Just plain confused (WAS RE: confused about racount)
Andrew Pollock
andrew-argus at andrew.net.au
Mon Jul 29 21:06:29 EDT 2002
Hi,
I think I'm just generally confused about how to use Argus, so I'll just ask
some basic questions instead of building on (possibly incorrect) assumptions.
I want to work out how much inbound traffic is being sent to my webserver. Just
a single IP address. Do I have to munge some ra (or other r tool) output myself,
or can I just get a straight total (this is what I thought racount was for)?
What I was doing was issuing:
racount -r /var/log/argus/argus.log* - dst mywebserver
But the two sets of total bytes had me confused.
If I just run an
ra -r /var/log/argus/argus.log* - dst mywebserver
the "count" part of the output still includes two byte counts, so it's just as
confusing.
I also wanted to do protocol breakdowns, so I could see how much inbound HTTP
traffic I'd received, SSH traffic etc etc.
I figured I'd just add a "dst port 22" to the pcap expression of the r tool that
I end up using.
Sorry for being a bit thick.
Andrew
On 29.07.2002 at 21:35:07, Carter Bullard <carter at qosient.com> wrote:
> Hey Andrew,
> racount() is more like a wc() program for argus data than
> anything else, so I don't think that it will do anything
> for you. Depending on the types of counting you're trying
> to do, either ramon() or ragator() should be the primary
> tools you look at.
>
> I would suggest that you try ramon() first, to
> give you counts on a per IP address basis, using the
> TopN mode, or on a matrix basis, using the Matrix mode.
> As an example, if you want to know the counts of packets
> and bytes sent to and received from a particular sub
> net:
>
> ramon -r argus.data -M TopN - net subnet
>
> If you're interested in all the server/client associations
> for DNS, in order to see what name servers are being
> used, and what clients are using them:
>
> ramon -r argus.data -M matrix udp and dst port 53
>
> ramon() can also give you stats based on service, using
> the Svc mode. This is simple dst port based counting,
> but it is very useful.
>
> When it's time to do more complex accounting, ragator()
> is the right tool, as it will allow you to aggregate
> records based on any set of flow descriptor criteria.
>
> If you can't find what you need, send mail to the list.
> Someone may already be doing it, or we all may want to
> figure out a good way to get it done.
>
>
> Carter
>
> Carter Bullard
> QoSient, LLC
> 300 E. 56th Street
> Suite 18K
> New York, New York 10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> > Andrew Pollock
> > Sent: Monday, July 29, 2002 2:37 AM
> > To: argus-info at lists.andrew.cmu.edu
> > Subject: confused about racount
> >
> >
> > Hi,
> >
> > I'm playing with racount, and I'm not terribly sure how to
> > interpret the output.
> >
> > I'm using syntax like:
> >
> > racount -f /var/log/argus/* -- dst myserver
> >
> > and
> >
> > racount -f /var/log/argus/* -- src myserver
> >
> > to determine how much traffic my server has received and
> > generated respectively.
> >
> > Either way, I get a src_bytes and a dst_bytes back. I'm just
> > wondering what the two values mean and how I should interpret them?
> >
> > Andrew
> >
> >
>
>
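As an added example that is not part of this thread or of the Argus distribution: the accounting behind the "two byte counts" Andrew asks about and the per-port breakdown he wants, worked in Python. The line layout and the sample flows are constructed for this example and are not ra's real output format; the example assumes the Argus convention that each record is a bidirectional flow whose src_bytes are bytes sent by the flow's source (initiator) and dst_bytes are bytes sent by its destination.

```python
from collections import defaultdict

# Constructed sample flow records (an assumption for this example, NOT ra's
# real output format). Each line is one bidirectional flow, as Argus records:
#   proto saddr sport daddr dport src_bytes dst_bytes
# src_bytes = bytes sent by saddr (the initiator), dst_bytes = bytes sent by daddr.
SAMPLE_RECORDS = """\
tcp 10.0.0.5 40001 192.0.2.10 80 1200 45000
tcp 10.0.0.7 40002 192.0.2.10 80 800 30000
tcp 10.0.0.9 50000 192.0.2.10 22 5000 9000
tcp 192.0.2.10 33000 198.51.100.3 25 7000 300
udp 10.0.0.5 5353 192.0.2.10 53 60 120
"""

def parse_records(text):
    """Parse the constructed line format into a list of flow dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, saddr, sport, daddr, dport, sb, db = line.split()
        records.append({"proto": proto, "saddr": saddr, "sport": int(sport),
                        "daddr": daddr, "dport": int(dport),
                        "src_bytes": int(sb), "dst_bytes": int(db)})
    return records

def host_totals(records, host):
    """Total bytes into and out of one host. Because each record carries both
    directions, a 'dst host' match contributes src_bytes to inbound and
    dst_bytes to outbound; a 'src host' match contributes the reverse."""
    inbound = outbound = 0
    for r in records:
        if r["daddr"] == host:
            inbound += r["src_bytes"]
            outbound += r["dst_bytes"]
        elif r["saddr"] == host:
            inbound += r["dst_bytes"]
            outbound += r["src_bytes"]
    return {"inbound": inbound, "outbound": outbound}

def inbound_by_service(records, host):
    """Inbound bytes to `host` per (proto, dst port) for flows it served,
    i.e. the per-service breakdown (HTTP on 80, SSH on 22, ...)."""
    totals = defaultdict(int)
    for r in records:
        if r["daddr"] == host:
            totals[(r["proto"], r["dport"])] += r["src_bytes"]
    return dict(totals)
```

Filtering only on "dst mywebserver" and summing one column misses the flows the server itself initiated (the SMTP flow in the sample), which is why both byte counts matter for a true inbound total.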