racount and src/dst byte counts

Desmond Irvine desmond.irvine at sheridanc.on.ca
Thu Sep 27 10:31:00 EDT 2001


I'm not sure that I can accomplish what I need without a lot of
manipulation of the data and an understanding of the workings of each and
every application that is used.  I can see that ragrep would give me
what I want for FTP, but I want to be able to summarize all the daily
usage (incoming and outgoing) to the residence students' machines.  These
machines seem to be running every type of peer to peer file sharing
program that exists and other programs that I can't identify, so I'm not
exactly sure how at the end of the day I can say that ip address
aa.bb.cc.dd got x bytes and sent y bytes.  I would have to know if the
client was configured to push or pull to be able to evaluate how to
determine which side of the equation to add what argus labels as src and
dst bytes, wouldn't I?  In the FTP example I would have to look for a GET
or PUT to know if what was labelled as src and dst should be added to
the got or sent total for a particular ip, right?  If I do a ramon -M
TopN on all the files for one day and get a column of src and dst byte
counts, how can I interpret them without knowing more about the
individual flows that caused them?  Am I making things much more complex
than they are?

Throwing another question in: if ramon -M TopN returns a particular set
of src and dst packet and byte counts for a particular ip, shouldn't
racount - host <ip> return the same src and dst packet and byte counts,
or at least shouldn't they all arrive at the same total?

Desmond.

Carter Bullard wrote:
> 
> Hey Desmond,
>    You can do everything you want with argus data,
> the dialog so far has been with your misinterpreting
> the output of some of the tools.
> 
>    All ra* programs can handle multiple input files.
> Be sure and use a single '-' to delimit the list.  If
> you are capturing user data with argus this type of
> program:
> 
>    ragrep -e "GET" -r *.gz -w - | ramon -M TopN -N 20
> 
> works fine.
> 
> Carter
> 
> > -----Original Message-----
> > From: Desmond Irvine [mailto:desmond.irvine at sheridanc.on.ca]
> > Sent: Thursday, September 27, 2001 8:52 AM
> > To: carter at qosient.com
> > Cc: argus-info at lists.andrew.cmu.edu
> > Subject: Re: racount and src/dst byte counts
> >
> >
> > I see how I can check for the source and destination host of the flow in
> > a number of ways, what I was hoping was that I could get the bytes
> > transferred and the direction all in one step from the racount command.
> > I'm trying to check the bandwidth usage by our residence students who
> > have different upload and download bandwidth limits.  I guess since
> > argus isn't monitoring packets, I can really only use it to look at
> > total bytes consumed easily.  Argus isn't the proper tool if I want a
> > src and dst byte count as I really want it on the packet level.  If
> > someone were using FTP, for instance, they could ftp from an external
> > host to a local one and either GET or PUT a file, but Argus would see
> > either transaction as the same since the flow would be initiated from
> > the external machine - right?
> >
> > One other question, in order to run ramon against multiple argus files
> > (each representing different time intervals) and get the top users for
> > the entire period that all the files cover, do I need to first create one
> > file that contains all the files' contents using ra/ragator (which would
> > be better - ragator)?  Running ramon against all the files using a wild
> > card seems to bring up the top ip's by looking at each individual file's
> > top ip's and then determining which are the top results amongst all of
> > those.  Thus an individual ip might show up multiple times where I
> > really only want to see one entry which is the cumulative sum of
> > activity for an ip over the entire time frame.
> >
> > Sorry for such basic concept questions, but I'm really quite a neophyte
> > with argus.
> >
> > Thanks, Desmond.
> >

-- 
Desmond Irvine                Security Analyst, Information Technology
Sheridan College              Phone: 905-845-9430 x2035
1430 Trafalgar Road           Fax: 905-815-4011
Oakville, ON  L6H 2L1         EMail: desmond.irvine at sheridanc.on.ca
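As an added example, not part of this thread and not code from the argus project, the per-host "got x bytes / sent y bytes" accounting discussed above can be computed offline from flow records without any knowledge of the application (GET vs PUT, push vs pull). The only fact needed is what argus's counters mean: src bytes are what the flow's initiator transmitted and dst bytes are what the responder transmitted, so the bytes one end sent are exactly the bytes the other end received. For a residence host H, "sent" is therefore sbytes of flows where H is the source plus dbytes of flows where H is the destination, and "received" is the reverse. The script assumes a constructed four-column text input (saddr daddr sbytes dbytes), an assumed residence subnet of 10.20.0.0/16, and constructed sample records; the input format stands in for whatever an ra listing is reduced to and is not a real argus output format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (NOT real argus output).  One flow per
# line, whitespace-separated: saddr daddr sbytes dbytes.  sbytes is what the
# source (flow initiator) transmitted, dbytes what the destination replied.
SAMPLE_FLOWS = """\
# saddr          daddr          sbytes  dbytes
10.20.1.5        198.51.100.7   1200    850000
198.51.100.9     10.20.1.5      640000  2100
10.20.1.8        203.0.113.4    300000  4000
10.20.1.5        10.20.1.8      5000    5000
"""

# Assumed residence subnet; hosts outside it are not reported.
RESIDENCE_NET = ipaddress.ip_network("10.20.0.0/16")


def parse_flows(text):
    """Parse the four-column text into (saddr, daddr, sbytes, dbytes) tuples."""
    flows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        saddr, daddr, sbytes, dbytes = parts
        flows.append((ipaddress.ip_address(saddr), ipaddress.ip_address(daddr),
                      int(sbytes), int(dbytes)))
    return flows


def account_by_host(flows, net=RESIDENCE_NET):
    """Per-host sent/received totals.  net=None accounts every host seen.

    The direction of the flow (who initiated) does not matter: bytes the
    source transmitted were received by the destination and vice versa.
    """
    def in_scope(addr):
        return net is None or addr in net

    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for saddr, daddr, sbytes, dbytes in flows:
        if in_scope(saddr):
            totals[str(saddr)]["sent"] += sbytes
            totals[str(saddr)]["received"] += dbytes
        if in_scope(daddr):
            totals[str(daddr)]["sent"] += dbytes
            totals[str(daddr)]["received"] += sbytes
    return dict(totals)


def total_bytes(flows):
    """Grand total of bytes on the wire, the figure a whole-file count gives."""
    return sum(sbytes + dbytes for _, _, sbytes, dbytes in flows)


def top_n(totals, key, n):
    """Top-N hosts by 'sent' or 'received', highest first."""
    ranked = sorted(totals.items(), key=lambda kv: kv[1][key], reverse=True)
    return [(host, counts[key]) for host, counts in ranked[:n]]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    per_host = account_by_host(flows)
    for host, counts in sorted(per_host.items()):
        print(f"{host:16} sent {counts['sent']:>10}  received {counts['received']:>10}")
    # Consistency check in the spirit of the racount-vs-ramon question:
    # summed over every host, bytes sent == bytes received == total on the wire.
    everyone = account_by_host(flows, net=None)
    print("total on wire:", total_bytes(flows),
          "sum sent:", sum(v["sent"] for v in everyone.values()),
          "sum received:", sum(v["received"] for v in everyone.values()))
    print("top downloader:", top_n(per_host, "received", 1))
```

Because each flow's bytes are attributed once to the host that sent them and once to the host that received them, summing either column over every host reproduces the whole-file byte total, which is the invariant one would expect a per-IP top-N listing and a whole-file count to agree on when they are run over the same records.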


