racount and src/dst byte counts
Desmond Irvine
desmond.irvine at sheridanc.on.ca
Wed Sep 26 14:39:58 EDT 2001
Doing what you suggested, I get a file with
these contents:
# ra -ncr ra.out
17 Sep 01 07:29:45 man version=2.0 probeid=3848370891 STA
25 Sep 01 13:59:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5633 11257 337980 12140166 EST
25 Sep 01 14:00:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5443 10805 326580 11677486 EST
25 Sep 01 14:01:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5678 11352 340680 12239504 EST
25 Sep 01 14:02:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5484 10966 329040 11823396 EST
25 Sep 01 14:03:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5528 11052 331680 11916104 EST
25 Sep 01 14:04:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 4999 9996 299940 10775688 EST
25 Sep 01 14:05:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5312 10617 318720 11446150 EST
25 Sep 01 14:06:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5053 10106 303180 10894268 EST
25 Sep 01 14:07:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5266 10525 315960 11346974 EST
25 Sep 01 14:08:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5274 10530 316440 11355436 EST
25 Sep 01 14:09:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5320 10609 319200 11445718 EST
25 Sep 01 14:10:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 4852 9702 291120 10460804 EST
25 Sep 01 14:11:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5369 10716 322140 11555944 EST
25 Sep 01 14:12:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5585 11170 335100 12041260 EST
25 Sep 01 14:13:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5752 11502 345120 12399156 EST
25 Sep 01 14:14:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 1282 2555 76928 2752462 FIN
Running racount on the two IPs I'm interested in
results in:
# racount -n -r ra.out - host 199.212.cc.dd
racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
sum 16 245290 81830 163460 181180324 4909808 176270516
# racount -n -r ra.out - host 142.55.aa.bb
racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
sum 16 245290 81830 163460 181180324 4909808 176270516
As you can see, they're both the same output. Shouldn't
racount for one of the hosts (199.212.cc.dd?) produce
this instead?
racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
sum 16 245290 163460 81830 181180324 1762705164 4909808
Carter Bullard wrote:
>
> Hey Desmond,
> So the record is saying that 199.212.cc.dd initiated the
> TCP connection, the "->" is saying that argus saw the SYN
> coming from 199.212.cc.dd and EST is saying that argus is
> sending a status record, the TCP is still open but here is
> an update on the progress of the connection. You should
> get one of these every 60 seconds by default, if the connection
> is still on going.
>
> 199.212.cc.dd is the client and 142.55.aa.bb is the server,
> and 6891 is the service port.
>
> Now none of this will indicate what the load will be.
> Does the service move data to the server or from the server?
> That's up to the protocol and the service that is running.
> From your mail, I don't know what the situation is with
> racount, as you didn't send its output. A way to test this
> situation and possibly clear up any confusion you may have
> is to filter out just the records that seem puzzling and
> write them to a temporary file. If this particular TCP
> connection is a concern, capture all the records that relate
> to this single TCP connection.
>
> ra -r file -w /tmp/ra.out tcp and src host 199.212.cc.dd \
> and dst host 142.55.aa.bb and src port 32862 and dst port 6891
>
> This should result in a file of records that all relate to
> the single TCP connection that spans a length of time.
>
> print out the contents to make sure it makes sense:
> ra -ncr /tmp/ra.out
>
> If you've got them all, you should see most have an 'EST' at
> the end and a 'FIN' or 'CLO' should be somewhere at the end,
> if you actually captured all the records.
>
> Take this file and run ragator on it:
> ragator -ncr /tmp/ra.out
>
> and compare ragator's output with racount's
> racount -r /tmp/ra.out
>
> They should be the same. Doing this may help you to
> see what is going on with the records.
> If you want labels for the columns, run ra and ragator with
> the "-L 0" option (print only one label at the beginning).
>
> I hope this helps!
> Carter
>
>
>
> > -----Original Message-----
> > From: Desmond Irvine [mailto:desmond.irvine at sheridanc.on.ca]
> > Sent: Wednesday, September 26, 2001 11:46 AM
> > To: carter at qosient.com
> > Cc: argus-info at lists.andrew.cmu.edu
> > Subject: Re: racount and src/dst byte counts
> >
> >
> > How does racount decide which side (src or dst) to add the bytes to?
> > The transaction I was looking at was from what I suspect is some sort
> > of peer to peer file sharing tool. ra listed a bunch of connections
> > of the form:
> >
> > 25 Sep 01 13:59:07 tcp 199.212.cc.dd.32862 ->
> > 142.55.aa.bb.6891 EST
> >
> > From this I would assume the flow was from the external
> > machine to the local machine, so I expected racount for the
> > local machine to show the larger amount of bytes on the dst
> > side and the external machine to show it on the src side.
> > Regardless of what racount considered src and dst, I expect
> > only one machine to be considered the dst; racount showing
> > both on the dst side doesn't seem to make sense to me.
> >
--
Desmond Irvine Security Analyst, Information Technology
Sheridan College Phone: 905-845-9430 x2035
1430 Trafalgar Road Fax: 905-815-4011
Oakville, ON L6H 2L1 EMail: desmond.irvine at sheridanc.on.ca
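An added example, not part of this thread or of the Argus tools: a small Python re-implementation of the racount sums over the sixteen TCP status records quoted above, next to a host-relative tally. It shows the point Carter's reply makes: "->" and the src/dst columns describe the flow's initiator (199.212.cc.dd) and responder (142.55.aa.bb), not the host named in the filter, so filtering on either address selects the same records and gives identical sums; counting bytes as sent or received by a chosen host is a separate re-orientation step that racount does not do. The column layout assumed is the one visible in the ra output above (src_pkts dst_pkts src_bytes dst_bytes).

```python
# Input: the 16 TCP status records from the ra output quoted in the mail above.
RA_OUT = """\
25 Sep 01 13:59:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5633 11257 337980 12140166 EST
25 Sep 01 14:00:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5443 10805 326580 11677486 EST
25 Sep 01 14:01:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5678 11352 340680 12239504 EST
25 Sep 01 14:02:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5484 10966 329040 11823396 EST
25 Sep 01 14:03:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5528 11052 331680 11916104 EST
25 Sep 01 14:04:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 4999 9996 299940 10775688 EST
25 Sep 01 14:05:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5312 10617 318720 11446150 EST
25 Sep 01 14:06:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5053 10106 303180 10894268 EST
25 Sep 01 14:07:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5266 10525 315960 11346974 EST
25 Sep 01 14:08:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5274 10530 316440 11355436 EST
25 Sep 01 14:09:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5320 10609 319200 11445718 EST
25 Sep 01 14:10:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 4852 9702 291120 10460804 EST
25 Sep 01 14:11:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5369 10716 322140 11555944 EST
25 Sep 01 14:12:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5585 11170 335100 12041260 EST
25 Sep 01 14:13:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 5752 11502 345120 12399156 EST
25 Sep 01 14:14:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 1282 2555 76928 2752462 FIN
"""

def parse(text):
    """Split ra's default columns; a 'man' management record has no counts and is skipped."""
    recs = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) != 13 or f[4] != "tcp":
            continue
        src, dst = f[5].rsplit(".", 1)[0], f[7].rsplit(".", 1)[0]  # strip the port
        recs.append((src, dst, int(f[8]), int(f[9]), int(f[10]), int(f[11])))
    return recs

def racount(recs, host):
    """racount-style sums over every record naming host on either side; src/dst = initiator/responder."""
    sel = [r for r in recs if host in r[:2]]
    sp, dp, sb, db = (sum(r[i] for r in sel) for i in range(2, 6))
    return dict(records=len(sel), total_pkts=sp + dp, src_pkts=sp, dst_pkts=dp,
                total_bytes=sb + db, src_bytes=sb, dst_bytes=db)

def host_view(recs, host):
    """(bytes sent, bytes received) by host, swapping the columns when host is the responder."""
    sent = recv = 0
    for src, dst, _, _, sb, db in recs:
        if src == host:
            sent, recv = sent + sb, recv + db
        elif dst == host:
            sent, recv = sent + db, recv + sb
    return sent, recv

if __name__ == "__main__":
    for h in ("199.212.cc.dd", "142.55.aa.bb"):
        print(h, racount(parse(RA_OUT), h), host_view(parse(RA_OUT), h))
```

Both racount calls reproduce the sums in the mail (16 records, 4909808 src bytes, 176270516 dst bytes); only host_view distinguishes which end actually received the 176 MB.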