DOKK / manpages / debian 13 / argus-client / ragen.1.en
RAGEN(1) General Commands Manual RAGEN(1)

ragen - generate synthetic argus(8) data streams / files.

ragen [-f conf] [-m agr(s)] [-M mode(s)] [-P procnum] [raoptions] [-- filter-expression]

Ragen reads argus data from an argus-data source, and uses the data as a baseline to generate synthetic argus data records. The synthetic data is based on the input data and the flow key criteria specified either on the command line, or in a ragen configuration file, and outputs a valid argus-stream. This tool is primarily used to create AI/ML training data.

Please see ragen.5 for detailed information regarding ragen configuration.

Ragen, like all ra based clients, supports a number of ra options including filtering of input argus records through a terminating filter expression, and the ability to specify the output style, format and contents for printing data. See ra(1) for a complete description of ra options. ragen(1) specific options are:

Supported aggregation objects are:

do not merge records (results in no aggregation).
merge all records into a single record.
argus source identifier.
source mac(ether) addr.
destination mac(ether) addr.
oui portion of the source mac(ether) addr.
oui portion of the destination mac(ether) addr.
source mpls label.
destination label addr.
source vlan label.
destination vlan addr.
source IP addr/[cidr len | m.a.s.k].
destination IP addr/[cidr len | m.a.s.k].
sorted src and dst IP addr/cidr len.
transaction protocol.
source port number. Implies use of 'proto'.
destination port number. Implies use of 'proto'.
source TOS byte value.
destination TOS byte value.
src -> dst TTL value.
dst -> src TTL value.
src -> dst TCP base sequence number.
dst -> src TCP base sequence number.
intermediate node IP addr/[cidr len | m.a.s.k], source of ICMP mapped events.
source ARIN country code, if present.
destination ARIN country code, if present.
source node origin AS number, if available.
destination node origin AS number, if available.
intermediate node origin AS number, if available.

Supported modes are:

Attempt to correct the direction of flows by also searching the reverse flow key, if a match isn't found in the cache. This mode is on by default when using the default full 5-tuple flow key definitions.
Turn off flow correction for direction. This mode is used by default if the flow key has been changed.
Do not generate an aggregate statistic for each flow. This is used primarily when the output represents a single object. Primarily used when merging status records to generate single flows that represent single transactions.
Generate data suitable for producing RMON types of metrics.
Process each input file independantly, so that after the end of each inputfile, ragen flushes its output.
Replace each inputfile contents, with the aggregated output. The initial file compression status is maintained
Specify the number of processors to use for aggregation. Default is 1.

Verbose operation, printing a line of output for each input file processed. Very useful when using the ra() -R option.

A sample invocation of ragen(1). This call reads argus(8) data from inputfile and aggregates the TCP protocol based argus(8) data. By default, ragen(1) merges using the standard 5-tuple flow key. This method is used to merge multiple status records into a single flow record per transaction.

% ra -r argus.tcp.2012.02.13.12.20.00 


    StartTime      Dur Trans      Flgs  Proto        SrcAddr  Sport   Dir        DstAddr  Dport  TotPkts State 


 12:23:07.268    0.997     1  e i         tcp   192.168.0.68.59016     ->  208.59.201.75.http        298   CON


 12:23:08.294    1.000     1  e           tcp   192.168.0.68.59016     ->  208.59.201.75.http        111   CON


 12:23:09.294    0.991     1  e d         tcp   192.168.0.68.59016     ->  208.59.201.75.http        637   CON


 12:23:10.331    0.330     1  e           tcp   192.168.0.68.59016     ->  208.59.201.75.http         89   CON


 12:23:32.183    0.010     1  e           tcp   192.168.0.68.59016     ->  208.59.201.75.http          3   FIN
% ragen -r argus.tcp.2012.02.13.12.20.00


    StartTime      Dur Trans      Flgs  Proto        SrcAddr  Sport   Dir        DstAddr  Dport  TotPkts State 


 12:23:07.268   24.925     5  e d         tcp   192.168.0.68.59016     ->  208.59.201.75.http       1138   FIN

A sample invocation of ragen(1). This call reads argus(8) data from inputfile and aggregates the TCP protocol based argus(8) data, based on the source and destination address matrix and the protocol. It reports the metrics as a percent of the total.

% ragen -r argus.2012.02.13.17.20.00 -m saddr/16 daddr proto -% \


       -s stime dur trans proto saddr dir daddr pkts state - tcp and port https


    StartTime      Dur   pTrans  Proto        SrcAddr  Dir        DstAddr  pTotPkts State 


 17:49:54.225    8.101   33.333    tcp 192.168.0.0/16   ->   17.154.66.18    23.372   FIN


 17:48:42.607  179.761   13.333    tcp 192.168.0.0/16   ->  17.172.224.25    31.052   FIN


 17:50:01.113    0.803    6.667    tcp 192.168.0.0/16   -> 17.250.248.161     5.676   FIN


 17:49:54.525    1.153    6.667    tcp 192.168.0.0/16   ->  64.12.173.137     5.509   FIN


 17:50:35.411  101.133   26.667    tcp 192.168.0.0/16   ->  184.28.150.87    19.199   RST


 17:49:56.061   73.415    6.667    tcp 192.168.0.0/16   ->   205.188.8.47    11.018   RST


 17:49:55.677    0.434    6.667    tcp 192.168.0.0/16   -> 205.188.101.10     4.174   FIN

Copyright (c) 2000-2024 QoSient. All rights reserved.

racluster(5), ra(1), rarc(5), argus(8),

Carter Bullard (carter@qosient.com).

07 October 2023 ragen 5.0.3