racount and src/dst byte counts

Carter Bullard carter at qosient.com
Thu Sep 27 12:38:59 EDT 2001


Hey Desmond,
   You're making it much too complicated.  You can
easily do what you've mentioned with argus and its
simple tools.  I gave you a pretty complicated ragrep
example to give you some ideas of what you can do,
like read multiple compressed files, and pipe its
output to other ra* programs, not to limit your
thinking in any way.

   Because ramon() is specifically designed to supply
you with the basic in and out packet counts that you
are looking for, I would recommend that you work
with ramon() for a while.

   When you filter for specific hosts or exclude a
service or ethernet address, you may not get the
counts you expect.  But if you are concerned
about the accuracy, there are a number of things
you can do to test the numbers you get.

   Like all ra* programs, ramon can write its output
as argus records, so you can pipe the output to
programs like racount().

   ramon -w - -r file - host x.y.z.w | racount

and you can compare the output to the original
file with the same filter applied.

   racount -r file - host x.y.z.w

the total_pkts and total_bytes that you get from ramon
data should be 2x the numbers that you get from racount
alone.  This is because ramon is counting in and out
metrics for each IP address, so you'll be counting
the same packet twice.  The src and dst counts will
not be the same, as the semantics of what is the src
and what is the dst are changed.  But the totals will
be accurate.

With ramon, src_pkts are out_packets or transmitted
packets, dst_pkts are in_packets or the received
packets.  Same holds true for bytes.

The newest version of the argus-client package has
better labels for these fields.  This should be out
in a few weeks.   

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com
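To make the 2x relationship and the src/dst relabelling above concrete, here is an added example (not argus code and not from either poster) that models ra-style flow records with constructed values and computes racount-style sums next to ramon-style per-IP transmitted/received counts; the record layout and the host filter are assumptions for illustration.

```python
from collections import defaultdict, namedtuple

# One bidirectional flow as ra-style tools print it; this layout is an assumption
# for the example, not argus's actual record format.
Flow = namedtuple("Flow", "saddr daddr spkts dpkts sbytes dbytes")

# Constructed sample records; 10.0.0.5 stands in for one residence host.
FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 100, 900, 8_000, 1_200_000),   # host-initiated download
    Flow("198.51.100.7", "10.0.0.5", 50, 40, 4_000, 60_000),      # initiated by the remote side
    Flow("10.0.0.5", "203.0.113.3", 700, 60, 900_000, 5_000),     # host-initiated upload
    Flow("10.0.0.9", "192.0.2.10", 10, 10, 1_000, 1_000),         # another host, filtered out
]

KEYS = ("src_pkts", "dst_pkts", "src_bytes", "dst_bytes")

def host_filter(host):
    """Stand-in for the '- host x.y.z.w' filter: the flow touches the host on either side."""
    return lambda f: host in (f.saddr, f.daddr)

def totals(rows):
    """Sum the src/dst columns over rows and derive total_pkts/total_bytes, racount-style."""
    t = {k: sum(r[k] for r in rows) for k in KEYS}
    t["total_pkts"] = t["src_pkts"] + t["dst_pkts"]
    t["total_bytes"] = t["src_bytes"] + t["dst_bytes"]
    return t

def racount(flows, pred=lambda f: True):
    """racount-style sums: src/dst taken exactly as the flow record labels them."""
    return totals([{"src_pkts": f.spkts, "dst_pkts": f.dpkts,
                    "src_bytes": f.sbytes, "dst_bytes": f.dbytes}
                   for f in flows if pred(f)])

def ramon(flows, pred=lambda f: True):
    """ramon-style per-IP table: for each address, src_* = what it transmitted and
    dst_* = what it received, whichever side initiated the flow. Every flow is
    credited to both endpoints, so each packet lands in two rows."""
    acc = defaultdict(lambda: dict.fromkeys(KEYS, 0))
    for f in filter(pred, flows):
        for addr, tx, rx in ((f.saddr, (f.spkts, f.sbytes), (f.dpkts, f.dbytes)),
                             (f.daddr, (f.dpkts, f.dbytes), (f.spkts, f.sbytes))):
            row = acc[addr]
            row["src_pkts"] += tx[0]; row["src_bytes"] += tx[1]
            row["dst_pkts"] += rx[0]; row["dst_bytes"] += rx[1]
    return dict(acc)
```

`totals(ramon(FLOWS, host_filter("10.0.0.5")).values())` plays the role of `ramon -w - ... | racount`, and comes out at exactly twice `racount(FLOWS, host_filter("10.0.0.5"))`, while the host's own ramon row gives its sent and received bytes directly regardless of who opened each flow.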

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Desmond Irvine
> Sent: Thursday, September 27, 2001 10:31 AM
> To: carter at qosient.com
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: racount and src/dst byte counts
> 
> 
> I'm not sure that I can accomplish what I need without a lot of
> manipulation of the data and an understanding of the workings of each and
> every application that is used.  I can see that ragrep would give me
> what I want for FTP, but I want to be able to summarize all the daily
> usage (incoming and outgoing) to the residence students' machines.  These
> machines seem to be running every type of peer to peer file sharing
> program that exists and other programs that I can't identify, so I'm not
> exactly sure how, at the end of the day, I can say that ip address
> aa.bb.cc.dd got x bytes and sent y bytes.  I would have to know if the
> client was configured to push or pull to be able to evaluate how to
> determine which side of the equation to add what argus labels as src and
> dst bytes, wouldn't I?  In the FTP example I would have to look for a GET
> or PUT to know if what was labelled as src and dst should be added to
> the got or sent total for a particular ip, right?  If I do a ramon -M
> TopN on all the files for one day and get a column of src and dst byte
> counts, how can I interpret them without knowing more about the
> individual flows that caused them?  Am I making things much more complex
> than they are?
> 
> Throwing another question in: if ramon -M TopN returns a particular set
> of src and dst packet and byte counts for a particular ip, shouldn't
> racount - host <ip> return the same src and dst packet and byte counts,
> or at least shouldn't they all arrive at the same total?
> 
> Desmond.
> 
> Carter Bullard wrote:
> > 
> > Hey Desmond,
> >    You can do everything you want with argus data,
> > the dialog so far has been with your misinterpreting
> > the output of some of the tools.
> > 
> >    All ra* programs can handle multiple input files.
> > Be sure and use a single '-' to delimit the list.  If
> > you are capturing user data with argus this type of
> > program:
> > 
> >    ragrep -e "GET" -r *.gz -w - | ramon -M TopN -N 20
> > 
> > works fine.
> > 
> > Carter
> > 
> > > -----Original Message-----
> > > From: Desmond Irvine [mailto:desmond.irvine at sheridanc.on.ca]
> > > Sent: Thursday, September 27, 2001 8:52 AM
> > > To: carter at qosient.com
> > > Cc: argus-info at lists.andrew.cmu.edu
> > > Subject: Re: racount and src/dst byte counts
> > >
> > >
> > > I see how I can check for the source and destination host of the flow in
> > > a number of ways; what I was hoping was that I could get the bytes
> > > transferred and the direction all in one step from the racount command.
> > > I'm trying to check the bandwidth usage by our residence students who
> > > have different upload and download bandwidth limits.  I guess since
> > > argus isn't monitoring packets, I can really only use it to look at
> > > total bytes consumed easily.  Argus isn't the proper tool if I want a
> > > src and dst byte count as I really want it on the packet level.  If
> > > someone were using FTP, for instance, they could ftp from an external
> > > host to a local one and either GET or PUT a file, but Argus would see
> > > either transaction as the same since the flow would be initiated from
> > > the external machine - right?
> > >
> > > One other question: in order to run ramon against multiple argus files
> > > (each representing different time intervals) and get the top users for
> > > the entire period that all the files cover, do I need to first create one
> > > file that contains all the files' contents using ra/ragator (which would
> > > be better - ragator)?  Running ramon against all the files using a wild
> > > card seems to bring up the top ip's by looking at each individual file's
> > > top ip's and then determining which are the top results amongst all of
> > > those.  Thus an individual ip might show up multiple times where I
> > > really only want to see one entry which is the cumulative sum of
> > > activity for an ip over the entire time frame.
> > >
> > > Sorry for such basic concept questions, but I'm really quite a neophyte
> > > with argus.
> > >
> > > Thanks, Desmond.
> > >
> 
> -- 
> Desmond Irvine                Security Analyst, Information Technology
> Sheridan College              Phone: 905-845-9430 x2035
> 1430 Trafalgar Road           Fax: 905-815-4011
> Oakville, ON  L6H 2L1         EMail: desmond.irvine at sheridanc.on.ca
> 