confused about racount

Carter Bullard carter at qosient.com
Mon Jul 29 07:31:48 EDT 2002


Hey Andrew,
   racount() is more like a wc() program for argus data than
anything else, so I don't think that it will do anything
for you.  Depending on the types of counting you're trying
to do, either ramon() or ragator() should be the primary
tools you look at.

I would suggest that you try ramon() first, to
give you counts on a per IP address basis, using the
TopN mode, or on a matrix basis, using the Matrix mode.
As an example, if you want to know the counts of packets
and bytes sent to and received from a particular subnet:

   ramon -r argus.data -M TopN - net subnet

If you're interested in all the server/client associations
for DNS, in order to see what name servers are being
used, and what clients are using them:

   ramon -r argus.data -M matrix udp and dst port 53

ramon() can also give you stats based on service, using
the Svc mode.  This is simple dst port based counting,
but it is very useful.

When it's time to do more complex accounting, ragator()
is the right tool, as it will allow you to aggregate
records based on any set of flow descriptor criteria.

If you can't find what you need, send mail to the list.
Someone may already be doing it, or we all may want to
figure out a good way to get it done.


Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street
Suite 18K
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Andrew Pollock
> Sent: Monday, July 29, 2002 2:37 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: confused about racount
> 
> 
> Hi,
> 
> I'm playing with racount, and I'm not terribly sure how to 
> interpret the output.
> 
> I'm using syntax like:
> 
> racount -f /var/log/argus/* -- dst myserver
> 
> and
> 
> racount -f /var/log/argus/* -- src myserver
> 
> to determine how much traffic my server has received and 
> generated respectively.
> 
> Either way, I get a src_bytes and a dst_bytes back. I'm just 
> wondering what the two values mean and how I should interpret them?
> 
> Andrew
> 
> 
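As an added illustration that is not part of this thread or of the argus tools themselves, the following Python sketch mimics the three ramon counting modes described above (TopN per address inside a subnet, matrix per client/server pair, Svc per destination port) over constructed flow records; the src_bytes/dst_bytes direction semantics and the prefix-match helper are assumptions made for the example.

```python
"""Added example, not argus code: ramon-style TopN, matrix and Svc counting."""
from collections import Counter, defaultdict

# Constructed records: (proto, src_addr, dst_addr, dst_port, src_bytes, dst_bytes).
# Assumption made here: src_bytes = bytes sent by the source (initiator)
# address, dst_bytes = bytes sent back by the destination address.
FLOWS = [
    ("udp", "10.0.1.5",  "10.0.0.53", 53, 80,  160),
    ("udp", "10.0.1.7",  "10.0.0.53", 53, 70,  150),
    ("udp", "10.0.1.5",  "8.8.8.8",   53, 75,  140),
    ("tcp", "10.0.1.5",  "10.0.2.10", 80, 500, 4000),
    ("tcp", "192.0.2.9", "10.0.2.10", 80, 300, 9000),
]

def in_net(addr, net):
    """Hypothetical prefix match standing in for 'net subnet', e.g. '10.0.1.'."""
    return addr.startswith(net)

def topn(flows, net, n=10):
    """TopN-style: per address inside `net`, (host, bytes sent, bytes received),
    ranked by total volume; a host's sent bytes are src_bytes when it is the
    flow source and dst_bytes when it is the flow destination."""
    sent, recv = Counter(), Counter()
    for _, src, dst, _, sb, db in flows:
        if in_net(src, net):
            sent[src] += sb
            recv[src] += db
        if in_net(dst, net):
            sent[dst] += db
            recv[dst] += sb
    hosts = sorted(set(sent) | set(recv), key=lambda h: -(sent[h] + recv[h]))
    return [(h, sent[h], recv[h]) for h in hosts[:n]]

def matrix(flows, proto=None, dst_port=None):
    """Matrix-style: (client, server) -> (flow count, total bytes), with an
    optional filter equivalent to 'udp and dst port 53'."""
    cells = defaultdict(lambda: [0, 0])
    for p, src, dst, dp, sb, db in flows:
        if (proto and p != proto) or (dst_port and dp != dst_port):
            continue
        cells[(src, dst)][0] += 1
        cells[(src, dst)][1] += sb + db
    return {k: tuple(v) for k, v in cells.items()}

def svc(flows):
    """Svc-style: total bytes keyed on destination port only."""
    per_port = Counter()
    for _, _, _, dp, sb, db in flows:
        per_port[dp] += sb + db
    return dict(per_port)
```

Against the constructed records, `matrix(FLOWS, proto="udp", dst_port=53)` yields one cell per resolver/client pair, which is the "what name servers are being used, and by whom" view the reply describes.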