[Q] to see the most service port number for the traffic amounts

Carter Bullard carter at qosient.com
Wed Mar 20 09:36:58 EST 2002


Hey SoYoung,
   ramon() is structured to do just two reports, topn and
matrix, which are the classic rmon stats that you get
from an RMON probe.  Adding new reports is very easy to
do.  I have a ramon.c that will do what you want, using
the "-M Svc" option.  It will be in the argus-2.0.5 release,
(I'll have it in the argus-2.0.5.beta.7.tar.gz that will
 be up next Tues.).

   The program for service oriented stats is rasrvstats(),
which is in the argus-clients distribution.  The 2.0.2.alpha
release that is on the server is quite ancient, and there has
been a lot of work on this in the last 6 months.  I'm going
to post a new distribution in a few weeks, so if these types
of stats are of interest, we should focus on rasrvstats().

Currently rasrvstats() generates output like this:
 
Service: pop3         tcp port 110  
   Server: 206.46.170.10        Trans           Mean (sec)
             192.168.0.64:          6     0.724172  +/- 0.328190
   Server: 216.92.197.167       Trans           Mean (sec)
             192.168.0.64:          6     0.889840  +/- 1.153155
 
Service: http         tcp port 80   
   Server: 205.188.165.121      Trans           Mean (sec)
             192.168.0.64:          2     0.137403  +/- 0.006264
   Server: 205.188.165.57       Trans           Mean (sec)
             192.168.0.64:          1     0.141605  +/- 0.000000
   Server: 64.12.184.25         Trans           Mean (sec)
             192.168.0.64:          2     0.145176  +/- 0.009961
   Server: 216.136.131.245      Trans           Mean (sec)
             192.168.0.64:          2     0.212082  +/- 0.014112
   Server: 152.163.226.153      Trans           Mean (sec)
             192.168.0.64:          2     0.066110  +/- 0.077384
 
Which is a Service/Server/Client sort of view.  The stats currently
reported are just transaction mean, but we can do anything that is
of interest: load, rate, bytes, pkts, jitter, loss, etc.

Are you interested in this type of data?


Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: soyoung at essue.co.kr [mailto:soyoung at essue.co.kr] 
> Sent: Wednesday, March 20, 2002 2:55 AM
> To: carter at qosient.com
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: [Q] to see the most service port number for the 
> traffic amounts
> 
> 
> Hi Carter, I have a question about using the ra* clients.
> 
> I want to rank the hosts and services (source port number) 
> according to their traffic amounts.
> 
> First, I used the following command to see the top 5 hosts 
> that have sent the most packets:
> 
> ramon -r result.arg -M TopN | rasort -N 5 -s bytes
> 
> It seems to present the appropriate result (as in the FAQ),
> but in the case of service port numbers, how do I use the argus 
> clients to find out the top N port numbers that have sent the 
> most traffic? (i.e. like the following results - the format 
> is arbitrary)
> 
> port num 80 (http) : 2000 bytes
> port num 25 (smtp) : 1500 bytes
> port num 23 (telnet) : 1000 bytes
> ....
> ....
> 
> I think the ramon and rasort commands with appropriate options 
> would give the results I want, but I'm not sure how to use them.
> 
> I'm looking for your help..
> 
> Regards,
> SoYoung
> 
> 
> 
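
The rasrvstats() report quoted in the reply above, parsed and rolled up per service, as an added Python example that is not part of the original message or the argus distribution. It ranks services by transaction count, since that is what this report carries rather than the byte counts asked about; the function names and the regular expressions are assumptions inferred from the sample layout only.

```python
import re
from collections import defaultdict

# Excerpt of the rasrvstats() output shown in the reply (http trimmed to 3 servers).
SAMPLE = """\
Service: pop3         tcp port 110
   Server: 206.46.170.10        Trans           Mean (sec)
             192.168.0.64:          6     0.724172  +/- 0.328190
   Server: 216.92.197.167       Trans           Mean (sec)
             192.168.0.64:          6     0.889840  +/- 1.153155

Service: http         tcp port 80
   Server: 205.188.165.121      Trans           Mean (sec)
             192.168.0.64:          2     0.137403  +/- 0.006264
   Server: 205.188.165.57       Trans           Mean (sec)
             192.168.0.64:          1     0.141605  +/- 0.000000
   Server: 64.12.184.25         Trans           Mean (sec)
             192.168.0.64:          2     0.145176  +/- 0.009961
"""

SERVICE_RE = re.compile(r"^Service:\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s*$")
SERVER_RE = re.compile(r"^\s+Server:\s+(\S+)\s+Trans\b")
CLIENT_RE = re.compile(r"^\s+(\S+):\s+(\d+)\s+([\d.]+)\s+\+/-\s+([\d.]+)\s*$")

def parse(text):
    """Yield (service, proto, port, server, client, trans, mean) per client line."""
    service = server = None
    for line in text.splitlines():
        if m := SERVICE_RE.match(line):
            service, server = (m[1], m[2], int(m[3])), None
        elif m := SERVER_RE.match(line):
            server = m[1]
        elif (m := CLIENT_RE.match(line)) and service and server:
            yield (*service, server, m[1], int(m[2]), float(m[3]))

def rank_services(text, top_n=None):
    """Return (service, proto, port, trans, mean_sec, n_servers), busiest first."""
    totals = defaultdict(lambda: [0, 0.0, set()])
    for name, proto, port, server, _client, trans, mean in parse(text):
        t = totals[(name, proto, port)]
        t[0] += trans           # total transactions for the service
        t[1] += trans * mean    # transaction-weighted sum gives the pooled mean
        t[2].add(server)
    rows = [(*k, n, s / n if n else 0.0, len(srv)) for k, (n, s, srv) in totals.items()]
    rows.sort(key=lambda r: (-r[3], r[2]))  # most transactions first, then port
    return rows[:top_n]

if __name__ == "__main__":
    for name, proto, port, trans, mean, servers in rank_services(SAMPLE):
        print(f"port {port} ({name}/{proto}): {trans} trans, mean {mean:.6f}s, {servers} servers")
```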