ra man page on SuSE


RA(1)									 RA(1)

NAME
       ra - read argus(8) data.

COPYRIGHT
       Copyright (c) 2000-2008 QoSient. All rights reserved.

SYNOPSIS
       ra [raoptions] [- filter-expression]

DESCRIPTION
       Ra  reads  argus(8)  data  from	either stdin, an argus-file, or from a
       remote data source, which can either be an argus-server, or  a  netflow
       data  server,  filters  the  records it encounters based on an optional
       filter-expression and  either  prints  the  contents  of	 the  argus(5)
       records	that  it encounters to stdout or appends them into an argus(5)
       datafile.

OPTIONS
       -A  Print aggregate statistics for the input stream on termination.

       -b  Dump the compiled transaction-matching code to standard output  and
	   stop.  This is useful for debugging filter expressions.

       -c <char>
	   Specify a delimiter character for output columns (default is ' ').

       -C <[host]:portnum>
	   Specify  a  source  of Netflow data. The optional host is the local
	   interface address where Netflow Cisco records are going to be read.
	   If absent, then it is implied that the interface address is AF_ANY.

       -D <level>
	   Print debug information corresponding to <level> to stderr, if the
	   program was compiled to support debug printing.  As the level
	   increases, so does the amount of debug information ra(1) will
	   print.  Values range from 1-8.

       -E <file>
	   When using a filter expression at the end of the command, this
	   option will cause ra(1) to append the records that are rejected by
	   the filter into <file>.

       -F <conffile>
	   Use <conffile> as a source of configuration information.  The  for‐
	   mat	of  this  file	is  identical  to rarc(5).  The data read from
	   <conffile> overrides any prior configuration information.

       -h  Print an explanation of all the arguments.

       -n  Modify number to name conversion.  This flag supports 3 states,
	   specified by the modulus of the number of -n flags set.  The first
	   -n will suppress address to hostname lookups.  -nn will suppress
	   port number to service conversion and -nnn will suppress
	   translation of protocol numbers to names.  -nnnn will return you to
	   full conversion.  Because this indicator can be set in the .rarc
	   file, multiple -n flags can be used to select a specific state of
	   number to name conversion.

       -M <mode [mode ...]>
	   Provide additional mode operators.  These are generally specific to
	   the individual ra* program, or a specific function.  Available
	   modes for ra(1) are:

	      poll            - successfully attach to remote data source and then exit
	      rmon            - modify data to support unidirectional RMON stat reporting
	      saslmech="mech" - specify a mandatory SASL mech
	      TZ="tzset"      - specify a tzset(3) time zone specification
	      xml             - print output in xml format.

       -N <num[-num]>
	   Process <num> or the <num-num> range of input records.  These
	   records must match the input filter if any filter is used.

       -p <digits>
	   Print <digits> number of units of precision for floating point val‐
	   ues.

       -q  Run	in  quiet  mode. Configure Ra to not print out the contents of
	   records.  This can be used for a number of maintenance tasks, where
	   you	would  be  interested  in  the	outcome	 of  a program, or its
	   progress, say with the  -D  option,	without	 printing  each	 input
	   record.

       -r [- | <file file ...>]
	   Read data from <files> in the order presented on the command line.
	   '-' denotes stdin.  If you want to read a set of files and then,
	   when done, read stdin, use multiple occurrences of the -r option.
	   Ra can read gzip(1), bzip2(1) and compress(1) compressed data
	   files.

       -R <dir dir ...>
	   Recursively descend the directory and process all the regular files
	   that are encountered.  The function does not descend into links, or
	   directories that begin with '.'.  This feature, like the -r option,
	   does not do any file type checking.

       -s <[-][[+[#]]field[:len] ...>
	   Specify the fields to print. Ra uses a default printing field list,
	   by  specifying a field you can replace this list completely, or you
	   can modify the existing default print list, using the optional  '-'
	   and '+[#]' form of the command.  The available fields to print are:

	      srcid, stime, ltime, sstime, dstime, dstime, dltime,
	      trans, seq, flgs, dur, avgdur, stddev, mindur, maxdur,
	      saddr, daddr, proto, sport, dport, stos, dtos, sdsb, ddsb,
	      sco, dco, sttl, dttl, sipid, dipid, smpls, dmpls, svlan, dvlan,
	      svid, dvid, svpri, dvpri, [s|d]pkts, [s|d]bytes,
	      [s|d]appbytes, [s|d]load, [s|d]loss, [s|d]ploss, [s|d]rate,
	      smac, dmac, dir, [s|d]intpkt, [s|d]jit, state, suser, duser,
	      swin, dwin, trans, srng, erng, stcpb, dtcpb, tcprtt, inode,
	      offset, smaxsz, dmaxsz, sminsz, dminsz

	   srcid       argus source identifier.
	   stime       record start time
	   ltime       record last time.
	   trans       aggregation record count.
	   seq	       argus sequence number.
	   flgs	       TCP flags seen in transaction.
	   dur	       record total duration.
	   avgdur      average duration of aggregated records.
	   stddev      standard deviation of aggregated duration times.
	   mindur      minimum duration of aggregated records.
	   maxdur      maximum duration of aggregated records.
	   saddr       source IP addr.
	   daddr       destination IP addr.
	   proto       transaction protocol.
	   sport       source port number.
	   dport       destination port number.
	   stos	       source TOS byte value.
	   dtos	       destination TOS byte value.
	   sdsb	       source diff serve byte value.
	   ddsb	       destination diff serve byte value.
	   sco	       source IP address country code.
	   dco	       destination IP address country code.
	   sttl	       src -> dst TTL value.
	   dttl	       dst -> src TTL value.
	   sipid       source IP identifier.
	   dipid       destination IP identifier.
	   smpls       source MPLS identifier.
	   dmpls       destination MPLS identifier.
	   pkts	       total transaction packet count.
	   spkts       src -> dst packet count.
	   dpkts       dst -> src packet count.
	   bytes       total transaction bytes.
	   sbytes      src -> dst transaction bytes.
	   dbytes      dst -> src transaction bytes.
	   appbytes    total application bytes.
	   sappbytes   src -> dst application bytes.
	   dappbytes   dst -> src application bytes.
	   load	       bits per second.
	   sload       source bits per second.
	   dload       destination bits per second.
	   loss	       pkts retransmitted or dropped.
	   sloss       source pkts retransmitted or dropped.
	   dloss       destination pkts retransmitted or dropped.
	   ploss       percent pkts retransmitted or dropped.
	   sploss      percent source pkts retransmitted or dropped.
	   dploss      percent destination pkts retransmitted or dropped.
	   rate	       pkts per second.
	   srate       source pkts per second.
	   drate       destination pkts per second.
	   smac	       source MAC addr.
	   dmac	       destination MAC addr.
	   dir	       direction of transaction
	   intpkt      interpacket arrival time
	   sintpkt     source interpacket arrival time
	   dintpkt     destination interpacket arrival time
	   jit	       jitter.
	   sjit	       source jitter.
	   djit	       destination jitter.
	   state       transaction state
	   suser       source user data buffer.
	   duser       destination user data buffer.
	   swin	       source TCP window advertisement.
	   dwin	       destination TCP window advertisement.
	   svlan       source VLAN identifier.
	   dvlan       destination VLAN identifier.
	   svid	       source VLAN identifier.
	   dvid	       destination VLAN identifier.
	   svpri       source VLAN priority.
	   dvpri       destination VLAN priority.
	   srng	       start time for the filter timerange.
	   erng	       end time for the filter timerange.
	   stcpb       source TCP base sequence number
	   dtcpb       destination TCP base sequence number
	   tcprtt      TCP connection setup round-trip time.
	   inode       ICMP intermediate node.
	   offset      record byte offset in file or stream.
	   smaxsz      maximum packet size for traffic transmitted by the src.
	   dmaxsz      maximum packet size for traffic transmitted by the dst.
	   sminsz      minimum packet size for traffic transmitted by the src.
	   dminsz      minimum packet size for traffic transmitted by the dst.

	   Examples are:
	      -s saddr	    print only the source address.
	      -s -bytes	    removes the bytes field from list.
	      -s +2srcid    adds the source identifier as the 2nd field.
	      -s spkts:18   prints src pkt count with a column width of 18.
	      -s smpls	    print the local mpls label in the flow.
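       The following Python is an added illustration, not code from the ra
       man page or the argus distribution.  It models how the -s tokens above
       compose: a bare field name replaces the print list, '-name' removes a
       field, '+[#]name' appends or inserts, and 'name:len' sets a column
       width.  The default field list is an assumption modelled on the
       OUTPUT FORMAT section below (ra's real built-in default is not stated
       on this page), and how ra resolves a mix of bare names with +/- forms
       is likewise an assumption: bare names start a fresh list and the +/-
       edits are applied in order.

```python
import re

# Assumed default print list (modelled on the OUTPUT FORMAT section:
# time, flags, proto, src host/port, dir, dst host/port, counts, state).
DEFAULT_FIELDS = ["stime", "flgs", "proto", "saddr", "sport", "dir",
                  "daddr", "dport", "pkts", "bytes", "state"]

# One -s token: optional '-' or '+', optional position digits (valid only
# after '+'), the field name, and an optional ':len' column width.
TOKEN_RE = re.compile(
    r"^(?P<op>[-+])?(?P<pos>\d+)?(?P<name>[A-Za-z]+)(?::(?P<len>\d+))?$")


def _is_bare(tok):
    """True for a plain field name (no '-' or '+' modifier)."""
    m = TOKEN_RE.match(tok)
    return bool(m) and m.group("op") is None


def apply_field_spec(tokens, default=DEFAULT_FIELDS):
    """Apply -s tokens to the print list; return (fields, widths).

    Any bare name means the default list is replaced, so the list starts
    empty; otherwise the default list is edited in place by the +/- tokens.
    """
    fields = [] if any(_is_bare(t) for t in tokens) else list(default)
    widths = {}
    for tok in tokens:
        m = TOKEN_RE.match(tok)
        if not m:
            raise ValueError("bad -s field spec: %r" % tok)
        op, pos, name, width = m.group("op", "pos", "name", "len")
        if pos is not None and (op != "+" or int(pos) < 1):
            raise ValueError("a 1-based position is only valid after '+': %r" % tok)
        if op == "-":
            if name not in fields:
                raise ValueError("cannot remove %r: not in the print list" % name)
            fields.remove(name)
        elif op == "+":
            # '+name' appends; '+Nname' makes it the N-th field (clamped to the end)
            idx = len(fields) if pos is None else min(int(pos) - 1, len(fields))
            fields.insert(idx, name)
        else:
            fields.append(name)
        if width is not None:
            widths[name] = int(width)
    return fields, widths


def render(record, fields, widths, default_width=8, sep=" "):
    """Format one record as left-justified columns; sep plays the role of the
    -c delimiter and unknown fields print as '-'."""
    cells = [str(record.get(f, "-")).ljust(widths.get(f, default_width))
             for f in fields]
    return sep.join(cells).rstrip()


if __name__ == "__main__":
    for spec in (["saddr"], ["-bytes"], ["+2srcid"], ["spkts:18"]):
        print(spec, "->", apply_field_spec(spec))
```

       Each example from the option text maps to one call: -s saddr gives a
       one-field list, -s -bytes drops bytes from the default list, -s +2srcid
       makes srcid the second field, and -s spkts:18 yields a single column
       with a recorded width of 18.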

       -S <host[:portnum]>
	   Specify a remote source of argus data.  Use the optional ':portnum'
	   to specify a port number other than the default, 561.  IPv6
	   addresses, because of the use of ':' as their field separator, must
	   be written as a bracketed IPv6 literal (RFC 3986) if a non-default
	   port number is to be specified.  Examples are:
	      -S localhost			  connect to localhost address, port 561
	      -S 192.168.0.67:12345		  connect to IPv4 address, port 12345
	      -S fe80::214:51ff:fe66:7c5a	  connect to IPv6 address, port 561
	      -S [fe80::214:51ff:fe66:7c5a]:4523  connect to IPv6 address, port 4523
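       The following Python is an added illustration of the host:port
       splitting rule described above; it is not ra's own argument parser.
       It assumes the three cases the text implies: a bracketed literal may
       carry a port, a bare value with more than one ':' can only be an IPv6
       address and so keeps the default port, and otherwise a single ':'
       separates the port.

```python
import ipaddress

DEFAULT_ARGUS_PORT = 561  # the default named in the -S option text


def _port(text, spec):
    """Validate a port string from spec and return it as an int."""
    if not text.isdigit() or not 0 < int(text) < 65536:
        raise ValueError("bad port number in %r" % spec)
    return int(text)


def parse_remote_source(spec):
    """Split a -S argument into (host, port)."""
    if spec.startswith("["):
        # '[addr]' or '[addr]:port' per RFC 3986
        close = spec.find("]")
        if close < 0:
            raise ValueError("unterminated IPv6 literal: %r" % spec)
        host, rest = spec[1:close], spec[close + 1:]
        ipaddress.IPv6Address(host)  # raises ValueError unless a valid IPv6 address
        if rest == "":
            return host, DEFAULT_ARGUS_PORT
        if not rest.startswith(":"):
            raise ValueError("junk after IPv6 literal: %r" % spec)
        return host, _port(rest[1:], spec)
    if spec.count(":") > 1:
        # Unbracketed IPv6 literal: every ':' belongs to the address.
        ipaddress.IPv6Address(spec)
        return spec, DEFAULT_ARGUS_PORT
    host, sep, port = spec.partition(":")
    if not host:
        raise ValueError("empty host: %r" % spec)
    return host, (_port(port, spec) if sep else DEFAULT_ARGUS_PORT)


if __name__ == "__main__":
    for arg in ("localhost", "192.168.0.67:12345",
                "fe80::214:51ff:fe66:7c5a", "[fe80::214:51ff:fe66:7c5a]:4523"):
        print(arg, "->", parse_remote_source(arg))
```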

       -t <timerange>
	   Specify the <time range> for matching argus(5) records.  This option
	   supports a high degree of flexibility in specifying explicit and
	   relative time ranges with support for time field wildcarding.

	   The syntax for the <time range> is:
	   [timeComparisonInd]timeSpecification[-timeSpecification]
	      timeComparisonInd: i | n | c    (default = i)
		i  intersects match records that were active during this time period
		n  includes   match records that start before and end after the period
		c  contained  match records that start and end during the period

	      timeSpecification: [[[yyyy/]mm/]dd.]HH[:MM[:SS]]
				   [yyyy/]mm/dd
				   %d{ymdHMSu}
				   { + | - }%d{ymdHMSu}

	      where '*' can be used as a wildcard.
	      The 'u' modifier indicates that the value is UTC.	 A time specification
	      of "%d" or "%d-%d" is normally interpreted as the hour, however, if
	      the value is beyond a valid hour range, the time is interpreted as UTC.

	   Examples are:
	      -t 14		specify the time range 2pm-3pm for today
	      -t 1999y1M23d10h	matches 10-11am on Jan, 23, 1999
	      -t 10d*h*m15s	matches records that intersect the 15 sec,
				any minute, any hour, on the 10th of this month
	      -t ****/11/23	all records in Nov 23rd, 2006, any year
	      -t 23.11:10-14	11:10:00 - 2pm on the 23rd of this month
	      -t 1194411600+1m	2007/11/07.00:00:00 - 2007/11/07/00:01:00
	      -t -10m		matches 10 minutes before, to the present
	      -t -2h5m+5m	matches records that start before and end
				after the range starting 2 hours 5 minutes
				prior to the present, and lasting 5 minutes.

	   Time is compared using basic intersection operations.  A record
	   intersects a specified time range if there is any intersection
	   between the time range of the record and the comparison time range.
	   This is the default behavior.  A record includes the comparison
	   time range if the intersection of the two ranges equals the
	   comparison time range, and a record is contained when the
	   intersection equals the duration of the record.  The comparison
	   indicator is the first character of the range specification,
	   without spaces.

	   Examples are:
	      -t n14:10:15-14:10:19  records include these 4s.
	      -t c14:10-14:10:10     record starts and ends within these 10s.
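       The following Python is an added illustration of the three comparison
       indicators, not ra's own time-range code.  It covers only the
       HH[:MM[:SS]] form of a time specification for a single day (no dates,
       wildcards or relative offsets), treats both the record and the
       comparison range as closed intervals in whole seconds, and runs the
       two examples above plus the '-t 14' case against a small set of
       constructed records.

```python
import re

SPEC_RE = re.compile(r"^(\d{1,2})(?::(\d{2}))?(?::(\d{2}))?$")


def parse_time_spec(spec):
    """Parse HH[:MM[:SS]] into (seconds since midnight, width of the unit given).

    The unit width is what a lone specification spans: '14' covers the whole
    hour 14:00:00-15:00:00, '14:10' one minute, '14:10:15' one second.
    """
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError("unsupported time specification: %r" % spec)
    h, mi, s = (int(x) if x is not None else None for x in m.groups())
    if h > 23 or (mi or 0) > 59 or (s or 0) > 59:
        raise ValueError("time out of range: %r" % spec)
    unit = 3600 if mi is None else (60 if s is None else 1)
    return h * 3600 + (mi or 0) * 60 + (s or 0), unit


def parse_time_range(arg):
    """Parse '[i|n|c]spec[-spec]' into (indicator, start, end) in seconds."""
    ind = "i"  # intersects is the default indicator
    if arg[:1] in ("i", "n", "c"):
        ind, arg = arg[0], arg[1:]
    first, dash, second = arg.partition("-")
    start, unit = parse_time_spec(first)
    end = parse_time_spec(second)[0] if dash else start + unit
    if end <= start:
        raise ValueError("time range end precedes start: %r" % arg)
    return ind, start, end


def matches(ind, start, end, rec_start, rec_end):
    """Apply the comparison indicator to one record's [rec_start, rec_end].

    i: any overlap between record and range; n: the record includes the whole
    range; c: the record lies entirely within the range.
    """
    if ind == "i":
        return rec_start <= end and rec_end >= start
    if ind == "n":
        return rec_start <= start and rec_end >= end
    if ind == "c":
        return rec_start >= start and rec_end <= end
    raise ValueError("unknown comparison indicator: %r" % ind)


# Constructed records: (name, stime, ltime) as clock times on one day.
RECORDS = [
    ("long", "14:10:00", "14:10:30"),
    ("short", "14:10:02", "14:10:05"),
    ("late", "14:10:17", "14:10:25"),
    ("morning", "09:00:00", "09:00:10"),
]


def select(arg, records=RECORDS):
    """Return the names of the records matched by a -t argument."""
    ind, start, end = parse_time_range(arg)
    return [name for name, st, lt in records
            if matches(ind, start, end,
                       parse_time_spec(st)[0], parse_time_spec(lt)[0])]


if __name__ == "__main__":
    for arg in ("14", "n14:10:15-14:10:19", "c14:10-14:10:10"):
        print("-t %-20s -> %s" % (arg, select(arg)))
```

       Only the thirty-second "long" record includes the whole 4 s window of
       the n example, and only the three-second "short" record is contained
       in the 10 s window of the c example; the default i indicator with
       '-t 14' picks up everything active during that hour.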

       -T <secs>
	   Read argus(5) from remote server for <secs> of time.

       -u  Print time values using UTC time format.

       -w <file> [filter-expression]
	   Append matching data to <file>, in argus file  format.  An  output-
	   file	 of  '-'  directs  ra to write the argus(5) records to stdout,
	   allowing for "chaining" ra* style commands together.	 The  optional
	   filter-expression can be used to select specific output.

       -X  Don't read the default rarc file.

       -z  Modify  state  field	 to represent TCP state changes. The values of
	   the state field when this is enabled are:
	     's' - Syn Transmitted
	     'S' - Syn Acknowledged
	     'E' - TCP Established
	     'f' - Fin Transmitted  (FIN Wait State 1)
	     'F' - Fin Acknowledged (FIN Wait State 2)
	     'R' - TCP Reset

       -Z <s|d|b>
	   Modify state field to represent actual TCP flag values: <'s'rc |
	   'd'st | 'b'oth>.  The characters that can be present in the state
	   field when this is enabled are:

	     'F' - Fin
	     'S' - Syn
	     'R' - Reset
	     'P' - Push
	     'A' - Ack
	     'U' - Urgent Pointer
	     '7' - Undefined 7th bit set
	     '8' - Undefined 8th bit set

FILTER EXPRESSION
       If arguments remain after option processing, the collection  is	inter‐
       preted  as a single filter expression.  In order to indicate the end of
       arguments, a '-' is recommended before the filter expression  is	 added
       to the command line.

       The filter expression specifies which argus(5) records will be selected
       for processing.	If no expression is given, all records	are  selected,
       otherwise,  only	 those	records for which expression is `true' will be
       printed.

       The syntax is very similar to the expression syntax for tcpdump(1),  as
       the  tcpdump  compiler was the basis for the argus(5) filter expression
       compiler.  The semantics for tcpdump(1)'s packet filter expression  are
       different  when	applied	 to transaction record filtering, so there are
       some major differences.

       The expression consists of one or more primitives.  Primitives  usually
       consist	of  an id (name or number) preceded by one or more qualifiers.
       There are three different kinds of qualifier:

       type   qualifiers say what kind of thing the id name or number refers
	      to.  Possible types are srcid, encaps, host, net, port, tos,
	      ttl, pkts, bytes, appbytes, data, rate, load, loss, ploss, mid,
	      vid, and vpri.

	      E.g., `srcid isis', `encaps gre', `host sphynx', `net
	      192.168.0.0/16', `port domain', `ttl 1', `pkts gt 2'.  If there
	      is no type qualifier, host is assumed.

       dir    qualifiers specify a particular transfer direction to and/or
	      from an id.  Possible directions are src, dst, src or dst and
	      src and dst.  E.g., `src sphynx', `dst net 192.168.0.0/24', `src
	      or dst port ftp', `src and dst tos 0x0a', `src or dst vid 0x12',
	      `dst vpri 0x02'.  If there is no dir qualifier, src or dst is
	      assumed.

       proto  qualifiers restrict the match to a particular protocol.	Possi‐
	      ble values are those specified in the /etc/protocols system file
	      and a small number of extensions, (that should  be  defined  but
	      aren't).	 Specific extended values are 'ipv4', (to specify just
	      ip version 4), in contrast to the	 defined  proto	 'ipv6'.   The
	      defined proto 'ip' reduces to the filter 'ipv4 or ipv6'.

	      When preceded by ether, the protocol names and numbers that are
	      valid are specified in ./include/ethernames.h.

       In addition to the above, there are some special	 `primitive'  keywords
       that  don't follow the pattern: gateway, multicast, and broadcast.  All
       of these are described below.

       More complex filter expressions are built up by using the words and, or
       and  not	 to  combine primitives.  E.g., `host foo and not port ftp and
       not port ftp-data'.  To save typing, identical qualifier lists  can  be
       omitted.	 E.g., `tcp dst port ftp or ftp-data or domain' is exactly the
       same as `tcp dst port ftp or tcp dst port  ftp-data  or	tcp  dst  port
       domain'.

       Allowable primitives are:

       srcid argusid
	      True if the argus identifier field in the Argus record is srcid,
	      which may be an IP address, a name or a decimal/hexadecimal
	      number.

       encaps type
	      True  if	the encapsulation used by the flow in the Argus record
	      includes the type.  The list of valid encapsulation types is:

	       mpls, eth, 802q, llc, pppoe, isl, gre, ah, ipnip, ipnip6, chdlc

       dst host host
	      True if the IP destination field in the Argus record is host,
	      which may be either an address or a name.

       src host host
	      True if the IP source field in the Argus record is host.

       host host
	      True if either the IP source or destination in the Argus record is host.
	      Any of the above host expressions can be prepended with the keywords
	      ip, arp, or rarp as in:
		   ip host host
	      which is equivalent to:
		   ether proto ip and host host
	      If host is a name with multiple IP addresses, each address  will
	      be checked for a match.

       ether dst ehost
	      True if the ethernet destination address is ehost.  Ehost may be
	      either a name from /etc/ethers or a number (see  ethers(3N)  for
	      numeric format).

       ether src ehost
	      True if the ethernet source address is ehost.

       ether host ehost
	      True  if	either	the  ethernet source or destination address is
	      ehost.

       gateway host
	      True if the transaction used host as a gateway.  I.e., the  eth‐
	      ernet  source or destination address was host but neither the IP
	      source nor the IP destination was host.  Host must be a name and
	      must  be	found in both /etc/hosts and /etc/ethers.  (An equiva‐
	      lent expression is
		   ether host ehost and not host host
	      which can be used with  either  names  or	 numbers  for  host  /
	      ehost.)

       dst net cidr
	      True  if	the IP destination address in the Argus record matches
	      the cidr address.

       src net cidr
	      True if the IP source address in the Argus  record  matches  the
	      cidr address.

       net cidr
	      True if either the IP source or destination address in the Argus
	      record matches cidr address.

       dst port port
	      True if the network transaction is ip/tcp or ip/udp  and	has  a
	      destination  port	 value of port.	 The port can be a number or a
	      name used in /etc/services (see tcp(4P) and udp(4P)).  If a name
	      is  used,	 both  the port number and protocol are checked.  If a
	      number or ambiguous name	is  used,  only	 the  port  number  is
	      checked  (e.g.,  dst  port 513 will print both tcp/login traffic
	      and udp/who traffic, and port domain will print both  tcp/domain
	      and udp/domain traffic).

       src port port
	      True if the network transaction has a source port value of port.

       port port
	      True  if	either	the  source  or	 destination port in the Argus
	      record is port.  Any  of	the  above  port  expressions  can  be
	      prepended with the keywords, tcp or udp, as in:
		   tcp src port port
	      which matches only tcp connections.

       ip proto protocol
	      True  if	the  Argus record is an ip transaction (see ip(4P)) of
	      protocol type protocol.  Protocol can be a number or any of  the
	      string values found in /etc/protocols.

       multicast
	      True if the network transaction involved an ip multicast
	      address.  By specifying ether multicast, you can select argus
	      records that involve an ethernet multicast address.

       broadcast
	      True if the network transaction involved an ip broadcast
	      address.  By specifying ether broadcast, you can select argus
	      records that involve an ethernet broadcast address.

       ether proto protocol
	      True  if	the  Argus record is of ether type protocol.  Protocol
	      can be a number or a name like ip, arp, or rarp.

       [src | dst] ttl [gt | gte | lt | lte | eq] number
	      True if the TTL in the Argus record equals number.

       [src | dst] tos [gt | gte | lt | lte | eq] number
	      True if the TOS in the Argus record (default) equals number.

       [src | dst] vid [gt | gte | lt | lte | eq] number
	      True if the VLAN id in the Argus record (default) equals number.

       [src | dst] vpri [gt | gte | lt | lte | eq] number
	      True if the VLAN priority in the Argus record  (default)	equals
	      number.

       [src | dst] mid [gt | gte | lt | lte | eq] number
	      True if the MPLS Label in the Argus record (default) equals num‐
	      ber.

       [src | dst] pkts [gt | gte | lt | lte | eq] number
	      True if the packet count in the Argus  record  (default)	equals
	      number.

       [src | dst] bytes [gt | gte | lt | lte | eq] number
	      True if the byte count in the Argus record (default) equals num‐
	      ber.

       [src | dst] appbytes [gt | gte | lt | lte | eq] number
	      True if the application byte count in the Argus record (default)
	      equals number.

       [src | dst] rate [gt | gte | lt | lte | eq] number
	      True if the rate in the Argus record (default) equals number.

       [src | dst] load [gt | gte | lt | lte | eq] number
	      True if the load in the Argus record (default) equals number.

       Ra filter expressions support primitives that are specific to flow
       states and can be used to select flow records that were in these states
       at the time they were generated: normal, wait, timeout, est or con.

       Primitives that select flows that experienced fragmentation: frag and
       fragonly.

       A primitive that selects flows that used multiple pairs of MAC addresses
       during their lifetime: multipath.

       Primitives specific to TCP flows: syn, synack, ecn, fin, finack, reset,
       retrans, outoforder and winshut.

       Primitives specific to ICMP flows: echo, unreach, redirect and timexed.

       For some primitives, a direction qualifier is appropriate.  These are
       frag, reset, retrans, outoforder and winshut.

       Primitives may be combined using:

	      A parenthesized group of primitives and  operators  (parentheses
	      are special to the Shell and must be escaped).

	      Negation (`!' or `not').

	      Concatenation (`and').

	      Alternation (`or').

       Negation	 has  highest  precedence.  Alternation and concatenation have
       equal precedence and associate left to right.  Note that	 explicit  and
       tokens, not juxtaposition, are now required for concatenation.

       If an identifier is given without a keyword, the most recent keyword is
       assumed.	 For example,
	    not host sphynx and anubis
       is short for
	    not host sphynx and host anubis
       which should not be confused with
	    not ( host sphynx or anubis )

       Expression arguments can be passed to ra(1) as either a single argument
       or  as multiple arguments, whichever is more convenient.	 Generally, if
       the expression contains Shell metacharacters, it is easier to  pass  it
       as a single, quoted argument.  Multiple arguments are concatenated with
       spaces before being parsed.
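       The following Python is an added illustration of the expression rules
       above (negation binds tightest, and/or have equal precedence and
       associate left to right, a bare identifier reuses the most recent
       keywords, and 'src or dst' is a dir qualifier rather than an operator).
       It is not ra's filter compiler: it supports only the host, net and port
       types, the src/dst dir qualifiers and the tcp/udp/icmp proto
       qualifiers, and the host and service name tables and flow records are
       constructed here in place of /etc/hosts, /etc/services and real argus
       data.

```python
import ipaddress
import re

# Constructed name tables standing in for /etc/hosts and /etc/services.
HOSTS = {"sphynx": "192.168.0.5", "anubis": "192.168.0.20"}
SERVICES = {"ftp": 21, "ftp-data": 20, "domain": 53}
PROTOS = ("tcp", "udp", "icmp")
KEYWORDS = ("host", "net", "port")
DIRS = ("src", "dst")

# Constructed flow records (not real argus data); sport/dport are None for ICMP.
RECORDS = [
    {"id": 1, "proto": "tcp", "saddr": "192.168.0.5", "sport": 40001,
     "daddr": "192.168.0.20", "dport": 21},
    {"id": 2, "proto": "tcp", "saddr": "192.168.0.20", "sport": 20,
     "daddr": "192.168.0.5", "dport": 40002},
    {"id": 3, "proto": "udp", "saddr": "192.168.0.7", "sport": 5353,
     "daddr": "10.0.0.53", "dport": 53},
    {"id": 4, "proto": "icmp", "saddr": "10.0.0.9", "sport": None,
     "daddr": "192.168.0.5", "dport": None},
]


def make_test(proto, direction, kind, ident):
    """Build a predicate for one primitive: [proto] [dir] kind ident."""
    if kind == "host":
        value, fields = HOSTS.get(ident, ident), ("saddr", "daddr")
        match = lambda v: v == value
    elif kind == "net":
        net, fields = ipaddress.ip_network(ident, strict=False), ("saddr", "daddr")
        match = lambda v: ipaddress.ip_address(v) in net
    else:  # port: a service name or a number
        value = SERVICES[ident] if ident in SERVICES else int(ident)
        fields = ("sport", "dport")
        match = lambda v: v is not None and v == value

    def test(rec):
        if proto is not None and rec["proto"] != proto:
            return False
        s, d = match(rec[fields[0]]), match(rec[fields[1]])
        return {"src": s, "dst": d, "src or dst": s or d, "src and dst": s and d}[direction]
    return test


def _and(l, r):
    return lambda rec: l(rec) and r(rec)


def _or(l, r):
    return lambda rec: l(rec) or r(rec)


class FilterParser:
    """Recursive-descent parser producing a predicate over a record dict."""

    def __init__(self, text):
        self.toks = re.findall(r"\(|\)|!|[^\s()!]+", text)
        self.i = 0
        self.last = None  # (proto, direction, kind) of the last keyworded primitive

    def peek(self, ahead=0):
        j = self.i + ahead
        return self.toks[j] if j < len(self.toks) else None

    def take(self):
        t = self.peek()
        self.i += 1
        return t

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def expr(self):  # and/or: equal precedence, left to right
        left = self.term()
        while self.peek() in ("and", "or"):
            op, right = self.take(), self.term()
            left = _and(left, right) if op == "and" else _or(left, right)
        return left

    def term(self):  # negation and parentheses bind tightest
        t = self.peek()
        if t in ("not", "!"):
            self.take()
            inner = self.term()
            return lambda rec: not inner(rec)
        if t == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive()

    def primitive(self):
        t = self.take()
        if t is None:
            raise ValueError("primitive expected")
        proto, direction, explicit = None, "src or dst", False
        if t in PROTOS:
            if self.peek() not in DIRS + KEYWORDS:
                return lambda rec, p=t: rec["proto"] == p  # plain 'tcp', 'udp', ...
            proto, t, explicit = t, self.take(), True
        if t in DIRS:
            direction, explicit = t, True
            # 'src or dst' / 'src and dst' form one dir qualifier, not an operator
            if self.peek() in ("or", "and") and self.peek(1) in DIRS:
                direction = "%s %s %s" % (t, self.take(), self.take())
            t = self.take()
        if t in KEYWORDS:
            kind, ident = t, self.take()
        elif explicit or self.last is None:
            kind, ident = "host", t  # no type qualifier: host is assumed
        else:
            (proto, direction, kind), ident = self.last, t  # reuse last keywords
        if ident is None or ident in ("and", "or", "(", ")"):
            raise ValueError("identifier expected after %r" % t)
        self.last = (proto, direction, kind)
        return make_test(proto, direction, kind, ident)


def select(expr, records=RECORDS):
    """Return the ids of the records for which the expression is true."""
    test = FilterParser(expr).parse()
    return [r["id"] for r in records if test(r)]
```

       Run against the constructed records, `not host sphynx and anubis'
       matches nothing while `not ( host sphynx or anubis )' matches the
       one flow touching neither host, which is exactly the distinction the
       text draws; `tcp dst port ftp or ftp-data or domain' expands the
       omitted qualifiers onto ftp-data and domain.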

   Startup Processing
       Ra begins by searching for the configuration file .rarc, first in the
       current directory, then in $ARGUSHOME and then in $HOME.  If a .rarc
       is found, all variables specified in the file are set.

       Ra then parses its command line options and sets its internal
       variables accordingly.

       If a configuration file is specified on the command line, using the
       "-F <conffile>" option, the values in this .rarc formatted file
       supersede all other values.

EXAMPLES
       To report all TCP transactions from and to host 'narly.wave.com', read‐
       ing transaction data from argus-file argus.data:
	      ra -r argus.data - tcp and host narly.wave.com

       Create the argus-file icmp.log with all ICMP events involving the  host
       nimrod,	using  data  from argus-file, but reading the transaction data
       from stdin:
	      cat argus-file | ra -r - -w icmp.log - icmp and host nimrod

OUTPUT FORMAT
       The following is a brief description of the default output  of  ra.
       While  this  is by no means the 'preferred' set of data that one should
       generate, it represents a starting point for using flow	data  in  gen‐
       eral.   This also looks pretty good on 80 column terminals.  The format
       is:
		time  proto  srchost  dir  dsthost metrics state

       time
	   The format of the time field is specified by the .rarc file, using
	   syntax supported by the routine strftime(3V).  The default is '%T'.
	   Argus transactional data contains both starting and ending
	   transaction times, with precision to the microsecond.  However, ra
	   by default prints out the 'stime' field, the record's starting time.

       proto [options protocol]
	   The proto indicator consists of two fields. The first  is  protocol
	   specific and the designations are:

	    T	     -	Time Corrected/Adjusted
	     *	     -	Multiple sub-IP encapsulations
	     m	     -	MPLS encapsulated flow
	     e	     -	Ethernet encapsulated flow
	     l	     -	LLC encapsulated flow
	     v	     -	802.11Q encapsulations/tags
	     w	     -	802.11 wireless encapsulation
	     p	     -	PPP over Ethernet encapsulated flow
	     i	     -	ISL encapsulated flow
	     G	     -	GRE encapsulation
	     a	     -	AH encapsulation
	     P	     -	IP tunnel encapsulation
	     6	     -	IPv6 tunnel encapsulation
	     H	     -	HDLC encapsulation
	     C	     -	Cisco HDLC encapsulation
	     A	     -	ATM encapsulation
	     S	     -	SLL encapsulation
	     F	     -	FDDI encapsulation
	     s	     -	SLIP encapsulation
	     R	     -	ARCNET encapsulation
	      I	     -	ICMP events mapped to this flow
	      U	     -	ICMP Unreachable event mapped to this flow
	      R	     -	ICMP Redirect event mapped to this flow
	      T	     -	ICMP Time Exceeded mapped to this flow
	       *     -	Both Src and Dst loss/retransmission
	       s     -	Src loss/retransmissions
	       d     -	Dst loss/retransmissions
	       &     -	Both Src and Dst packet out of order
	       i     -	Src packets out of order
	       r     -	Dst packets out of order
		@    -	Both Src and Dst Window Closure
		S    -	Src TCP Window Closure
		D    -	Dst TCP Window Closure
		 E   -	Both Src and Dst ECN
		 x   -	Src Explicit Congestion Notification
		 t   -	Dst ECN
		  V  -	Fragment overlap seen
		  f  -	Partial Fragment
		  F  -	Fragments seen
		   O  -	 multiple IP options set
		   S  -	 IP option Strict Source Route
		   L  -	 IP option Loose Source Route
		   T  -	 IP option Time Stamp
		   +  -	 IP option Security
		   R  -	 IP option Record Route
		   A  -	 IP option Router Alert
		   U  -	 unknown IP options set

	   The second field indicates the upper protocol used in the
	   transaction.  This field will contain the first 4 characters of the
	   official name for the protocol used, as defined in RFC-1700.  Argus
	   attempts to discover the Realtime Transport Protocol when it is
	   being used.  When it encounters RTP, it will indicate its use in
	   this field, with the string 'rtp'.  Use of the -n option twice
	   (-nn) will cause the actual protocol number to be displayed.

       srchost
	   The	srchost field is meant to convey the originator of the data in
	   the flow.  This field is protocol dependent, and for	 IP  protocols
	   will	 contain  the src IP address/name.  For TCP and UDP, the field
	   will also contain the port number/name, separated by a period.

	   The 'src' is generally the entity that first transmits a packet
	   that is a part of a flow.  However, the assignment of 'src' and
	   'dst' semantics is somewhat complicated by the notion of loss, or
	   half-duplex monitoring, especially when connection-oriented
	   protocols, such as TCP, are reported.  In this case the 'src' is
	   the entity that initiated the flow.

       dir
	   The dir field will have the direction of the transaction, as can be
	   best determined from the datum, and is used to indicate which hosts
	   are transmitting.  For TCP, the dir field indicates the actual
	   source of the TCP connection, and the center character indicates
	   the state of the transaction.
	       -  - transaction was NORMAL
	       |  - transaction was RESET
	       o  - transaction TIMED OUT.
	       ?  - direction of transaction is unknown.

       dsthost
	   The	dsthost	 field is meant to convey the recipient of the data in
	   the flow.  Like the srchost field, this field  is  protocol	depen‐
	   dent,  and  for  IP protocols will contain the dst IP address/name,
	   and optionally the DSAP.

       metrics
	   metrics represent the general  sets	of  fields  that  reflect  the
	   activity  of	 the flow.  In the default output, there are 4 fields.
	   The first 2 are the packet counts and  the  last  2	are  the  byte
	   counts  for	the  specific transaction.  The fields are paired with
	   the previous host fields, and represent the packets transmitted  by
	   the respective host.

       state
	   The state field indicates the principal state for the transaction
	   report, and is protocol dependent.  For all the protocols, except
	   ICMP, this field reports on the basic state of a transaction.

	 REQ|INT (requested|initial)
	   This indicates that this is the initial state report for a transac‐
	   tion and is seen only when the argus-server is in DETAIL mode.  For
	   TCP	connections this is REQ, indicating that a connection is being
	   requested.  For the connectionless protocols, such as UDP, this  is
	   INT.

	 ACC (accepted)
	   This	 indicates that a request/response condition has occurred, and
	   that a transaction has been detected between two hosts.   For  TCP,
	   this indicates that a connection request has been answered, and the
	   connection will be accepted.	 This is only  seen  when  the	argus-
	   server  is  in DETAIL mode.	For the connectionless protocols, this
	   state indicates that	 there	has  been  a  single  packet  exchange
	   between two hosts, and could qualify as a request/response transac‐
	   tion.

	 EST|CON (established|connected)
	   This record type indicates that the reported transaction is active,
	   and	has  been established or is continuing.	 This should be inter‐
	   preted as a state report of a currently  active  transaction.   For
	   TCP,	 the EST state is only seen in DETAIL mode, and indicates that
	   the three way handshake has been completed for a connection.

	 CLO (closed)
	   TCP specific, this record type indicates that  the  TCP  connection
	   has closed normally.

	 TIM (timeout)
	   Activity  was  not  seen  relating  to this transaction, during the
	   argus server's timeout period for this  protocol.   This  state  is
	   seen	 only  when  there were packets recorded since the last report
	   for this transaction.

       For the ICMP and ICMPv6 protocols, the state  field  displays  specific
       aspects of the ICMP type.  ICMP state can have the values:

	  ECO	  Echo Request
	  ECR	  Echo Reply
	  SRC	  Source Quench
	  RED	  Redirect
	  RTA	  Router Advertisement
	  RTS	  Router Solicitation
	  TXD	  Time Exceeded
	  PAR	  Parameter Problem
	  TST	  Time Stamp Request
	  TSR	  Time Stamp Reply
	  IRQ	  Information Request
	  IRR	  Information Reply
	  MAS	  Mask Request
	  MSR	  Mask Reply
	  URN	  Unreachable network
	  URH	  Unreachable host
	  URP	  Unreachable port
	  URF	  Unreachable need fragmentation
	  URS	  Unreachable source failed
	  URNU	  Unreachable dst network unknown
	  URHU	  Unreachable dst host unknown
	  URISO	  Unreachable source host isolated
	  URNPRO  Unreachable network administrative prohibited
	  URHPRO  Unreachable host administrative prohibited
	  URNTOS  Unreachable network TOS prohibited
	  URHTOS  Unreachable host TOS prohibited
	  URFIL	  Unreachable administrative filter
	  URPRE	  Unreachable precedence violation
	  URCUT	  Unreachable precedence cutoff

	  MRQ	  Membership Query
	  MHR	  Membership Report
	  NDS	  Neighbor Discovery Router Solicit
	  NDA	  Neighbor Discovery Router Advertisement
	  NDN	  Neighbor Discovery Neighbor Solicit
	  NDR	  Neighbor Discovery Neighbor Advertisement
	  PTB	  Packet Too Big

OUTPUT EXAMPLES
       These examples show typical ra output and demonstrate a  number  of
       variations seen in argus data.  This ra output was generated using  the
       -n option to suppress number translation.

 Thu 12/29 06:40:32   S tcp  132.3.31.15.6439	-> 12.23.14.77.23   CLO
       This   is  a  normal  tcp  transaction  to  the	telnet	port  on  host
       12.23.14.77.  The IP Option strict source route was seen.

 Thu 12/29 06:40:32	tcp  132.3.31.15.6200  <|  12.23.14.77.25   RST
       This tcp transaction from the smtp port of host 12.23.14.77 was	RESET.
       In many cases this indicates that the transaction was rejected; however,
       some OSes will use RST to close an active TCP connection.  Use either the
       -z or -Zb options to specify exactly what conditions existed during  the
       connection.

 Thu 12/29 03:39:05  M	igmp 12.88.14.10       <-> 128.2.2.10	    CON
       This is an igmp transaction state report, usually seen with MBONE traf‐
       fic.   There  was more than one source and destination MAC address pair
       used to support the transaction, suggesting a possible routing loop.

 Thu 12/29 06:40:05 *	tcp  12.23.14.23.1043  <-> 12.23.14.27.6000 TIM
       This is an X-windows transaction, that  has  TIMEDOUT.	 Packets  were
       retransmitted during the connection.

 Thu 12/29 07:42:09	udp   12.9.1.115.2262	-> 28.12.141.6.139  INT
       This  is	 an  initial  netbios UDP transaction state report, indicating
       that this is the first datagram encountered for this transaction.

 Thu 12/29 06:42:09	icmp  12.9.1.115       <-> 12.68.5.127	    ECO
       This example represents a "ping" of host 12.9.1.115, and its response.

 This next example shows the ra output of a complete TCP transaction, with  the
 preceding  ARP  and  DNS  requests, while reading from a remote argus-server.
 The '*' in the CLO report indicates that at least one TCP packet was  retrans-
 mitted during the transaction.	 The hostnames in this example are fictitious.

 % ra -S argus-server and host i.qosient.com
 ra: Trying argus-server port 561
 ra: connected Argus Version 3.0
 Sat 12/03 15:29:38	arp  i.qosient.com     who-has	dsn.qosient.com	 INT
 Sat 12/03 15:29:39	udp  i.qosient.com.1542	 <->	dns.qosient.53	 INT
 Sat 12/03 15:29:39	arp  i.qosient.com     who-has	qosient.com	 INT
 Sat 12/03 15:29:39 *	tcp  i.qosient.com.1543	  ->	qosient.com.smtp CLO
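 Every record line above shares one layout: date, time, an optional flag
 column, protocol, source, direction, destination, state.  The following is an
 added example (not part of argus, ra, or this man page) that parses such lines
 and maps the state and flag codes to the meanings given in this page; the
 sample session is a constructed copy of the one shown, and the S, M and '*'
 flag meanings are taken from the OUTPUT EXAMPLES commentary above.

```python
"""Parse ra(1) text records and explain the state/flag columns (added example)."""
from typing import List, NamedTuple, Optional

# Flag and state meanings (subset) as described on this man page.
FLAGS = {"S": "IP strict source route option seen",
         "M": "multiple src/dst MAC pairs (possible routing loop)",
         "*": "TCP packets retransmitted"}
STATES = {"REQ": "connection requested", "INT": "initial packet seen",
          "ACC": "request answered", "EST": "handshake completed",
          "CON": "continuing", "CLO": "closed normally", "TIM": "timed out",
          "RST": "reset", "ECO": "Echo Request", "ECR": "Echo Reply"}
WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}

Record = NamedTuple("Record", [("date", str), ("time", str), ("flags", List[str]),
                               ("proto", str), ("src", str), ("sport", Optional[str]),
                               ("direction", str), ("dst", str),
                               ("dport", Optional[str]), ("state", str)])

def split_endpoint(proto, ep):
    """Only tcp/udp endpoints carry a trailing '.port' (number or service name)."""
    return tuple(ep.rsplit(".", 1)) if proto in ("tcp", "udp") else (ep, None)

def parse_line(line: str) -> Optional[Record]:
    t = line.split()
    if len(t) < 8 or t[0] not in WEEKDAYS:   # skip prompt and "ra: ..." status lines
        return None
    # Trailer is fixed (proto src dir dst state); tokens between the time
    # and the protocol form the optional flag column.
    proto, src, direction, dst, state = t[-5:]
    return Record(t[1], t[2], t[3:-5], proto, *split_endpoint(proto, src),
                  direction, *split_endpoint(proto, dst), state)

def parse_session(text: str) -> List[Record]:
    return [r for r in map(parse_line, text.splitlines()) if r]

def explain(rec: Record) -> List[str]:
    """Notes for a record's state and each flag, e.g. for a triage report."""
    return [STATES.get(rec.state, "state " + rec.state)] + \
           [FLAGS.get(f, "flag " + f) for f in rec.flags]

# Constructed sample: the session shown above plus one flagged record.
SAMPLE = """\
% ra -S argus-server and host i.qosient.com
ra: Trying argus-server port 561
Sat 12/03 15:29:38  arp  i.qosient.com     who-has  dns.qosient.com  INT
Sat 12/03 15:29:39  udp  i.qosient.com.1542  <->  dns.qosient.53  INT
Sat 12/03 15:29:39 *  tcp  i.qosient.com.1543  ->  qosient.com.smtp CLO
Thu 12/29 06:40:32   S tcp  132.3.31.15.6439  -> 12.23.14.77.23   CLO
"""
```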

AUTHORS
       Carter Bullard (carter@qosient.com).

FILES
       /etc/ra.conf

SEE ALSO
       argus(8), tcpdump(1)

       Postel, Jon, Internet Protocol, RFC 791, Network Information Center, SRI
       International, Menlo Park, Calif., May 1981.

       Postel, Jon, Internet Control Message Protocol, RFC 792, Network	 Infor‐
       mation Center, SRI International, Menlo Park, Calif., May 1981.

       Postel, Jon, Transmission Control Protocol, RFC 793, Network Information
       Center, SRI International, Menlo Park, Calif., May 1981.

       Postel, Jon, User Datagram Protocol, RFC 768, Network  Information  Cen‐
       ter, SRI International, Menlo Park, Calif., May 1980.

       McCanne, Steven, and Van Jacobson, The BSD Packet Filter: A New  Archi-
       tecture  for  User-level  Capture,  Lawrence  Berkeley  Laboratory,  One
       Cyclotron Road, Berkeley, Calif., 94720, December 1992.

ra 3.0			       12 November 2007				 RA(1)