specific transaction.
The fields are paired with the previous host fields, and represent the packets transmitted by the
respective host.
status
The status field indicates the principle status for the transaction report, and is protocol
dependent. For all the protocols, except ICMP, this field reports on the basic state of a
transaction.
REQ|INT (requested|initial)
This indicates that this is the initial status report for a transaction and is seen only when the
argus-server is in DETAIL mode. For TCP connections this is REQ, indicating that a connection is
being requested. For the connectionless protocols, such as UDP, this is INT.
ACC (accepted)
This indicates that a request/response condition has occurred, and that a transaction has been
detected between two hosts. For TCP, this indicates that a connection request has been answered, and
the connection will be accepted. This is only seen when the argus-server is in DETAIL mode. For the
connectionless protocols, this state indicates that there has been a single packet exchange between
two hosts, and could qualify as a request/response transaction.
EST|CON (established|connected)
This record type indicates that the reported transaction is active, and has been established or is
continuing. This should be interpreted as a status report of a currently active transaction. For
TCP, the EST status is only seen in DETAIL mode, and indicates that the three way handshake has been
completed for a connection.
CLO (closed)
TCP specific, this record type indicates that the TCP connection has closed normally.
TIM (timeout)
Activity was not seen relating to this transaction, during the argus server's timeout period for this
protocol. This status is seen only when there were packets recorded since the last report for this
transaction.
For the ICMP protocol, the status field displays specific aspects of the ICMP type. ICMP status can have
the values:
ECO Echo Request
ECR Echo Reply
SRC Source Quench
RED Redirect
RTA Router Advertisement
RTS Router Solicitation
TXD Time Exceeded
PAR Parameter Problem
TST Time Stamp Request
TSR Time Stamp Reply
IRQ Information Request
IRR Information Reply
MAS Mask Request
MSR Mask Reply
URN Unreachable network
URH Unreachable host
URP Unreachable port
URF Unreachable need fragmentation
URS Unreachable source failed
URNU Unreachable dst network unknown
URHU Unreachable dst host unknown
URISO Unreachable source host isolated
URNPRO Unreachable network administrative prohibited
URHPRO Unreachable host administrative prohibited
URNTOS Unreachable network TOS prohibited
URHTOS Unreachable host TOS prohibited
URFIL Unreachable administrative filter
URPRE Unreachable precedence violation
URCUT Unreachable precedence cutoff
OUTPUT EXAMPLES
These examples show typical ra output, and demonstrates a number of variations seen in argus data. This
ra output was generated using the -n option to suppress number translation.
Thu 12/29 06:40:32 S tcp 132.3.31.15.6439 -> 12.23.14.77.23 CLO
This is a normal tcp transaction to the telnet port on host 12.23.14.77. The IP Option strict source
route was seen.
Thu 12/29 06:40:32 tcp 132.3.31.15.6200 <| 12.23.14.77.25 RST
This tcp transaction from the smtp port of host 12.23.14.77 was RESET, indicating that the transaction
was denied.
Thu 12/29 03:39:05 M igmp 12.88.14.10 <-> 128.2.2.10 CON
This is an igmp transaction status report, usually seen with MBONE traffic. There was more than one
source and destination MAC address pair used to support the transaction, suggesting a possible routing
loop.
Thu 12/29 06:40:05 * tcp 12.23.14.23.1043 <-> 12.23.14.27.6000 TIM
This is an X-windows transaction, that has TIMEDOUT. Packets were retransmitted during the connection.
Thu 12/29 07:42:09 udp 12.9.1.115.2262 -> 28.12.141.6.139 INT
This is an initial netbios UDP transaction status report, indicating that this is the first datagram
encountered for this transaction.
Thu 12/29 06:42:09 icmp 12.9.1.115 <-> 12.68.5.127 ECO
This example represents a "ping" of host 12.9.1.115, and its response.
This next example shows the ra output of a complete TCP transaction, with the preceeding Arp and DNS requests,
while reading from a remote argus-server. The '*' in the CLO report indicates that at least one TCP packet was
retransmitted during the transaction. The hostnames in this example are ficticious.
% ra -S argus-server and host i.qosient.com
ra: Trying argus-server port 561
ra: connected Argus Version 2.0
Sat 12/03 15:29:38 arp i.qosient.com who-has dsn.qosient.com INT
Sat 12/03 15:29:39 udp i.qosient.com.1542 <-> dns.qosient.53 INT
Sat 12/03 15:29:39 arp i.qosient.com who-has qosient.com INT
Sat 12/03 15:29:39 * tcp i.qosient.com.1543 -> qosient.com.smtp CLO
AUTHORS
Carter Bullard (carter@qosient.com).
FILES
/etc/ra.conf
SEE ALSO
argus(8) tcpdump(1),
Postel, Jon, Internet Protocol, RFC 791, Network Information Center, SRI International, Menlo Park,
Calif., May 1981.
Postel, Jon, Internet Control Message Protocol, RFC 792, Network Information Center, SRI International,
Menlo Park, Calif., May 1981.
Postel, Jon, Transmission Control Protocol, RFC 793, Network Information Center, SRI International, Menlo
Park, Calif., May 1981.
Postel, Jon, User Datagram Protocol, RFC 768, Network Information Center, SRI International, Menlo Park,
Calif., May 1980.
McCanne, Steven, and Van Jacobson, The BSD Packet Filter: A New Architecture for User-level Capture,
Lawrwnce Berkeley Laboratory, One Cyclotron Road, Berkeley, Calif., 94720, December 1992.