radump - tcpdump processing of the user data buffers from an argus(8) data file/stream.

       Carter Bullard (carter@qosient.com).

       Copyright (c) 2000-2016 QoSient. All rights reserved.

Radump  reads  argus data from an argus data stream or file, and prints out tcpdump style decoding of the
       user data buffers.

       This  example  dumps  the  user  capture  buffers of arp traffic seen in the file.  When there is no user
       buffer, or if the decoder can;t decode it, the length will 0.

       % radump -r argus.file -s suser:64 duser:64 -N 5 - arp
                                  srcUdata                                          dstUdata
         s[38]="who-has 192.168.0.66 tell 192.168.0.68"        d[36]="192.168.0.68 is-at c8:2a:14:58:7a:55"
         s[37]="who-has 192.168.0.1 tell 192.168.0.68"         d[36]="192.168.0.68 is-at 80:71:1f:3c:c3:88"
         s[37]="who-has 192.168.0.1 tell 192.168.0.66"          d[0]=""
         s[37]="who-has 192.168.0.1 tell 192.168.0.78"          d[0]=""
         s[38]="who-has 192.168.0.34 tell 192.168.0.66"         d[0]=""

       This example decodes the user capture buffers of DNS traffic seen in the file.

       % radump -s stime pkts suser:64 duser:64 -r ~/argus/data/argus*00.out.gz - port domain
             StartTime  TotPkts                                 srcUdata                                         dstUdata
       17:48:36.589949        2  s[37]="48936+ [_] A? www.cylab.cmu.edu. (35)"          d[32]="48936 1/3/0 A 128.2.129.188 (64)"
       17:48:36.590557        2  s[30]="3018+ [_] A? qosient.com. (29)"                 d[31]="3018 1/2/0 A 216.92.14.146 (64)"
       17:48:36.708172        2  s[39]="27243+ [_] A? ajax.googleapis.com. (37)"        d[26]="27243 2/4/4 CNAME[|domain]"
       17:48:36.776033        2  s[31]="45149+ [_] A? nsmwiki.org. (29)"                d[33]="45149 1/3/0 A 69.163.152.168 (64)"
       17:48:36.776501        2  s[40]="51781+ [_] A? www.surveymonkey.com. (38)"       d[31]="51781 1/13/0 A 75.98.93.51 (64)"
       17:48:36.776655        2  s[31]="38953+ [_] A? www.cmu.edu. (29)"                d[51]="38953 3/2/1 CNAME WWW-CMU.ANDREW.cmu.edu.,[|domain]"
       17:48:36.777014        2  s[32]="64748+ [_] A? www.cert.org. (30)"               d[33]="64748 1/2/0 A 192.88.209.244 (64)"
       17:48:36.978293        2  s[44]="53009+ [_] A? www.google-analytics.com. (42)"   d[27]="53009 17/4/4 CNAME[|domain]"

       This example decodes the user capture buffers of HTTP traffic seen in the file.

       radump -s stime proto dport pkts suser:32 duser:32 -r ~/argus/data/argus*00.out.gz -L0 -N5 - port http
             StartTime  Proto Dport  TotPkts                 srcUdata                            dstUdata
       17:48:36.592155    tcp  http       27  s[32]="GET /research/cydat.html"  d[32]="HTTP/1.1 200 OK..Date: M"
       17:48:36.632662    tcp  http       24  s[32]="GET /argus/ HTTP/1.1..Ho"  d[32]="HTTP/1.1 200 OK..Date: M"
       17:48:36.705481    tcp  http       23  s[32]="GET /files/css/public.cs"  d[32]="HTTP/1.1 200 OK..Date: M"
       17:48:36.705669    tcp  http       11  s[32]="GET /files/css/public_1c"  d[32]="HTTP/1.1 200 OK..Date: M"
       17:48:36.705987    tcp  http       15  s[32]="GET /files/js/home.js HT"  d[32]="HTTP/1.1 200 OK..Date: M"

radump - tcpdump processing of the user data buffers from an argus(8) data file/stream.

       Radump, like all ra based clients, supports a number of raoptions including  filtering  of  input  argus
       records through a terminating filter expression.  See ra(1) for a complete description of raoptions.

ra(1), rarc(5), argus(8)

radump 3.0.8                                    07 November 2000                                       RADUMP(1)

radump-rargus-file[raoptions][--filter-expression]