Stats from argus logs

Russell Fulton r.fulton at auckland.ac.nz
Thu Nov 2 15:45:46 EST 2000


On Thu, 2 Nov 2000 11:07:03 EDT "John A. Lauro" <jlauro at umich.edu> 
wrote:

> I had 1.8.1 running for awhile now, and it's been storing logs, and
> even had to go a pull some data to help track down a hacker.  Argus
> does seem to be the best mix of data with small log size.
> 
> Is there an easy way to run statistics from argus logs?  Does anyone
> have any sample scripts, or can recommend a package that works with
> Argus logs?  I need to break out traffic patterns several different
> ways....

Others have such scripts, we use something else here ;-)

> 
> Speaking of network statistics, has anyone looked at NeTraMet?  It

We wrote it ;-) The principal author, Nevil Brownlee, is in the office 
next door and I have been chief bug finder and requester of new 
features ;-)

I've been using Netramet on a daily basis for close to 10 years.

> seems to be better suited for collecting statistics for custom
> reports on network traffic (by creating a SRL file for each type of
> report). However, that is assuming you know what reports you need in
> advance, and don't change your mind... and it also is not good for
> just plain loggin unless you have lots of disk space...  If anyone
> knows a way to run a SRL file against an argus log file, that would
> be ideal, or some other way to analyse the data for reports.

Good summary.

We run both argus and Netramet.  We use Netramet for doing accounting 
down to individual IP.  (You could do this fairly efficiently now with 
argus-2.0 and ragator (which incorporates many features of Netramet), 
once Carter has done the doc ;-) We also use Netramet for collecting 
traffic rate stats such as distributions of bitrates for flows (based 
on 10 second samples) -- something else that is only sparsely 
documented.

Have a look at http://kaka.itss.auckland.ac.nz:999 the current plots 
(last couple of days) are broken but the ones from earlier in the week 
are OK. 

Netramet's strength lies in its ability to do the data reduction on the 
meter thus reducing the amount of data you need to drag back over the 
network.

If I were starting from scratch now building a monitoring system for a 
single network I would probably just go for Argus 2.0 and ragator.

Where Netramet comes into its own is where you want to monitor a 
geographically dispersed network.  At one stage I was part of a team 
that managed the Kawaihiko network (The NZ Universities portion of the 
Internet).  Sites were billed by a complicated system of bandwidth 
measurement based on 5 minute samples taken by meters at each site
(if you are interested in the details see the article by Nevil and me in 
the Aug 2000 issue of IEEE Communications Magazine, page 162).  I had meters 
at every site which ran identical rule sets that defined flows between 
each site which were read by a process on my workstation. 

Netramet is also useful for very high bandwidth connections where 
keeping argus style audit records is either unmanageable or unnecessary.
There are several sites running netramet on OC3 (Janet UK) and one at 
OC12 (NASA). Nevil is currently experimenting with OC48 using special 
ATM card.

In summary, if you want the audit logs then go with argus 2.0, otherwise 
use Netramet.

Cheers, Russell


