Just plain confused (WAS RE: confused about racount)

Peter Van Epp vanepp at sfu.ca
Mon Jul 29 22:58:26 EDT 2002


	Well as I said I can give you an example of "munged" output and we 
will see if Carter says it can be done by ragator for instance. This comes
out of processing 24 hours of argus records (1.8.1 rather than 2.0.5 in this
particular case although most of an equivalent for 2.0.5 exists as well) and 
sorting them by reverse total traffic. This happens to be the campus web server 
(edited):


142.58.200.82   total traffic: 5,949,153,516
          141.210.171.55    142.58.200.82    500           5,152               0

           142.58.200.82   193.251.158.89   6004             838             390
...
                                              22              48               0

                                              25           3,508             510

                                             443          83,084         674,639

                                              80     234,696,927   5,707,451,008

                                            icmp       1,133,632         370,688

	The top line is total traffic both ways (but could be broken out source
dest as easily). After that traffic to non common ports is displayed by
src / dst ip and dst port. Known service ports are aggregated (there are many
thousand IPs behind the port 80 numbers for instance). As you see the bulk of 
the traffic here is web out. I think this is the display you are interested in. 
I suspect something similar could be created by ragator with a suitable 
incantation (but I had this perl script before ragator existed :-)).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
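As an added illustration of the kind of per-host report described above (this is not Peter's perl script, nor ragator or ramon output, but a small example written for this thread): it assumes the argus records have already been exported to CSV with the columns src_addr, dst_addr, proto, dport, src_bytes, dst_bytes, uses a constructed sample in place of real traffic, and treats a small assumed set of ports as "known services". It also makes explicit the point behind the two byte counts in the quoted question: in an Argus flow record src_bytes are the bytes the flow's source sent toward the destination and dst_bytes the bytes sent back, so the total into a host is src_bytes of flows where it is the dst plus dst_bytes of flows where it is the src.

```python
import csv
from collections import defaultdict
from io import StringIO

# Ports folded into a single line per service instead of one line per peer.
# Assumed set: the page does not list which ports the original script treats as "known".
SERVICE_PORTS = {22, 25, 53, 80, 443}

# Constructed sample flows (not real traffic) in the column order of a ra-style
# export. src_bytes are bytes the flow's source sent toward its destination and
# dst_bytes the bytes sent back, which is why a filter such as "dst myserver"
# still yields two byte counts per record.
SAMPLE = """\
src_addr,dst_addr,proto,dport,src_bytes,dst_bytes
192.0.2.10,198.51.100.5,tcp,80,1200,48000
192.0.2.11,198.51.100.5,tcp,80,900,12000
198.51.100.5,192.0.2.20,tcp,25,3508,510
192.0.2.12,198.51.100.5,tcp,6004,838,390
203.0.113.7,198.51.100.5,tcp,500,5152,0
192.0.2.13,198.51.100.5,icmp,0,64,64
192.0.2.14,192.0.2.15,tcp,80,500,500
"""


def parse_flows(text):
    """Read the CSV export into dicts with integer port and byte fields."""
    flows = []
    for row in csv.DictReader(StringIO(text)):
        for key in ("dport", "src_bytes", "dst_bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def top_hosts(flows, n):
    """Rank hosts by total traffic both ways, the order the quoted report is sorted in."""
    totals = defaultdict(int)
    for f in flows:
        both = f["src_bytes"] + f["dst_bytes"]
        totals[f["src_addr"]] += both
        totals[f["dst_addr"]] += both
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def host_report(flows, host):
    """Summarise one host: bytes into and out of it, one line per known
    service (and for icmp), and one line per src/dst/dport for other ports."""
    inbound = outbound = 0
    services = defaultdict(lambda: [0, 0])  # (proto, dport) -> [into host, out of host]
    peers = defaultdict(lambda: [0, 0])     # (src, dst, dport) -> [src->dst, dst->src]
    for f in flows:
        if f["dst_addr"] == host:
            to_host, from_host = f["src_bytes"], f["dst_bytes"]
        elif f["src_addr"] == host:
            to_host, from_host = f["dst_bytes"], f["src_bytes"]
        else:
            continue  # flow does not involve this host
        inbound += to_host
        outbound += from_host
        if f["proto"] == "icmp":
            key = ("icmp", None)
        elif f["dport"] in SERVICE_PORTS:
            key = (f["proto"], f["dport"])
        else:
            # uncommon port: keep the src/dst orientation, as the quoted report does
            entry = peers[(f["src_addr"], f["dst_addr"], f["dport"])]
            entry[0] += f["src_bytes"]
            entry[1] += f["dst_bytes"]
            continue
        services[key][0] += to_host
        services[key][1] += from_host
    return {"host": host, "inbound": inbound, "outbound": outbound,
            "total": inbound + outbound,
            "services": dict(services), "peers": dict(peers)}


def format_report(report):
    """Render in the spirit of the quoted report: total line, peer lines, service lines."""
    lines = [f"{report['host']}   total traffic: {report['total']:,}  "
             f"(in {report['inbound']:,}, out {report['outbound']:,})"]
    for (src, dst, port), (sb, db) in sorted(report["peers"].items()):
        lines.append(f"  {src:>16} {dst:>16} {port:>6} {sb:>14,} {db:>14,}")
    # services ordered by total so the busiest (e.g. port 80) comes last
    for (proto, port), (i, o) in sorted(report["services"].items(), key=lambda kv: sum(kv[1])):
        label = proto if port is None else str(port)
        lines.append(f"  {'':>16} {'':>16} {label:>6} {i:>14,} {o:>14,}")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for host, total in top_hosts(flows, 3):
        print(f"{host:>16} {total:>14,}")
    print(format_report(host_report(flows, "198.51.100.5")))
```

Running it prints the three busiest hosts and then the report for 198.51.100.5, with the two uncommon-port flows listed per peer and the port 80, port 25 and icmp traffic folded into one line each. Getting the same per-host input from real data would need an ra export of the fields above (or a ragator/ramon run, as the quoted replies suggest) rather than this constructed sample.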


> 
> Hi,
> 
> I think I'm just generally confused about how to use Argus, so I'll just ask
> some basic questions instead of building on (possibly incorrect) assumptions.
> 
> I want to work out how much inbound traffic is being sent to my webserver. Just
> a single IP address. Do I have to munge some ra (or other r tool) output myself,
> or can I just get a straight total (this is what I thought racount was for)?
> 
> What I was doing was issuing:
> 
> racount -r /var/log/argus/argus.log* - dst mywebserver
> 
> But the two sets of total bytes had me confused.
> 
> If I just run an
> 
> ra -r /var/log/argus/argus.log* - dst mywebserver
> 
> the "count" part of the output still includes two byte counts, so it's just as
> confusing.
> 
> I also wanted to do protocol breakdowns, so I could see how much inbound HTTP
> traffic I'd received, SSH traffic etc etc.
> 
> I figured I'd just add a "dst port 22" to the pcap expression of the r tool that
> I end up using.
> 
> Sorry for being a bit thick.
> 
> Andrew
> 
> On 29.07.2002 at 21:35:07, Carter Bullard <carter at qosient.com> wrote:
> 
> > Hey Andrew,
> >    racount() is more like a wc() program for argus data than
> > anything else, so I don't think that it will do anything
> > for you.  Depending on the types of counting you're trying
> > to do, either ramon() or ragator() should be the primary
> > tools you look at.
> > 
> > I would suggest that you try ramon() first, to
> > give you counts on a per IP address basis, using the
> > TopN mode, or on a matrix basis, using the Matrix mode.
> > As an example, if you want to know the counts of packets
> > and bytes sent to and received from a particular sub
> > net:
> > 
> >    ramon -r argus.data -M TopN - net subnet
> > 
> > If you're interested in all the server/client associations
> > for DNS, in order to see what name servers are being
> > used, and what clients are using them:
> > 
> >    ramon -r argus.data -M matrix udp and dst port 53
> > 
> > ramon() can also give you stats based on service, using
> > the Svc mode.  This is simple dst port based counting,
> > but it is very useful.
> > 
> > When its time to do more complex accounting, ragator()
> > is the right tool, as it will allow you to aggregate
> > records based on any set of flow descriptor criteria.
> > 
> > If you can't find what you need, send mail to the list.
> > Someone may already be doing it, or we all may want to
> > figure out a good way to get it done.
> > 
> > 
> > Carter
> > 
> > Carter Bullard
> > QoSient, LLC
> > 300 E. 56th Street
> > Suite 18K
> > New York, New York 10022
> > 
> > +1 212 588-9133 Phone
> > +1 212 588-9134 Fax
> > 
> > > -----Original Message-----
> > > From: owner-argus-info at lists.andrew.cmu.edu 
> > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> > > Andrew Pollock
> > > Sent: Monday, July 29, 2002 2:37 AM
> > > To: argus-info at lists.andrew.cmu.edu
> > > Subject: confused about racount
> > > 
> > > 
> > > Hi,
> > > 
> > > I'm playing with racount, and I'm not terribly sure how to 
> > > interpret the output.
> > > 
> > > I'm using syntax like:
> > > 
> > > racount -f /var/log/argus/* -- dst myserver
> > > 
> > > and
> > > 
> > > racount -f /var/log/argus/* -- src myserver
> > > 
> > > to determine how much traffic my server has received and 
> > > generated respectively.
> > > 
> > > Either way, I get a src_bytes and a dst_bytes back. I'm just 
> > > wondering what the two values mean and how I should interpret them?
> > > 
> > > Andrew
> > > 
> > > 
> > 
> > 
> 