ramon, ragator, flows and networks.

Carter Bullard carter at qosient.com
Fri May 4 21:39:26 EDT 2001 

Another way would be to run the data through ragator()
first, with a config file that aggregates based on class
C network address, and then run the output to ramon -M topn.

ragator.config:

# match anything use model 200 with a big time.
Flow  100  * * * * *  200 1000000
#
# aggregate based on class C net address but don't
# keep any protocol, or port information.
#
Model 200  255.255.255.0 255.255.255.0  no no no
#


so

ragator -f ragator.conf -r filename -w - | ramon -M topn

That should do it.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of 
> Peter Van Epp
> Sent: Friday, May 04, 2001 2:26 PM
> To: argus
> Subject: Re: ramon, ragator, flows and networks.
> 
> 
> 	It can be done with perl running off ra output. 
> Although I'm currently
> only using nets to identify scans rather than traffic (which 
> I do by IP address)
> the network (assuming class C subnet sizes) is broken off and 
> it wouldn't be 
> a problem to sort traffic by subnet.
> 	For instance this report (traffic and traffic by port) could be 
> modified to be traffic by destination subnet easily:
> 
> 
> 142.58.101.24   total traffic: 328,174,671
>            142.58.101.24    192.75.241.11   2049              
>  0               0
> 
>            142.58.101.24     192.75.241.3   2049              
>  0               0
> 
>            142.58.101.24    192.75.241.53  49153              
>  0               0
> 
>            142.58.101.24     192.75.241.7   1524              
>  0               0
> 
>            142.58.101.24    192.75.241.75  49257              
>  0               0
> 
> 	so this would become a single line of 
> 
> 	142.58.101.24	   192.75.241				
> 0 	0
> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> 
> > 
> > Hi,
> > 
> > I have an interest in figuring out, per subnet, the top "talkers" to
> > other subnets.  In order to do some network provisioning, 
> we're looking
> > to find the most active (in terms of traffic sent/received) networks
> > that are talking to certain specific subnets of ours.
> > 
> > Is this something that argus can do?  It seems like the 
> rough plumbing
> > for it is definitely there, and in the case of ragator 
> perhaps that's
> > the exact tool I need, but I'm not sure how to best go 
> about creating a
> > flow model that generates the type of data I'm looking for.
> > 
> > My goal is to have a breakdown so that I get something 
> similar to ramon
> > output, as so:
> > 
> > 988847907     ip 192.168.15.0/24                 0        
> 3689339   0 221692479   INT
> > 988847926     ip 192.168.37.0/24                 94475    0 
> 101755360    0           INT
> > 988847926     ip 10.20.10.0/24                   0        
> 94444     0 101753470   INT
> > 
> > With each of those addresses being networks sending or 
> receiving data to
> > certain target networks of ours.
> > 
> > Any hints would be appreciated!
> > 
> > Scott
> > 
> > 
> 
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20010504/cf954731/attachment.html>

More information about the argus mailing list