Just plain confused (WAS RE: confused about racount)

Carter Bullard carter at qosient.com
Fri Aug 2 13:29:49 EDT 2002


Hey Andrew,
Use ramon to give you the data that you want.
If you want to see stats for all the services
(ie dst port based services):

   ramon -r file -M svc

If you want to see all the client server stats
for http traffic:

   ramon -r file -M matrix - dst port 80

or whatever port you are interested in.
if you want to know the in and out packets for
each client to a specific web server:

   ramon -r file -M topn - host server and port 80

ramon provides RMON style stats from argus data, and
it's a good introduction, since most people are expecting
RMON like data.  You will find that you move away from
these stats pretty quick, as there are much more
interesting information, like how many TCP connections
in the last hour, with initiator resets, how many .jpg
files were requested, that kind of thing.

For background info:

Argus data does generate a little confusion at first,
as it is a different way of looking at network traffic.
Argus is a flow monitor, so it reports statistics on
flows.  A flow is the collection of all packets between
two IP addrs, that share the same protocol values and
if the protocols are UDP or TCP, the same port values.
Argus does a little more than this, in that argus tries
to report on network transactions.  A TCP connection,
would be a single network transaction, as an example.
So would a DNS request, an NTP time request, a portmapper
query, etc.....

Network transactions are bi-directional.  You have
packets going from A -> B and from B -> A, and argus
reportes both sets of metrics in the same flow activity
record.  There are a huge number of reasons for this,
and the more you use the data, the more you'll use the
information that you can generate from having both sides
of the conversation in the same record.

As a result, a flow has a source and a destination,
but the source in this case is the initiator of the flow,
and the destination is the target or responder of the flow.
For TCP connection, the source of the connection is the
IP address that sent the SYN packet, since it initiated the
TCP connection.  For DNS requests, the source address in 
first packet observed is the source of the transaction, etc ...


Carter
   




More information about the argus mailing list