RADUMP(1) General Commands Manual RADUMP(1)

radump - tcpdump processing of the user data buffers from an argus(8) data file/stream.

radump -r argus-file [raoptions] [-- filter-expression]

Radump reads argus data from an argus data stream or file, and prints out tcpdump style decoding of the user data buffers.

Radump, like all ra based clients, supports a number of ra options including filtering of input argus records through a terminating filter expression. See ra(1) for a complete description of ra options.

This example dumps the user capture buffers of ARP traffic seen in the file. When there is no user buffer, or if the decoder can't decode it, the length will be 0.

% radump -r argus.file -s suser:64 duser:64 -N 5 - arp

srcUdata dstUdata
s[38]="who-has 192.168.0.66 tell 192.168.0.68" d[36]="192.168.0.68 is-at c8:2a:14:58:7a:55"
s[37]="who-has 192.168.0.1 tell 192.168.0.68" d[36]="192.168.0.68 is-at 80:71:1f:3c:c3:88"
s[37]="who-has 192.168.0.1 tell 192.168.0.66" d[0]=""
s[37]="who-has 192.168.0.1 tell 192.168.0.78" d[0]=""
s[38]="who-has 192.168.0.34 tell 192.168.0.66" d[0]=""

This example decodes the user capture buffers of DNS traffic seen in the file.

% radump -s stime pkts suser:64 duser:64 -r ~/argus/data/argus*00.out.gz - port domain

StartTime TotPkts srcUdata dstUdata
17:48:36.589949 2 s[37]="48936+ [_] A? www.cylab.cmu.edu. (35)" d[32]="48936 1/3/0 A 128.2.129.188 (64)"
17:48:36.590557 2 s[30]="3018+ [_] A? qosient.com. (29)" d[31]="3018 1/2/0 A 216.92.14.146 (64)"
17:48:36.708172 2 s[39]="27243+ [_] A? ajax.googleapis.com. (37)" d[26]="27243 2/4/4 CNAME[|domain]"
17:48:36.776033 2 s[31]="45149+ [_] A? nsmwiki.org. (29)" d[33]="45149 1/3/0 A 69.163.152.168 (64)"
17:48:36.776501 2 s[40]="51781+ [_] A? www.surveymonkey.com. (38)" d[31]="51781 1/13/0 A 75.98.93.51 (64)"
17:48:36.776655 2 s[31]="38953+ [_] A? www.cmu.edu. (29)" d[51]="38953 3/2/1 CNAME WWW-CMU.ANDREW.cmu.edu.,[|domain]"
17:48:36.777014 2 s[32]="64748+ [_] A? www.cert.org. (30)" d[33]="64748 1/2/0 A 192.88.209.244 (64)"
17:48:36.978293 2 s[44]="53009+ [_] A? www.google-analytics.com. (42)" d[27]="53009 17/4/4 CNAME[|domain]"

This example decodes the user capture buffers of HTTP traffic seen in the file.

% radump -s stime proto dport pkts suser:32 duser:32 -r ~/argus/data/argus*00.out.gz -L0 -N5 - port http

StartTime Proto Dport TotPkts srcUdata dstUdata
17:48:36.592155 tcp http 27 s[32]="GET /research/cydat.html" d[32]="HTTP/1.1 200 OK..Date: M"
17:48:36.632662 tcp http 24 s[32]="GET /argus/ HTTP/1.1..Ho" d[32]="HTTP/1.1 200 OK..Date: M"
17:48:36.705481 tcp http 23 s[32]="GET /files/css/public.cs" d[32]="HTTP/1.1 200 OK..Date: M"
17:48:36.705669 tcp http 11 s[32]="GET /files/css/public_1c" d[32]="HTTP/1.1 200 OK..Date: M"
17:48:36.705987 tcp http 15 s[32]="GET /files/js/home.js HT" d[32]="HTTP/1.1 200 OK..Date: M"
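The rows above share one notation, s[len]="..." d[len]="...", with d[0]="" marking a flow that carried no reply buffer. The following added example (not part of radump or the argus distribution) parses rows in that notation from any of the three examples and, over the ARP rows, lists who-has requests that got no reply, which is a useful check for hosts probing addresses that never answer. The sample rows are copied from the ARP example; the names parse_line and unanswered_arp are this example's own.

```python
import re
from typing import NamedTuple, Optional

# radump user-data notation: s[<len>]="<src bytes>" d[<len>]="<dst bytes>".
# Non-printable bytes are rendered as '.', so the buffer text is safe to match.
UDATA_RE = re.compile(r's\[(\d+)\]="(.*?)"\s+d\[(\d+)\]="(.*?)"$')
WHO_HAS_RE = re.compile(r'who-has (\S+) tell (\S+)')

class Flow(NamedTuple):
    prefix: str   # leading columns (stime, pkts, ...) printed before the buffers
    slen: int
    sdata: str
    dlen: int
    ddata: str

def parse_line(line: str) -> Optional[Flow]:
    """Parse one radump output row; header and blank lines return None."""
    m = UDATA_RE.search(line)
    if not m:
        return None
    return Flow(line[:m.start()].strip(), int(m.group(1)), m.group(2),
                int(m.group(3)), m.group(4))

def unanswered_arp(lines):
    """Return (requester, target) pairs for who-has requests whose reply
    buffer is empty (d[0]=""), i.e. no is-at answer was captured."""
    found = []
    for line in lines:
        f = parse_line(line)
        if f is None or f.dlen != 0:
            continue
        m = WHO_HAS_RE.search(f.sdata)
        if m:
            found.append((m.group(2), m.group(1)))
    return found

# Sample input: the ARP rows from the first example on this page.
SAMPLE = '''srcUdata dstUdata
s[38]="who-has 192.168.0.66 tell 192.168.0.68" d[36]="192.168.0.68 is-at c8:2a:14:58:7a:55"
s[37]="who-has 192.168.0.1 tell 192.168.0.68" d[36]="192.168.0.68 is-at 80:71:1f:3c:c3:88"
s[37]="who-has 192.168.0.1 tell 192.168.0.66" d[0]=""
s[37]="who-has 192.168.0.1 tell 192.168.0.78" d[0]=""
s[38]="who-has 192.168.0.34 tell 192.168.0.66" d[0]=""
'''.splitlines()

if __name__ == "__main__":
    for requester, target in unanswered_arp(SAMPLE):
        print(f"{requester} asked for {target}: no reply captured")
```

Pipe real output into it with radump ... | python3 this_script.py after replacing SAMPLE with sys.stdin; the parser ignores the header row and any -s columns placed before suser/duser.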

Copyright (c) 2000-2016 QoSient. All rights reserved.

Carter Bullard (carter@qosient.com).

ra(1), rarc(5), argus(8)

07 November 2000 radump 3.0.8