ramon, ragator, flows and networks.
Peter Van Epp
vanepp at sfu.ca
Fri May 4 14:25:34 EDT 2001
It can be done with Perl running off ra output. Although I'm currently
only using nets to identify scans rather than traffic (which I do by IP address),
the network (assuming class C subnet sizes) is broken off and it wouldn't be
a problem to sort traffic by subnet.

For instance this report (traffic and traffic by port) could be
modified to be traffic by destination subnet easily:

    142.58.101.24 total traffic: 328,174,671
    142.58.101.24 192.75.241.11 2049 0 0
    142.58.101.24 192.75.241.3 2049 0 0
    142.58.101.24 192.75.241.53 49153 0 0
    142.58.101.24 192.75.241.7 1524 0 0
    142.58.101.24 192.75.241.75 49257 0 0

so this would become a single line of

    142.58.101.24 192.75.241 0 0

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
>
> Hi,
>
> I have an interest in figuring out, per subnet, the top "talkers" to
> other subnets. In order to do some network provisioning, we're looking
> to find the most active (in terms of traffic sent/received) networks
> that are talking to certain specific subnets of ours.
>
> Is this something that argus can do? It seems like the rough plumbing
> for it is definitely there, and in the case of ragator perhaps that's
> the exact tool I need, but I'm not sure how to best go about creating a
> flow model that generates the type of data I'm looking for.
>
> My goal is to have a breakdown so that I get something similar to ramon
> output, as so:
>
> 988847907 ip 192.168.15.0/24 0 3689339 0 221692479 INT
> 988847926 ip 192.168.37.0/24 94475 0 101755360 0 INT
> 988847926 ip 10.20.10.0/24 0 94444 0 101753470 INT
>
> With each of those addresses being networks sending or receiving data to
> certain target networks of ours.
>
> Any hints would be appreciated!
>
> Scott
>
>
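
The collapse from per-port rows to one row per destination subnet described in the reply above, with the top-talker ranking the question asks for, as an added example that is not part of the original thread and not the Perl script mentioned there. It is written in Python; the function names are hypothetical, the sample rows are constructed, and the two trailing columns are assumed to be additive traffic counters.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of the report above: src, dst, port and
# two trailing counters (assumed here to be additive traffic counts).
SAMPLE = """\
192.0.2.24 total traffic: 2,100
192.0.2.24 198.51.100.11 2049 1000 200
192.0.2.24 198.51.100.3 2049 500 0
192.0.2.24 198.51.100.53 49153 0 300
192.0.2.24 203.0.113.7 1524 40 60
192.0.2.99 198.51.100.75 80 5000 600
host gateway 80 1 1
"""

def by_dest_subnet(lines, prefix=24):
    """Collapse per-port rows into one (src, dst subnet) row, summing counters."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skips the "total traffic:" summary line and short junk
        src, dst, _port, a, b = fields
        try:
            ipaddress.ip_address(src)
            # strict=False masks the host bits, giving the enclosing subnet
            net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
            a, b = int(a.replace(",", "")), int(b.replace(",", ""))
        except ValueError:
            continue  # a field is not an address or not a number
        key = (src, str(net))
        totals[key][0] += a
        totals[key][1] += b
    return {k: tuple(v) for k, v in totals.items()}

def top_talkers(totals, target_net, n=10):
    """Rank sources by combined counters towards one destination subnet."""
    rows = [(src, a + b) for (src, net), (a, b) in totals.items()
            if net == target_net]
    return sorted(rows, key=lambda r: r[1], reverse=True)[:n]

if __name__ == "__main__":
    totals = by_dest_subnet(SAMPLE.splitlines())
    for (src, net), (a, b) in sorted(totals.items()):
        print(src, net, a, b)
    print(top_talkers(totals, "198.51.100.0/24"))
```

Passing a different `prefix` groups by a subnet size other than the class C (/24) boundary assumed in the reply.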