RADUMP(1) General Commands Manual RADUMP(1)

radump - tcpdump processing of the user data buffers from an argus(8) data file/stream.

radump -r argus-file [raoptions] [-- filter-expression]

Radump reads argus data from an argus data stream or file, and prints out tcpdump style decoding of the user data buffers.

Radump, like all ra based clients, supports a number of ra options including filtering of input argus records through a terminating filter expression. See ra(1) for a complete description of ra options.

This example dumps the user capture buffers of arp traffic seen in the file. When there is no user buffer, or if the decoder can't decode it, the length will be 0.

% radump -r argus.file -s suser:64 duser:64 -N 5 - arp
                           srcUdata                                          dstUdata
  s[38]="who-has 192.168.0.66 tell 192.168.0.68"        d[36]="192.168.0.68 is-at c8:2a:14:58:7a:55"                    
  s[37]="who-has 192.168.0.1 tell 192.168.0.68"         d[36]="192.168.0.68 is-at 80:71:1f:3c:c3:88"                    
  s[37]="who-has 192.168.0.1 tell 192.168.0.66"          d[0]=""                                                        
  s[37]="who-has 192.168.0.1 tell 192.168.0.78"          d[0]=""                                                        
  s[38]="who-has 192.168.0.34 tell 192.168.0.66"         d[0]="" 

This example decodes the user capture buffers of DNS traffic seen in the file.

% radump -s stime pkts suser:64 duser:64 -r ~/argus/data/argus*00.out.gz - port domain
      StartTime  TotPkts                                 srcUdata                                         dstUdata                                  
17:48:36.589949        2  s[37]="48936+ [_] A? www.cylab.cmu.edu. (35)"          d[32]="48936 1/3/0 A 128.2.129.188 (64)"                        
17:48:36.590557        2  s[30]="3018+ [_] A? qosient.com. (29)"                 d[31]="3018 1/2/0 A 216.92.14.146 (64)"                         
17:48:36.708172        2  s[39]="27243+ [_] A? ajax.googleapis.com. (37)"        d[26]="27243 2/4/4 CNAME[|domain]"                              
17:48:36.776033        2  s[31]="45149+ [_] A? nsmwiki.org. (29)"                d[33]="45149 1/3/0 A 69.163.152.168 (64)"                       
17:48:36.776501        2  s[40]="51781+ [_] A? www.surveymonkey.com. (38)"       d[31]="51781 1/13/0 A 75.98.93.51 (64)"                         
17:48:36.776655        2  s[31]="38953+ [_] A? www.cmu.edu. (29)"                d[51]="38953 3/2/1 CNAME WWW-CMU.ANDREW.cmu.edu.,[|domain]"     
17:48:36.777014        2  s[32]="64748+ [_] A? www.cert.org. (30)"               d[33]="64748 1/2/0 A 192.88.209.244 (64)"                       
17:48:36.978293        2  s[44]="53009+ [_] A? www.google-analytics.com. (42)"   d[27]="53009 17/4/4 CNAME[|domain]"            
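As an added example (not part of the radump man page or the argus distribution), a small sh/awk helper that post-processes the DNS rows above into a per-flow "name, status" summary, separating answered queries from those whose dstUdata buffer was truncated ("[|domain]") or empty (d[0]=""); the sample rows are constructed to match the page's column layout rather than captured from a radump run.

```shell
#!/bin/sh
# Constructed sample of radump DNS output in the column format shown on this page
# (hand-written to match the page's layout, not captured from a real radump run).
RADUMP_DNS_SAMPLE='17:48:36.589949        2  s[37]="48936+ [_] A? www.cylab.cmu.edu. (35)"          d[32]="48936 1/3/0 A 128.2.129.188 (64)"
17:48:36.708172        2  s[39]="27243+ [_] A? ajax.googleapis.com. (37)"        d[26]="27243 2/4/4 CNAME[|domain]"
17:48:36.900000        2  s[0]=""                                                d[0]=""'

# dns_summary: read radump DNS rows on stdin, print one "name<TAB>status" line per row.
#   answered  - a decoded answer was present in dstUdata
#   truncated - the decoder ran out of captured bytes ("[|domain]")
#   empty     - no user buffer was captured or decoded (d[0]="")
# A row whose srcUdata is empty (s[0]="") is reported with "-" as its name.
dns_summary() {
    awk '
    {
        # skip the header and any line without an s[N]="..." field
        if (!match($0, /s\[[0-9]+\]="[^"]*"/)) next
        s = substr($0, RSTART, RLENGTH); sub(/^s\[[0-9]+\]="/, "", s); sub(/"$/, "", s)
        d = ""
        if (match($0, /d\[[0-9]+\]="[^"]*"/)) {
            d = substr($0, RSTART, RLENGTH); sub(/^d\[[0-9]+\]="/, "", d); sub(/"$/, "", d)
        }
        # question format from the page: "<id>+ [_] <type>? <name>. (<len>)"
        name = "-"
        n = split(s, f, " ")
        if (n >= 4 && f[3] ~ /\?$/) { name = f[4]; sub(/\.$/, "", name) }
        if (d == "")                    status = "empty"
        else if (index(d, "[|domain]")) status = "truncated"
        else                            status = "answered"
        printf "%s\t%s\n", name, status
    }'
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$RADUMP_DNS_SAMPLE" | dns_summary
```

Piping live output into it (`radump -s stime pkts suser:64 duser:64 -r file - port domain | dns_summary`) gives the same summary for real traffic; rows marked truncated are where a larger `duser:` capture size would be needed to see the full answer.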

This example decodes the user capture buffers of HTTP traffic seen in the file.

radump -s stime proto dport pkts suser:32 duser:32 -r ~/argus/data/argus*00.out.gz -L0 -N5 - port http
      StartTime  Proto Dport  TotPkts                 srcUdata                            dstUdata                  
17:48:36.592155    tcp  http       27  s[32]="GET /research/cydat.html"  d[32]="HTTP/1.1 200 OK..Date: M"
17:48:36.632662    tcp  http       24  s[32]="GET /argus/ HTTP/1.1..Ho"  d[32]="HTTP/1.1 200 OK..Date: M"
17:48:36.705481    tcp  http       23  s[32]="GET /files/css/public.cs"  d[32]="HTTP/1.1 200 OK..Date: M"
17:48:36.705669    tcp  http       11  s[32]="GET /files/css/public_1c"  d[32]="HTTP/1.1 200 OK..Date: M"
17:48:36.705987    tcp  http       15  s[32]="GET /files/js/home.js HT"  d[32]="HTTP/1.1 200 OK..Date: M"

Copyright (c) 2000-2016 QoSient. All rights reserved.

Carter Bullard (carter@qosient.com).

ra(1), rarc(5), argus(8)

07 November 2000 radump 3.0.8