ARGUS

Peter Van Epp vanepp at sfu.ca
Fri May 28 18:52:54 EDT 1999


> 
> 
> 
> There are no summary stats in any of the clients in 1.7,
> but there is some provision for this in the upcoming 1.8.
> Stay tuned.
> mark.

	Until then, here is a quick and dirty Perl script which takes output from
ra, as in

ra -r argus.log -c -n | argus.pl >logfile

and prints out byte counts by IP address and by address pair. (The script
will also read a file named as its first argument instead of standard input.)
Note that Argus used to sometimes give large bogus byte counts for connections
that did not end with a correct sequence number, and I expect it still does,
so the numbers should be taken with a grain of salt. I use it to look for lab
machines with more traffic than the main campus servers (usually indicating a
warez site running on someone's machine).

#!/usr/local/bin/perl

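# Optional first argument: a file of "ra -c -n" output to read instead of STDIN.
# Three-argument open with an explicit '<' mode.  The original two-argument
# open(STDIN, $ARGV[0]) let the mode come from the argument itself, so a name
# such as "|cmd" would have run a command and ">file" would have truncated a
# file.  The name is now only ever opened for reading.
open(STDIN, '<', $ARGV[0]) || die "Can't open $ARGV[0]: $!\n"
        if $ARGV[0];

# Split an ra address field "a.b.c.d.port" into ("a.b.c.d", "a.b.c").
# The trailing port is dropped.  A field with fewer than four dotted parts
# yields trailing dots, exactly as the original string interpolation did.
sub host_and_net {
        my ($field) = @_;
        my @octet = split(/\./, $field);
        return (join('.', @octet[0 .. 3]), join('.', @octet[0 .. 2]));
}

# Read every ra record and accumulate byte counts into the package-level
# tallies used by the report below:
#   %source_net / %source_machine  bytes sent by the source net / host
#   %dest_net   / %dest_machine    bytes sent by the destination net / host
#   %total_net  / %total_machine   both directions, keyed by net / host
#   %total_src_dst                 both directions, keyed by "src dst"
#   $total_bytes                   grand total over all records
$line = 0;
while (<STDIN>) {
        $line++;
        # Progress goes to STDERR so it never lands in the report on STDOUT.
        print STDERR "Processing $line\n" if ($line % 10000) == 0;
        # chomp rather than chop: chop would remove a data byte from a final
        # line that has no trailing newline.
        chomp;
        # ra -c layout: 18-char timestamp, 5-char flag field, then the record.
        # A200 caps the record; anything beyond that is dropped, as before.
        my ($date, $flag, $rest) = unpack("A18 A5 A200", $_);
        (my $type, $rest) = split(' ', $rest, 2);
        # A blank line has no type; the original turned it into a bogus
        # "0 ... ..." entry in the report.
        next unless defined $type;
        # "man" (management) and "icmp" records never reached the tallies in
        # the original either (their net stayed empty), so skip them outright
        # rather than parsing fields that are then thrown away.
        next if $type eq "man" || $type eq "icmp";

        # Generic (tcp/udp/...) record: src, direction flag, dst, packets and
        # bytes in each direction, then the state field.
        my ($src_field, $mid_flag, $dst_field, $src_pkt, $dest_pkt,
            $src_bytes, $dest_bytes, $end_flag) = split(' ', $rest, 8);
        my ($source_ip, $source_net) = host_and_net($src_field);
        my ($dest_ip,   $dest_net)   = host_and_net($dst_field);
        my $pair = "$source_ip $dest_ip";

        # Bytes sent by the source count against the source host and net ...
        $source_net{$source_net}    += $src_bytes;
        $source_machine{$source_ip} += $src_bytes;
        $total_net{$source_net}     += $src_bytes;
        $total_machine{$source_ip}  += $src_bytes;
        # ... bytes sent by the destination against the destination ...
        $dest_net{$dest_net}        += $dest_bytes;
        $dest_machine{$dest_ip}     += $dest_bytes;
        $total_net{$dest_net}       += $dest_bytes;
        $total_machine{$dest_ip}    += $dest_bytes;
        # ... and both directions against the grand total and the pair.
        $total_bytes                += $src_bytes + $dest_bytes;
        $total_src_dst{$pair}       += $src_bytes + $dest_bytes;
}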

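# Group a "key => byte total" hash by total, so every key with the same total
# lands in one bucket keyed by that total.  Each bucket is a block of
# "<comma-formatted total> <key>\n" lines ready to print.  Keys sharing a
# total are appended in hash-iteration order, as in the original loops.
sub rank_by_total {
        my ($totals) = @_;
        my %bucket;
        foreach my $key (keys %$totals) {
                my $count = $totals->{$key};
                $bucket{$count} .= commas($count) . " $key\n";
        }
        return %bucket;
}

# Print the buckets largest total first ("numerically" is the descending
# comparator defined at the bottom of the file).
sub print_ranked {
        my ($bucket) = @_;
        foreach my $count (sort numerically (keys %$bucket)) {
                my $block = $bucket->{$count};
                print $block;
        }
}

# The same build-then-print sequence was previously written out three times;
# the bucket hashes stay package globals because the commented-out reports
# further down refer to them by name.
%total_machine_count = rank_by_total(\%total_machine);
# Format a copy for the header so $total_bytes keeps its raw numeric value.
my $grand_total = commas($total_bytes);
print "\n\ntotal byte count by machine\n\n$grand_total all machines\n";
print_ranked(\%total_machine_count);

%total_src_dst_count = rank_by_total(\%total_src_dst);
print "\n\ntotal byte count by machine pair\n\n";
print_ranked(\%total_src_dst_count);

# Built but not printed: the per-net report that used it is commented out.
%total_net_count = rank_by_total(\%total_net);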

# print "\n\ntotal byte count by net\n\n";
# 
# foreach $count (sort numerically (keys %total_net_count)) {
#       print "$total_net_count{$count}";
# }
# 
# foreach $net (keys %total_machine) {
#       $count = $total_machine{$net};
#       $c_count = &commas($count);
#       $total_machine_count{$count} .= "$c_count $net\n";
# }
# 
# print "\n\ntotal byte count by machine\n\n";
# 
# foreach $count (sort numerically (keys %total_machine_count)) {
#       print "$total_machine_count{$count}";
# }
# 
# foreach $net (keys %source_net) {
#       $count = $source_net{$net};
#       $c_count = &commas($count);
#       $source_net_count{$count} .= "$c_count $net\n";
# }
# 
# print "\n\nSource byte count by net\n\n";
# 
# foreach $count (sort numerically (keys %source_net_count)) {
#       print "$source_net_count{$count}";
# }
# 
# foreach $net (keys %dest_net) {
#       $count = $dest_net{$net};
#       $c_count = &commas($count);
#       $dest_net_count{$count} .= "$c_count $net\n";
# }
# 
# print "\n\nDestination byte count by net\n\n";
# 
# foreach $count (sort numerically (keys %dest_net_count)) {
#       print "$dest_net_count{$count}";
# }
# 
# foreach $machine (keys %source_machine) {
#       $count = $source_machine{$machine};
#       $c_count = &commas($count);
#       $source_machine_count{$count} .= "$c_count $machine\n";
# }
# 
# print "\n\nSource byte count by machine\n\n";
# 
# foreach $count (sort numerically (keys %source_machine_count)) {
#       print "$source_machine_count{$count}";
# }
# 
# foreach $net (keys %dest_machine) {
#       $count = $dest_machine{$net};
#       $c_count = &commas($count);
#       $dest_machine_count{$count} .= "$c_count $net\n";
# }
# 
# print "\n\nDest byte count by machine\n\n";
# 
# foreach $count (sort numerically (keys %dest_machine_count)) {
#       print "$dest_machine_count{$count}";
# }


# Comparator for sort: descending numeric order, so the biggest byte count
# is printed first.
sub numerically { return $b <=> $a; }
# Insert thousands separators into an integer byte count
# ("1234567" -> "1,234,567").  The substitution is repeated until no run of
# four or more digits is left; values shorter than four digits pass through
# untouched.
sub commas {
        my ($num) = @_;
        1 while $num =~ s/(.*\d)(\d\d\d)/$1,$2/;
        return $num;
}


