RADUMP(1) General Commands Manual RADUMP(1)

NAME
radump - tcpdump processing of the user data buffers from an argus(8)
data file/stream.

SYNOPSIS
radump -r argus-file [raoptions] [-- filter-expression]

DESCRIPTION
Radump reads argus data from an argus data stream or file, and prints
out tcpdump style decoding of the user data buffers.

OPTIONS
Radump, like all ra based clients, supports a number of ra options
including filtering of input argus records through a terminating filter
expression. See ra(1) for a complete description of ra options.

EXAMPLE
This example dumps the user capture buffers of arp traffic seen in the
file. When there is no user buffer, or if the decoder can't decode it,
the length will be 0.

% radump -r argus.file -s suser:64 duser:64 -N 5 - arp
srcUdata dstUdata
s[38]="who-has 192.168.0.66 tell 192.168.0.68" d[36]="192.168.0.68 is-at c8:2a:14:58:7a:55"
s[37]="who-has 192.168.0.1 tell 192.168.0.68" d[36]="192.168.0.68 is-at 80:71:1f:3c:c3:88"
s[37]="who-has 192.168.0.1 tell 192.168.0.66" d[0]=""
s[37]="who-has 192.168.0.1 tell 192.168.0.78" d[0]=""
s[38]="who-has 192.168.0.34 tell 192.168.0.66" d[0]=""

This example decodes the user capture buffers of DNS traffic seen in
the file.

% radump -s stime pkts suser:64 duser:64 -r ~/argus/data/argus*00.out.gz - port domain
StartTime TotPkts srcUdata dstUdata
17:48:36.589949 2 s[37]="48936+ [_] A? www.cylab.cmu.edu. (35)" d[32]="48936 1/3/0 A 128.2.129.188 (64)"
17:48:36.590557 2 s[30]="3018+ [_] A? qosient.com. (29)" d[31]="3018 1/2/0 A 216.92.14.146 (64)"
17:48:36.708172 2 s[39]="27243+ [_] A? ajax.googleapis.com. (37)" d[26]="27243 2/4/4 CNAME[|domain]"
17:48:36.776033 2 s[31]="45149+ [_] A? nsmwiki.org. (29)" d[33]="45149 1/3/0 A 69.163.152.168 (64)"
17:48:36.776501 2 s[40]="51781+ [_] A? www.surveymonkey.com. (38)" d[31]="51781 1/13/0 A 75.98.93.51 (64)"
17:48:36.776655 2 s[31]="38953+ [_] A? www.cmu.edu. (29)" d[51]="38953 3/2/1 CNAME WWW-CMU.ANDREW.cmu.edu.,[|domain]"
17:48:36.777014 2 s[32]="64748+ [_] A? www.cert.org. (30)" d[33]="64748 1/2/0 A 192.88.209.244 (64)"
17:48:36.978293 2 s[44]="53009+ [_] A? www.google-analytics.com. (42)" d[27]="53009 17/4/4 CNAME[|domain]"

This example decodes the user capture buffers of HTTP traffic seen in
the file.

radump -s stime proto dport pkts suser:32 duser:32 -r ~/argus/data/argus*00.out.gz -L0 -N5 - port http
StartTime Proto Dport TotPkts srcUdata dstUdata
17:48:36.592155 tcp http 27 s[32]="GET /research/cydat.html" d[32]="HTTP/1.1 200 OK..Date: M"
17:48:36.632662 tcp http 24 s[32]="GET /argus/ HTTP/1.1..Ho" d[32]="HTTP/1.1 200 OK..Date: M"
17:48:36.705481 tcp http 23 s[32]="GET /files/css/public.cs" d[32]="HTTP/1.1 200 OK..Date: M"
17:48:36.705669 tcp http 11 s[32]="GET /files/css/public_1c" d[32]="HTTP/1.1 200 OK..Date: M"
17:48:36.705987 tcp http 15 s[32]="GET /files/js/home.js HT" d[32]="HTTP/1.1 200 OK..Date: M"

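A small parser for the s[len]="..." d[len]="..." fields that radump prints, added here as an example and not part of the argus distribution. It assumes the output layout shown in the examples above, flags the zero-length (no buffer / undecodable) case the text describes and the [|proto] truncation marker, and uses lines copied from those examples as its sample input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One radump record: optional leading columns (stime, pkts, ...), then
#   s[<len>]="<decoded src buffer>" d[<len>]="<decoded dst buffer>"
# A length of 0 means no user buffer was captured or the decoder could not decode it.
UDATA_RE = re.compile(r's\[(\d+)\]="(.*?)"\s+d\[(\d+)\]="(.*?)"\s*$')

@dataclass
class UdataRecord:
    columns: str   # text printed before the buffers, "" when only udata fields were requested
    src_len: int
    src: str
    dst_len: int
    dst: str

    @property
    def unanswered(self) -> bool:
        # a request whose destination buffer is empty: no reply data was captured
        return self.src_len > 0 and self.dst_len == 0

    @property
    def truncated(self) -> bool:
        # tcpdump-style decoders mark a cut-off decode with [|proto]
        return "[|" in self.src or "[|" in self.dst

def parse_line(line: str) -> Optional[UdataRecord]:
    """Parse one radump output line; header and non-matching lines give None."""
    m = UDATA_RE.search(line)
    if m is None:
        return None
    return UdataRecord(line[:m.start()].strip(), int(m.group(1)), m.group(2),
                       int(m.group(3)), m.group(4))

def parse_output(text: str) -> List[UdataRecord]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

def dns_query_names(records: List[UdataRecord]) -> List[str]:
    """Pull the queried name out of tcpdump-style DNS decodes such as 'A? host. (35)'."""
    names = []
    for r in records:
        m = re.search(r'\b[A-Z]+\? (\S+) \(\d+\)', r.src)
        if m:
            names.append(m.group(1).rstrip('.'))
    return names

# Constructed sample: ARP and DNS lines taken from the examples above.
SAMPLE = """\
srcUdata dstUdata
s[38]="who-has 192.168.0.66 tell 192.168.0.68" d[36]="192.168.0.68 is-at c8:2a:14:58:7a:55"
s[37]="who-has 192.168.0.1 tell 192.168.0.66" d[0]=""
17:48:36.589949 2 s[37]="48936+ [_] A? www.cylab.cmu.edu. (35)" d[32]="48936 1/3/0 A 128.2.129.188 (64)"
17:48:36.708172 2 s[39]="27243+ [_] A? ajax.googleapis.com. (37)" d[26]="27243 2/4/4 CNAME[|domain]"
"""
```

Feed it `radump ... | python3 parse_radump.py` style output and the records expose the length, reply-present and truncation facts for each flow.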
COPYRIGHT
Copyright (c) 2000-2016 QoSient. All rights reserved.

AUTHORS
Carter Bullard (carter@qosient.com).

SEE ALSO
ra(1), rarc(5), argus(8)

radump 3.0.8 07 November 2000 RADUMP(1)