racount and src/dst byte counts

Carter Bullard carter at qosient.com
Thu Sep 27 09:21:54 EDT 2001


Hey Desmond,
   You can do everything you want with argus data;
the dialog so far has been about your misinterpreting
the output of some of the tools.

   All ra* programs can handle multiple input files.
Be sure to use a single '-' to delimit the list.  If
you are capturing user data with argus, this type of
program:

   ragrep -e "GET" -r *.gz -w - | ramon -M TopN -N 20

works fine.

Carter

> -----Original Message-----
> From: Desmond Irvine [mailto:desmond.irvine at sheridanc.on.ca] 
> Sent: Thursday, September 27, 2001 8:52 AM
> To: carter at qosient.com
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: racount and src/dst byte counts
> 
> 
> I see how I can check for the source and destination host of the flow in
> a number of ways; what I was hoping was that I could get the bytes
> transferred and the direction all in one step from the racount command.
> I'm trying to check the bandwidth usage by our residence students, who
> have different upload and download bandwidth limits.  I guess since
> argus isn't monitoring packets, I can really only use it to look at
> total bytes consumed easily.  Argus isn't the proper tool if I want a
> src and dst byte count as I really want it on the packet level.  If
> someone were using FTP, for instance, they could ftp from an external
> host to a local one and either GET or PUT a file, but Argus would see
> either transaction as the same since the flow would be initiated from
> the external machine - right?
> 
> One other question: in order to run ramon against multiple argus files
> (each representing different time intervals) and get the top users for
> the entire period that all the files cover, do I need to first create one
> file that contains all the files' contents using ra/ragator (which would
> be better - ragator)?  Running ramon against all the files using a wild
> card seems to bring up the top ip's by looking at each individual file's
> top ip's and then determining which are the top results amongst all of
> those.  Thus an individual ip might show up multiple times where I
> really only want to see one entry which is the cumulative sum of
> activity for an ip over the entire time frame.
> 
> Sorry for such basic concept questions, but I'm really quite a neophyte
> with argus.
> 
> Thanks, Desmond.
> 
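The two points in this exchange (a flow record carries a byte count for each direction regardless of which side opened the connection, and a per-host total over several files should be one cumulative entry per host rather than a merge of per-file top lists) are easier to see on data. The script below is an added example, not code from the argus project or from either poster. It reads constructed listings with the columns saddr, daddr, sbytes, dbytes; that column layout is an assumption about what ra prints with its field-selection option, and the 10.0.0.0/8 residence network is a placeholder.

```python
"""Per-host upload/download accounting from argus-style flow listings.

Added example; not code from the argus project or this thread. Input is
a constructed whitespace-separated listing with columns
    saddr daddr sbytes dbytes
(an assumed layout; adjust to what your ra version actually prints).
"""
from collections import defaultdict
import ipaddress

# Placeholder for the residence network (assumption for this example).
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample listings standing in for two separate argus files.
FILE_A = """
# saddr        daddr         sbytes  dbytes
10.1.2.3       192.0.2.10    1200    48000
10.1.2.4       192.0.2.20    95000   3000
198.51.100.7   10.1.2.3      500     70000
203.0.113.5    203.0.113.6   100     100
"""
FILE_B = """
10.1.2.3       192.0.2.10    800     22000
10.1.2.5       192.0.2.30    400     9000
"""


def parse_flows(text):
    """Yield (saddr, daddr, sbytes, dbytes) tuples, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        saddr, daddr, sbytes, dbytes = line.split()
        yield saddr, daddr, int(sbytes), int(dbytes)


def account(listings, local_net=LOCAL_NET):
    """Sum bytes each local host sent ("up") and received ("down").

    The record has a byte count per direction, so the local host's
    upload is sbytes when it is the source and dbytes when it is the
    destination; which side initiated the flow does not matter.  Flows
    with no local endpoint, or with both endpoints local, are ignored.
    """
    totals = defaultdict(lambda: {"up": 0, "down": 0})
    for text in listings:
        for saddr, daddr, sbytes, dbytes in parse_flows(text):
            src_local = ipaddress.ip_address(saddr) in local_net
            dst_local = ipaddress.ip_address(daddr) in local_net
            if src_local == dst_local:
                continue
            if src_local:
                totals[saddr]["up"] += sbytes
                totals[saddr]["down"] += dbytes
            else:
                totals[daddr]["up"] += dbytes
                totals[daddr]["down"] += sbytes
    return dict(totals)


def top_n(totals, n, direction="up"):
    """Top n local hosts by the chosen direction: one cumulative entry per host."""
    ranked = sorted(totals.items(), key=lambda kv: kv[1][direction], reverse=True)
    return [(host, counts[direction]) for host, counts in ranked[:n]]


if __name__ == "__main__":
    totals = account([FILE_A, FILE_B])
    for host, sent in top_n(totals, 3, "up"):
        print(f"{host:15} up={sent:>8} down={totals[host]['down']:>8}")
```

Host 10.1.2.3 appears in both listings and once as the destination of an externally initiated flow; it still ends up as a single entry whose upload total includes the 70000 bytes it sent in that flow.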
