How Do I Filter The Data so just the totals for each ip are shown?
Carter Bullard
carter at qosient.com
Mon May 13 14:19:29 EDT 2002
Hey Andy,
Hmmmmmmmm, I just downloaded the argus-2.0.5.tar.gz, recompiled and
got this on my linux machine.
ramon TopN Report
Start_Time                Duration    Flgs Type SrcAddr        SrcPkt Dstpkt SrcBytes DstBytes State
02/05/13 10:07:10.324315  850.858246  I    ip   192.168.0.64     1443   1455   213083   705387 CON
02/05/13 10:06:59.618301  880.331126       ip   192.168.0.128     667    665    44184   290004 CON
02/05/13 10:06:59.618301  880.331126       ip   192.168.0.162     661    663   289576    43882 CON
02/05/13 10:15:40.511754   47.029232  d    ip   207.68.131.20     258    204   279545    32066 CON
02/05/13 10:14:51.638371  361.094790  d    ip   199.45.62.10      277    270   175751    32167 CON
So there must be something going on in your port. Ramon reads a hard
coded configuration file that is of the same format as a ragator()
configuration file. Checkout the definition of RaMonTopNFlowModelFile
to see if it looks like this:
char *RaMonTopNFlowModelFile [] = {
"Flow 100 * * * * * 200 3153600",
"Model 200 255.255.255.255 0.0.0.0 no no no",
NULL,
};
If it does, then I'm not sure what the problem is, but if you can
gdb through RaReadFlowModelFile() while it's reading this buffer,
you should be able to figure out what is going on.
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
> -----Original Message-----
> From: Andy [mailto:andy at quadrant.net]
> Sent: Monday, May 13, 2002 1:42 PM
> To: carter at qosient.com
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: RE: How Do I Filter The Data so just the totals for
> each ip are shown?
>
>
> No I don't think that I am. I compiled the latest from
>
> ftp://qosient.com/dev/argus-2.0/argus-2.0.5.tar.gz
>
> Made it and installed it again just a few seconds ago after applying
> the patches to get it to work on Mac OS X and still the same errors.
> I looked at the creation dates of these executables and they are all
> current.
>
> ramon -h
> Ramon Version 2.0.5
> usage: ramon -M mode [-N num]
> usage: ramon -M mode [-N num] [ra-options] [- filter-expression]
> options:    -M <mode>       specify the rmon function.
>                             possible <modes> are: TopN, Matrix
>             -N <number>     specify the top <number> of entries to print (all).
> ra-options: -a              print record summaries on termination.
>             -A              print application bytes.
>             -b              dump packet-matching code.
>             -c              print packet and byte counts.
>             -C              treat the remote source as a Cisco Netflow source.
>             -D <level>      specify debug level
>             -F <conffile>   read configuration from <conffile>.
>             -g              print record time duration.
>             -G              print both start and last time values.
>             -h              print help.
>             -I              print transaction state and option indicators.
>             -l              print last time values [default is start time].
>             -n              don't convert numbers to names.
>             -p <digits>     print fractional time with <digits> precision.
>             -P <portnum>    specify remote argus <portnum> (tcp/561).
>             -r <file>       read argus data <file>. '-' denotes stdin.
>             -S <host>       specify remote argus <host>.
>             -t <timerange>  specify <timerange> for reading records.
>                             format: timeSpecification[-timeSpecification]
>                             timeSpecification: [mm/dd[/yy].]hh[:mm[:ss]]
>                                                mm/dd[/yy]
>             -T <secs>       attach to remote server for T seconds.
>             -u              print time in Unix time format.
>             -w <file>       write output to <file>. '-' denotes stdout.
>
> andyscomputer:/var/log/argus% ramon -r argus.out -M topn
> ramon: RaCreatePolicyEntry: format error
> andyscomputer:/var/log/argus% ramon -r argus.out -M TopN
> ramon: RaCreatePolicyEntry: format error
>
>
> All of the other utilities are working fine and reading the data file
> perfectly.
>
> Andy
>
>
>
>
> > You're running old code.
> >
> > > -----Original Message-----
> > > From: owner-argus-info at lists.andrew.cmu.edu
> > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Andy
> > > Sent: Monday, May 13, 2002 1:12 PM
> > > To: argus-info at lists.andrew.cmu.edu
> > > Subject: RE: How Do I Filter The Data so just the totals for
> > > each ip are shown?
> > >
> > > I keep getting this error when trying to do the commands suggested:
> > >
> > > ramon -M topn -r argus.out -w -
> > > ramon: RaCreatePolicyEntry: format error
> > >
> > > ramon -M topn -r argus.out
> > > ramon: RaCreatePolicyEntry: format error
> > >
> > > What is happening?
> > >
> > > Does this have anything to do with function RaParseCIDRAddr() that
> > > is found in ragator.c, rahistogram.c and ramon.c that is not
> > > standardized?? I found a similar problem in your archives that was
> > > occurring on Solaris machines. I have attached a copy at the end of
> > > this email for reference.
> > >
> > > BTW the mode 'srv' is not supported.
> > >
> > > Andy
> > >
> > > --------------
> > >
> > > With argus 2.0.0 and 2.0.2.beta.1 on Solaris 8 Intel edition, I'm
> > > having problems with ramon.
> > >
> > > bin/ramon -M Matrix -r /local/argus/data
> > > ramon: RaCreatePolicyEntry: format error
> > >
> > > This is related to RaParseCIDRAddr() for the 255.255.255.255
> > > addresses. It is getting into argus_nametoaddr() which is returning 0.
> > > gethostbyname("255.255.255.255") on Linux and FreeBSD machines are
> > > generating a valid return structure, but Solaris doesn't.
> > >
> > > #0 RaParseCIDRAddr (str=0x804620f "255.255.255.255") at ./ramon.c:1681
> > > #1 0x8058d39 in RaParsePolicyEntry (str=0x8172198 "Model 200 255.255.255.255 255.255.255.255 no no no") at ./ramon.c:1751
> > > #2 0x8059282 in RaCreatePolicyEntry (str=0x8172198 "Model 200 255.255.255.255 255.255.255.255 no no no") at ./ramon.c:1914
> > > #3 0x805937f in RaReadFlowModelFile (model=0x80875e0) at ./ramon.c:1961
> > > #4 0x8055d13 in ArgusClientInit () at ./ramon.c:120
> > > #5 0x805af49 in main (argc=5, argv=0x8047648) at ./argus_parse.c:505
> > >
> > > Dropping the RaParseCIDRAddr() that is found in clients/ragator.c
> > > into clients/ramon.c gets through the RaCreatePolicyEntry() routine
> > > and generates output that seems reasonable.
> > > -----------
> > >
> >>
> >>
> > > Hey Michael,
> > > Thanks! Yes, I'll clean up the 2.0.2 stuff so that they are
> > > all using the same routines. The new argus-clients package has all
> > > of these routines standardized and consolidated in a single library.
> > >
> > > Could you try it out, to see if it's doing the right thing?
> > > ftp://qosient.com/dev/argus-2.0/argus-clients-2.0.1.alpha.4.tar.gz
> > >
> > > Carter
> > >
> > > ------------
> > >
> > > > Hey Andy,
> > > >    You don't need to filter argus traffic to do this,
> > > > you just need to use either ragator() or ramon(). From the new
> > > > distribution
> > > >    ftp://qosient.com/dev/argus-2.0/argus-2.0.5.tar.gz
> > > > try:
> > > >    ramon -M topn -r argusfile
> > > >    ramon -M srv -r argusfile
> > > >
> > > > This should give you some of what you want. Once you try these and
> > > > find out what's missing, send mail and we can see how to improve
> > > > ramon() to do what you want.
> > > >
> > > > Carter
> > > >
> > > > Carter Bullard
> > > > QoSient, LLC
> > > > 300 E. 56th Street, Suite 18K
> > > > New York, New York 10022
> > > >
> > > > carter at qosient.com
> > > > Phone +1 212 588-9133
> > > > Fax +1 212 588-9134
> > > > http://qosient.com
> > > >
> > > > > -----Original Message-----
> > > > > From: owner-argus-info at lists.andrew.cmu.edu
> > > > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Andy
> > > > > Sent: Monday, May 13, 2002 12:30 PM
> > > > > To: argus-info at lists.andrew.cmu.edu
> > > > > Subject: How Do I Filter The Data so just the totals for each ip
> > > > > are shown?
> > > > >
> > > > > I hope this question is appropriate here.
> > > > >
> > > > > I am new to argus and thus need some help with filtering. What I
> > > > > want to do is filter out the data from argus so that I can get each
> > > > > IP's total traffic at any given time. Here is an example of what I
> > > > > want.
> > > > >
> > > > > IpAddress    Protocol  IN Traffic (bytes)  OUT Traffic (bytes)
> > > > > 10.0.0.4     ICMP      4000                2300
> > > > > 207.192.2.4  TCP       1.2Gb               1Gb
> > > > > xx.xx.xx.xx  UDP       2Gb                 4Gb
> > > > > etc...
> > > > >
> > > > > So for each IP at time Y I would like a summary of the total amount
> > > > > of traffic in and out for each protocol supported by argus.
> > > > >
> > > > > Is there a simple way of doing this? Currently I am using trafd for
> > > > > this and parsing the data file, but this is really inefficient and
> > > > > thus I would like to be able to do this with argus instead.
> > > > >
> > > > > Thanks in advance,
> > > > > Andy
> > > > > --
> > > --
> --
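The Solaris failure in the quoted report above comes down to how the numeric address string is resolved: inet_addr() returns INADDR_NONE (0xffffffff) both on a parse error and as the encoding of 255.255.255.255, so a resolver that treats that value as failure misreports the all-ones address in the flow model, while inet_pton() returns its status separately from the parsed value. The C program below is an added example written for this page and is not ramon's or ragator's code; parse_cidr(), legacy_parse_addr() and the treatment of '*' as "any address" are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <inttypes.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical legacy-style parse, modelled on resolvers that funnel
 * numeric strings through inet_addr(): INADDR_NONE (0xffffffff) signals
 * an error, but it is also the encoding of 255.255.255.255, so the
 * all-ones address is indistinguishable from garbage.
 * Returns 1 on success, 0 on failure. */
int legacy_parse_addr(const char *str, uint32_t *addr)
{
    in_addr_t a = inet_addr(str);
    if (a == INADDR_NONE)
        return 0;
    *addr = ntohl(a);
    return 1;
}

/* Hypothetical robust parse of "a.b.c.d", "a.b.c.d/bits" or "*".
 * inet_pton() reports its status (1 = parsed) separately from the value,
 * so 255.255.255.255 and 255.255.255.255/32 succeed.
 * The '*' wildcard is treated here as 0.0.0.0/0 (any address); that is an
 * assumption about the flow-model format, not taken from ramon.
 * Returns 1 on success (host-order addr/mask filled in), 0 on error. */
int parse_cidr(const char *str, uint32_t *addr, uint32_t *mask)
{
    char buf[INET_ADDRSTRLEN + 4];      /* room for "255.255.255.255/32" */
    struct in_addr in;
    char *slash;
    long bits = 32;

    if (str == NULL || strlen(str) >= sizeof(buf))
        return 0;

    if (strcmp(str, "*") == 0) {
        *addr = 0;
        *mask = 0;
        return 1;
    }

    strcpy(buf, str);
    slash = strchr(buf, '/');
    if (slash != NULL) {
        char *end;
        *slash = '\0';
        bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
            return 0;               /* missing or out-of-range prefix length */
    }

    if (inet_pton(AF_INET, buf, &in) != 1)
        return 0;                   /* genuinely malformed dotted quad */

    *addr = ntohl(in.s_addr);
    *mask = (bits == 0) ? 0 : (uint32_t)(0xffffffffUL << (32 - bits));
    return 1;
}

/* Compare both parsers on constructed inputs, including the address and
 * mask values that appear in the Model line quoted in the message. */
int main(void)
{
    const char *samples[] = {
        "255.255.255.255", "0.0.0.0", "192.168.0.0/24", "*",
        "1.2.3.4/33", "not.an.address",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t a = 0, m = 0, la = 0;
        int ok = parse_cidr(samples[i], &a, &m);
        int lok = legacy_parse_addr(samples[i], &la);
        printf("%-16s robust: %s", samples[i], ok ? "ok " : "ERR");
        if (ok)
            printf(" addr=0x%08" PRIx32 " mask=0x%08" PRIx32, a, m);
        printf("   legacy: %s\n", lok ? "ok" : "ERR");
    }
    return 0;
}
```

Running it shows "255.255.255.255" accepted by parse_cidr() and rejected by legacy_parse_addr(), which is exactly the difference between a parser that checks a status code and one that overloads a sentinel value; the same separation of "did it parse" from "what did it parse to" is what makes the all-ones mask in the flow model usable.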