Just plain confused (WAS RE: confused about racount)
Russell Fulton
r.fulton at auckland.ac.nz
Mon Jul 29 23:04:32 EDT 2002
On Tue, 2002-07-30 at 13:06, Andrew Pollock wrote:
> Hi,
>
> I think I'm just generally confused about how to use Argus, so I'll just ask
> some basic questions instead of building on (possibly incorrect) assumptions.
>
> I want to work out how much inbound traffic is being sent to my webserver. Just
> a single IP address. Do I have to munge some ra (or other r tool) output myself,
> or can I just get a straight total (this is what I thought racount was for)?
>
> What I was doing was issuing:
>
> racount -r /var/log/argus/argus.log* - dst mywebserver
This selects *flows* where the destination address is your webserver.
Argus deals in whole (bidirectional) flows which have two directional
components so this is where the two counts come from. I think this is
where your confusion lies -- scr does not select traffic to your
webserver, it selects flows where the web server is the destination.
>
> But the two sets of total bytes had me confused.
total_bytes -- total bytes in both directions
src_bytes   -- bytes from the source. This is the one you want (urls etc)
dst_bytes   -- bytes from the destination (data from the server)
>
> If I just run an
>
> ra -r /var/log/argus/argus.log* - dst mywebserver
>
> the "count" part of the output still includes two byte counts, so it's just as
> confusing.
The meaning is the same.
>
> I also wanted to do protocol breakdowns, so I could see how much inbound HTTP
> traffic I'd received, SSH traffic etc etc.
>
> I figured I'd just add a "dst port 22" to the pcap expression of the r tool that
> I end up using.
Yep that will work.
Using ragator and ramon you can slice and dice the data many ways in one
go, which saves doing many passes with racount.
--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
'It aint necessarily so' - Gershwin
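The point of the reply above is that an Argus flow record carries two byte counts, and for a "dst mywebserver" filter the src_bytes column is the inbound traffic. The following is an added worked example, not code from the thread or from the Argus project: it sums inbound bytes for a host and breaks them down by destination port, in the spirit of racount/ragator, over a small set of constructed flow records. The record layout (saddr sport daddr dport sbytes dbytes) is a simplification assumed for the example and is not real ra output; the address 192.0.2.10 is a placeholder for "mywebserver". It also goes one step beyond the thread with inbound_any_direction, which adds dst_bytes from flows the webserver itself initiated, since a "dst" filter alone would miss those.

```python
from collections import defaultdict

# Constructed sample flow records (NOT real ra/racount output).
# Columns: saddr sport daddr dport sbytes dbytes
# sbytes = bytes sent by the flow source, dbytes = bytes sent by the destination.
SAMPLE_RECORDS = """\
203.0.113.5  40211 192.0.2.10 80  1200 54000
203.0.113.7  51022 192.0.2.10 80   800 32000
198.51.100.3 60123 192.0.2.10 22  4500  3100
192.0.2.10   34555 203.0.113.9 443 700 15000
203.0.113.5  40212 192.0.2.11 80   900 20000
"""

WEBSERVER = "192.0.2.10"  # placeholder for "mywebserver" (assumption)


def parse_records(text):
    """Parse the simplified record layout into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        saddr, sport, daddr, dport, sbytes, dbytes = line.split()
        flows.append({
            "saddr": saddr, "sport": int(sport),
            "daddr": daddr, "dport": int(dport),
            "sbytes": int(sbytes), "dbytes": int(dbytes),
        })
    return flows


def inbound_bytes(flows, host):
    """Equivalent of 'dst host' filtering: for flows whose destination is host,
    src_bytes is what the clients sent in (the inbound figure the thread asks
    for) and dst_bytes is what the server sent back. Returns (inbound, outbound)."""
    inbound = outbound = 0
    for f in flows:
        if f["daddr"] == host:
            inbound += f["sbytes"]
            outbound += f["dbytes"]
    return inbound, outbound


def inbound_by_dport(flows, host):
    """Protocol breakdown: inbound bytes per destination port (80 for HTTP,
    22 for SSH, ...) for flows destined to host. One pass replaces a separate
    'dst port N' run per service."""
    by_port = defaultdict(int)
    for f in flows:
        if f["daddr"] == host:
            by_port[f["dport"]] += f["sbytes"]
    return dict(by_port)


def inbound_any_direction(flows, host):
    """All bytes that arrived at host regardless of who opened the flow:
    src_bytes where host is the destination plus dst_bytes where host is the
    source. A plain 'dst host' filter would not count the second group."""
    total = 0
    for f in flows:
        if f["daddr"] == host:
            total += f["sbytes"]
        elif f["saddr"] == host:
            total += f["dbytes"]
    return total


if __name__ == "__main__":
    flows = parse_records(SAMPLE_RECORDS)
    print("inbound/outbound (dst filter):", inbound_bytes(flows, WEBSERVER))
    print("inbound by dst port:", inbound_by_dport(flows, WEBSERVER))
    print("inbound, any direction:", inbound_any_direction(flows, WEBSERVER))
```

On the constructed records the "dst" view gives 6500 bytes in and 89100 out, split as 2000 bytes to port 80 and 4500 to port 22; the server-initiated flow to 203.0.113.9 adds a further 15000 inbound bytes that only the any-direction count sees.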