ARGUS
Carter Bullard
cbullard at nortelnetworks.com
Tue Jun 1 07:45:52 EDT 1999
Hey Peter,
Thanks for the Perl script. Is it OK to put
it in the contrib section of the 1.8 tar file?
I have fixed the known TCP byte reporting
problems in 1.8. I do emphasize the "known" part,
and so we'll see how long this statement lasts.
Hope all is well,
Carter
-----Original Message-----
From: Peter Van Epp [mailto:vanepp at sfu.ca]
Sent: Friday, May 28, 1999 6:53 PM
To: argus at lists.andrew.cmu.edu
Subject: Re: ARGUS
> There are no summary stats in any of the clients in 1.7,
> but there is some provision for this in the upcoming 1.8.
> Stay tuned.
> mark.
Til then here is a quick and dirty perl script which takes output from
ra as in
ra -r argus.log -c -n | argus.pl >logfile
and prints out byte counts by IP address and by address pair. Note that Argus
used to sometimes give large bogus counts for connections that didn't end
with a correct sequence number, and I expect it still does so the numbers
should be taken with a grain of salt. I use it looking for lab machines with
more traffic than the main campus servers (usually indicating a warez site
running on someone's machine).
#!/usr/local/bin/perl
# Summarise ra(1) output: byte counts per machine, per machine pair and per /24.
# Usage: ra -r argus.log -c -n | argus.pl > logfile   (or: argus.pl ra-output-file)
open(STDIN,$ARGV[0]) || die "Can't open $ARGV[0]: $!\n"
    if $ARGV[0];

$line = 0;
while (<STDIN>) {
    $line ++;
    if (($line % 10000) == 0) {
        print STDERR "Processing $line\n";
    }
    chomp;                  # chomp rather than chop: a last line without "\n" keeps its final character
    $src_bytes = " ";
    $dest_bytes = " ";
    $source_net ="";
    $dest_net ="";
    $src_port = " ";
    $dst_port = " ";
    # Fixed-width date (18 cols) and flag (5 cols); everything after is whitespace separated.
    ($date, $flag, $rest) = unpack("A18 A5 A200",$_);
    ($type, $rest) = split(' ',$rest,2);
    if ($type eq "man") {
        # management records carry no direction field
        $mid_flag = ' ';
        ($source_ip, $dest_ip, $src_pkt, $dest_pkt, $src_bytes,
            $dest_bytes, $end_flag) = split(' ',$rest,7);
    } elsif ($type eq "icmp") {
        # icmp records carry packet counts but no byte counts
        ($source_ip, $mid_flag, $dest_ip, $src_pkt, $dest_pkt,
            $end_flag) = split(' ',$rest,6);
        if ($end_flag =~ /port/) {
            ($t, $p, $dst_port, $rest) = split(' ',$end_flag);
        }
    } else {
        # tcp/udp: addresses are printed as a.b.c.d.port, so peel the port off
        ($source_ip, $mid_flag, $dest_ip, $src_pkt, $dest_pkt,
            $src_bytes, $dest_bytes, $end_flag) = split(' ',$rest,8);
        ($a,$b,$c,$d,$src_port)= split(/\./,$source_ip);
        $source_ip = "$a.$b.$c.$d";
        $source_net = "$a.$b.$c";
        ($a,$b,$c,$d,$dst_port)= split(/\./,$dest_ip);
        $dest_ip = "$a.$b.$c.$d";
        $dest_net = "$a.$b.$c";
    }
    # Only tcp/udp records set the nets, so man and icmp records are not totalled.
    if ($source_net ne "") {
        $source_net{$source_net} += $src_bytes;
        $source_machine{$source_ip} += $src_bytes;
        $total_bytes += $src_bytes;
        $total_net{$source_net} += $src_bytes;
        $total_machine{$source_ip} += $src_bytes;
        $total_src_dst{"$source_ip $dest_ip"} += $src_bytes;
    }
    if ($dest_net ne "") {
        $dest_net{$dest_net} += $dest_bytes;
        $dest_machine{$dest_ip} += $dest_bytes;
        $total_bytes += $dest_bytes;
        $total_net{$dest_net} += $dest_bytes;
        $total_machine{$dest_ip} += $dest_bytes;
        $total_src_dst{"$source_ip $dest_ip"} += $dest_bytes;
    }
}

# Reports are built by keying on the byte count so they can be sorted descending.
foreach $net (keys %total_machine) {
    $count = $total_machine{$net};
    $c_count = &commas($count);
    $total_machine_count{$count} .= "$c_count $net\n";
}
$total_bytes = &commas($total_bytes);
print "\n\ntotal byte count by machine\n\n$total_bytes all machines\n";
foreach $count (sort numerically (keys %total_machine_count)) {
    print "$total_machine_count{$count}";
}

foreach $net (keys %total_src_dst) {
    $count = $total_src_dst{$net};
    $c_count = &commas($count);
    $total_src_dst_count{$count} .= "$c_count $net\n";
}
print "\n\ntotal byte count by machine pair\n\n";
foreach $count (sort numerically (keys %total_src_dst_count)) {
    print "$total_src_dst_count{$count}";
}

foreach $net (keys %total_net) {
    $count = $total_net{$net};
    $c_count = &commas($count);
    $total_net_count{$count} .= "$c_count $net\n";
}

# The per-net and per-direction reports below are left in but disabled.
# print "\n\ntotal byte count by net\n\n";
#
# foreach $count (sort numerically (keys %total_net_count)) {
#     print "$total_net_count{$count}";
# }
#
# foreach $net (keys %total_machine) {
#     $count = $total_machine{$net};
#     $c_count = &commas($count);
#     $total_machine_count{$count} .= "$c_count $net\n";
# }
#
# print "\n\ntotal byte count by machine\n\n";
#
# foreach $count (sort numerically (keys %total_machine_count)) {
#     print "$total_machine_count{$count}";
# }
#
# foreach $net (keys %source_net) {
#     $count = $source_net{$net};
#     $c_count = &commas($count);
#     $source_net_count{$count} .= "$c_count $net\n";
# }
#
# print "\n\nSource byte count by net\n\n";
#
# foreach $count (sort numerically (keys %source_net_count)) {
#     print "$source_net_count{$count}";
# }
#
# foreach $net (keys %dest_net) {
#     $count = $dest_net{$net};
#     $c_count = &commas($count);
#     $dest_net_count{$count} .= "$c_count $net\n";
# }
#
# print "\n\nDestination byte count by net\n\n";
#
# foreach $count (sort numerically (keys %dest_net_count)) {
#     print "$dest_net_count{$count}";
# }
#
# foreach $machine (keys %source_machine) {
#     $count = $source_machine{$machine};
#     $c_count = &commas($count);
#     $source_machine_count{$count} .= "$c_count $machine\n";
# }
#
# print "\n\nSource byte count by machine\n\n";
#
# foreach $count (sort numerically (keys %source_machine_count)) {
#     print "$source_machine_count{$count}";
# }
#
# foreach $net (keys %dest_machine) {
#     $count = $dest_machine{$net};
#     $c_count = &commas($count);
#     $dest_machine_count{$count} .= "$c_count $net\n";
# }
#
# print "\n\nDest byte count by machine\n\n";
#
# foreach $count (sort numerically (keys %dest_machine_count)) {
#     print "$dest_machine_count{$count}";
# }

# descending numeric sort for the report loops above
sub numerically {$b <=> $a;}

# insert thousands separators: 1234567 -> 1,234,567
sub commas {
    local($_) = @_;
    1 while s/(.*\d)(\d\d\d)/$1,$2/;
    $_;
}
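The same per-machine and per-pair byte summary, with the "grain of salt" from the post turned into an explicit check, as an added example that is not Peter's script and not part of argus. It assumes the same line layout the Perl script does for 1.7-era "ra -c -n" output (fixed-width date and flag columns, then proto, src.port, direction, dst.port, packet counts, byte counts, state); the sample lines, the ra_line helper and the MAX_BYTES_PER_PACKET ceiling are constructed assumptions, not an argus specification. Flows whose byte count could not physically fit in the packets reported are listed separately instead of being added to the totals, so a single bogus record cannot push a host to the top of the list.

```python
"""Byte-count summary of ra(1)-style flow lines, with a plausibility check on the counts.

Added example for this thread; not Peter's script and not argus code. The line
layout mirrors what the Perl script assumes (date 18 cols, flag 5 cols, then
whitespace-separated fields); that layout and the per-packet ceiling are assumptions.
"""
from collections import defaultdict

# Assumed plausibility ceiling: an IPv4 datagram cannot exceed 65535 bytes, so a
# flow reporting more bytes per packet than that is the kind of bogus count the
# post warns about and is set aside rather than summed.
MAX_BYTES_PER_PACKET = 65535


def ra_line(date, flag, fields):
    """Build one line in the assumed layout: date (18 cols), flag (5 cols), fields."""
    return f"{date:<18}{flag:<5} {fields}"


# Constructed sample input (RFC 5737 documentation addresses, invented counts).
SAMPLE_RA_LINES = [
    ra_line("01 Jun 99 07:45:52", "", "tcp  192.0.2.10.1234  ->  198.51.100.5.80   12  10  1400   9800  FIN"),
    ra_line("01 Jun 99 07:45:53", "", "tcp  192.0.2.11.4000  ->  198.51.100.5.80    5   4   600   3500  FIN"),
    ra_line("01 Jun 99 07:45:54", "", "udp  192.0.2.10.5353  ->  198.51.100.9.53    1   1    70    150  CON"),
    ra_line("01 Jun 99 07:45:55", "", "tcp  192.0.2.12.2000  ->  198.51.100.7.21    3   2   200  4294967000  RST"),
    ra_line("01 Jun 99 07:45:56", "", "icmp 192.0.2.10       ->  198.51.100.5       1   1  ECO"),
    ra_line("01 Jun 99 07:45:57", "", "man  192.0.2.1            198.51.100.1     100 100  5000   5000  STA"),
]


def split_host_port(field):
    """'192.0.2.10.1234' -> ('192.0.2.10', '1234'); a bare address gets port ''."""
    parts = field.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    return field, ""


def parse_ra_line(line):
    """Parse one flow line into a dict; return None for lines that do not fit the layout."""
    rest = line[23:].split()          # skip the 18 + 5 fixed-width columns
    if not rest:
        return None
    proto = rest[0]
    try:
        if proto == "man":            # management record: no direction field
            src, dst, spkts, dpkts, sbytes, dbytes = rest[1:7]
        elif proto == "icmp":         # icmp record: packet counts only
            src, _direction, dst, spkts, dpkts = rest[1:6]
            sbytes = dbytes = "0"
        else:                         # tcp/udp: packet and byte counts both ways
            src, _direction, dst, spkts, dpkts, sbytes, dbytes = rest[1:8]
        src_ip, sport = split_host_port(src)
        dst_ip, dport = split_host_port(dst)
        return {
            "proto": proto,
            "src_ip": src_ip, "sport": sport, "dst_ip": dst_ip, "dport": dport,
            "spkts": int(spkts), "dpkts": int(dpkts),
            "sbytes": int(sbytes), "dbytes": int(dbytes),
        }
    except ValueError:                # too few fields, or a count that is not a number
        return None


def plausible(rec):
    """False when a byte count cannot fit into the packets reported for that direction."""
    for pkts, nbytes in ((rec["spkts"], rec["sbytes"]), (rec["dpkts"], rec["dbytes"])):
        if pkts == 0 and nbytes > 0:
            return False
        if pkts and nbytes > pkts * MAX_BYTES_PER_PACKET:
            return False
    return True


def aggregate(lines):
    """Sum bytes per host and per (src, dst) pair; collect implausible records separately."""
    by_host, by_pair, suspect = defaultdict(int), defaultdict(int), []
    for line in lines:
        rec = parse_ra_line(line)
        # As in the Perl script, only tcp/udp records contribute to the totals.
        if rec is None or rec["proto"] in ("man", "icmp"):
            continue
        if not plausible(rec):
            suspect.append(rec)
            continue
        by_host[rec["src_ip"]] += rec["sbytes"]
        by_host[rec["dst_ip"]] += rec["dbytes"]
        by_pair[(rec["src_ip"], rec["dst_ip"])] += rec["sbytes"] + rec["dbytes"]
    return dict(by_host), dict(by_pair), suspect


def top_talkers(by_host, n=10):
    """Hosts by descending byte count: the view used to spot a lab box out-talking the servers."""
    return sorted(by_host.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def report(lines):
    """Plain-text report in the spirit of the Perl script's output, plus the skipped records."""
    by_host, by_pair, suspect = aggregate(lines)
    out = [f"total bytes, all machines: {sum(by_host.values()):,}", "", "bytes by machine:"]
    out += [f"  {n:>14,}  {ip}" for ip, n in top_talkers(by_host)]
    out += ["", "bytes by machine pair:"]
    out += [f"  {n:>14,}  {s} -> {d}" for (s, d), n in sorted(by_pair.items(), key=lambda kv: -kv[1])]
    out += ["", f"records skipped as implausible: {len(suspect)}"]
    out += [f"  {r['src_ip']} -> {r['dst_ip']}  pkts {r['spkts']}/{r['dpkts']}  bytes {r['sbytes']}/{r['dbytes']}"
            for r in suspect]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_RA_LINES))
```

Run it as "ra -r argus.log -c -n | python3 argus_sum.py" after swapping SAMPLE_RA_LINES for sys.stdin; the skipped-records list at the bottom is worth reading before trusting the top-talker ranking, since that is where the bogus counts the post mentions would show up.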