Argus for IP accounting (and with dynamic IP addresses)
Peter Van Epp
vanepp at sfu.ca
Sun Jul 28 22:32:09 EDT 2002
I don't know about "better" but there are certainly other ways to do
it :-). One of the things my argus sensor does is provide traffic totals by
IP address (from a perl script which eats ra output) on a monthly basis for
usage charging. On a daily basis it presents the traffic totals (also by
IP address, although network would be a trivial change) sorted in reverse
numeric order by traffic. That tends to catch things like people running
one of the file sharing programs and/or that have been compromised and are
being used as a warez site (and of course with that, the previous logs will
usually indicate what the compromise was). It's more than possible the new
clients (such as racount) will do this better. I haven't managed to find time
to poke that far ...
For dynamic addresses you are going to have to find something out of
band (such as the DHCP requests) to correlate the IP with a specific machine
when it changes. I expect perl is going to be easier here than one of the
r clients though. When I need to do this (on our wireless network for instance)
I manually scan the DHCP logs for the IP address to associate it with a
user name. If the volume gets up I'd need to automate that by setting a perl
script to eat the DHCP log and spit out start/stop time, IP address and
account quads to the perl script processing the argus log.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
> I'm evaluating Argus for use at my work for tracking data delivered to various
> network segments.
> I figure I just set it up collecting and then use the racount utility with a
> pcap filter that specifies the destination network and a timeframe? Is there a
> better way to do it? I'm finding the output from ra somewhat overwhelming, so
> I'm not sure if I'm on the right track or not.
> I'm running it at home at the moment to track usage on my ADSL connection, which
> has a dynamic IP address. I'm just wondering how you keep track of things when
> the "local" IP address varies?
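The two tasks Peter describes above (a script that eats ra output and prints per-IP byte totals in reverse numeric order, and a second pass that feeds DHCP start/stop/IP/account quads into the same processing to name the user behind a dynamic address) are shown here as one added example. It is not Peter's perl script and not part of the argus distribution; it is written in Python rather than perl so the logic is easy to check. The ra column layout it parses (stime, proto, saddr, dir, daddr, sbytes, dbytes, as one might get from `ra -s` with those fields) is an assumption about the sensor's configuration, and every flow and lease record in it is constructed sample data.

```python
"""Per-IP traffic totals from argus 'ra' output, with DHCP lease
correlation for dynamic addresses.

Added example, not the poster's perl script. The ra column layout
assumed here is a whitespace-separated dump of the fields
    stime proto saddr dir daddr sbytes dbytes
with stime in ISO 8601 form; adjust parse_ra() to match the real
sensor's ra output. All records below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed ra output (assumed layout, see module docstring).
RA_SAMPLE = """\
2002-07-28T10:00:01 tcp 192.168.1.20 -> 10.0.0.5 1500 52000
2002-07-28T10:05:11 tcp 192.168.1.21 -> 10.0.0.9 800 2400
2002-07-28T11:30:00 tcp 10.0.0.7 -> 192.168.1.20 320000 64000
2002-07-28T13:00:00 udp 192.168.1.22 <-> 10.0.0.5 100 100
2002-07-28T14:00:00 tcp 192.168.1.21 -> 10.0.0.9 40000 900
"""

# Constructed DHCP lease quads: (start, stop, ip, account), the shape a
# DHCP-log scraper would hand to the traffic script.
LEASES = [
    ("2002-07-28T09:00:00", "2002-07-28T12:00:00", "192.168.1.20", "alice"),
    ("2002-07-28T12:00:00", "2002-07-28T18:00:00", "192.168.1.20", "bob"),
    ("2002-07-28T09:00:00", "2002-07-28T18:00:00", "192.168.1.21", "carol"),
]

# Assumed "local" network whose hosts are being charged/watched.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


def parse_ra(text):
    """Parse assumed ra dump lines into flow dicts; skip header/junk lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # blank line, column header, or a layout we don't know
        stime, proto, saddr, _direction, daddr, sbytes, dbytes = parts
        try:
            flows.append({
                "stime": datetime.fromisoformat(stime),
                "proto": proto,
                "saddr": ipaddress.ip_address(saddr),
                "daddr": ipaddress.ip_address(daddr),
                "bytes": int(sbytes) + int(dbytes),  # both directions
            })
        except ValueError:
            continue  # unparsable field, e.g. a repeated header row
    return flows


def totals_by_ip(flows, local_net=LOCAL_NET):
    """Total bytes credited to each local IP, largest first.

    A flow between two local hosts is credited to both of them."""
    totals = defaultdict(int)
    for f in flows:
        for addr in (f["saddr"], f["daddr"]):
            if addr in local_net:
                totals[str(addr)] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def load_leases(quads):
    """Turn (start, stop, ip, account) string quads into lease records."""
    return [
        (datetime.fromisoformat(start), datetime.fromisoformat(stop), ip, acct)
        for start, stop, ip, acct in quads
    ]


def account_for(ip, when, leases):
    """Account holding `ip` at time `when` (start <= when < stop), else None."""
    for start, stop, lease_ip, account in leases:
        if lease_ip == ip and start <= when < stop:
            return account
    return None


def totals_by_account(flows, leases, local_net=LOCAL_NET):
    """Like totals_by_ip, but resolve each local IP through the lease in
    force at the flow's start time. Flows with no matching lease are kept
    under an 'unknown:<ip>' key rather than silently dropped."""
    totals = defaultdict(int)
    for f in flows:
        for addr in (f["saddr"], f["daddr"]):
            if addr not in local_net:
                continue
            who = account_for(str(addr), f["stime"], leases) or f"unknown:{addr}"
            totals[who] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    flows = parse_ra(RA_SAMPLE)
    print("Bytes by local IP:")
    for ip, nbytes in totals_by_ip(flows):
        print(f"{nbytes:>12} {ip}")
    print("Bytes by account (DHCP correlated):")
    for who, nbytes in totals_by_account(flows, load_leases(LEASES)):
        print(f"{nbytes:>12} {who}")
```

Flows whose local address has no lease covering the flow's start time surface as `unknown:<ip>` at the bottom of the report instead of vanishing, which is the case worth looking at by hand: either the DHCP log is incomplete or a host is using an address it was never leased.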