How Do I Filter The Data so just the totals for each ip are shown?
Andy
andy at quadrant.net
Mon May 13 16:04:23 EDT 2002
Hi Peter,
The structure is identical to what Carter has described below for the
RaMonTopNFlowModelFile structure.
Before I start messing with gdb have you ever tried 'ramon' on your
Mac OS X client machine? I know that it works on Linux but this is
not really that good of a test for Mac OS X architecture.
I just tried recompiling on one of my OS X client machines and
received this same error again:
ramon -M topn -r argus.out
ramon: RaCreatePolicyEntry: format error
If it works on your machine then maybe you have something configured
differently, so please tell. Other than that I will be using gdb
(which I am not very familiar with).
Thank you everyone for your help.
Andy
>Hey Andy,
> Hmmmmmmmm, I just downloaded the argus-2.0.5.tar.gz, recompiled and
>got this on my linux machine.
>
>ramon TopN Report
> Start_Time              Duration   Flgs Type SrcAddr       SrcPkt Dstpkt SrcBytes DstBytes State
>02/05/13 10:07:10.324315 850.858246 I    ip   192.168.0.64    1443   1455   213083   705387 CON
>02/05/13 10:06:59.618301 880.331126      ip   192.168.0.128    667    665    44184   290004 CON
>02/05/13 10:06:59.618301 880.331126      ip   192.168.0.162    661    663   289576    43882 CON
>02/05/13 10:15:40.511754  47.029232 d    ip   207.68.131.20    258    204   279545    32066 CON
>02/05/13 10:14:51.638371 361.094790 d    ip   199.45.62.10     277    270   175751    32167 CON
>
>So there must be something going on in your port. Ramon reads a hard
>coded configuration file that is of the same format as a ragator()
>configuration file. Checkout the definition of RaMonTopNFlowModelFile
>to see if it looks like this:
>
>char *RaMonTopNFlowModelFile [] = {
>"Flow 100 * * * * * 200 3153600",
>"Model 200 255.255.255.255 0.0.0.0 no no no",
>NULL,
>};
>
>If it does, then I'm not sure what the problem is, but if you can
>gdb through RaReadFlowModelFile() while it's reading this buffer,
>you should be able to figure out what is going on.
>
>Carter
>
>Carter Bullard
>QoSient, LLC
>300 E. 56th Street, Suite 18K
>New York, New York 10022
>
>carter at qosient.com
>Phone +1 212 588-9133
>Fax +1 212 588-9134
>http://qosient.com
>
>
>
>> -----Original Message-----
>> From: Andy [mailto:andy at quadrant.net]
>> Sent: Monday, May 13, 2002 1:42 PM
>> To: carter at qosient.com
>> Cc: argus-info at lists.andrew.cmu.edu
>> Subject: RE: How Do I Filter The Data so just the totals for
>> each ip are shown?
>>
>>
>> No I don't think that I am. I compiled the latest from
>>
>> ftp://qosient.com/dev/argus-2.0/argus-2.0.5.tar.gz
>>
>> Made it and installed it again just a few seconds ago after applying
>> the patches to get it to work on Mac Os X and still the same errors.
>> I looked at the creation dates of these executables and they are all
>> current.
>>
>> ramon -h
>> Ramon Version 2.0.5
>> usage: ramon -M mode [-N num]
>> usage: ramon -M mode [-N num] [ra-options] [- filter-expression]
>> options: -M <mode> specify the rmon function.
>> possible <modes> are:
>> TopN, Matrix
>> -N <number> specify the top <number> of
>> entries to print (all).
>> ra-options: -a print record summaries on termination.
>> -A print application bytes.
>> -b dump packet-matching code.
>> -c print packet and byte counts.
>> -C treat the remote source as a
>> Cisco Netflow source.
>> -D <level> specify debug level
>> -F <conffile> read configuration from <conffile>.
>> -g print record time duration.
>> -G print both start and last time values.
>> -h print help.
>> -I print transaction state and
>> option indicators.
>> -l print last time values [default
>> is start time].
>> -n don't convert numbers to names.
>> -p <digits> print fractional time with
>> <digits> precision.
>> -P <portnum> specify remote argus <portnum> (tcp/561).
>> -r <file> read argus data <file>. '-' denotes stdin.
>> -S <host> specify remote argus <host>.
>> -t <timerange> specify <timerange> for reading records.
>> format: timeSpecification[-timeSpecification]
>> timeSpecification:
>> [mm/dd[/yy].]hh[:mm[:ss]]
>> mm/dd[/yy]
>> -T <secs> attach to remote server for T seconds.
>> -u print time in Unix time format.
>> -w <file> write output to <file>. '-'
>> denotes stdout.
>> andyscomputer:/var/log/argus% ramon -r argus.out -M topn
>> ramon: RaCreatePolicyEntry: format error
>> andyscomputer:/var/log/argus% ramon -r argus.out -M TopN
>> ramon: RaCreatePolicyEntry: format error
>>
>>
>> All of the other utilities are working fine and reading the data file
>> perfectly.
>>
>> Andy
>>
>>
>>
>>
>> >You're running old code.
>> >
>> >> -----Original Message-----
>> >> From: owner-argus-info at lists.andrew.cmu.edu
>> >> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Andy
>> >> Sent: Monday, May 13, 2002 1:12 PM
>> >> To: argus-info at lists.andrew.cmu.edu
>> >> Subject: RE: How Do I Filter The Data so just the totals for
>> >> each ip are shown?
>> >>
>> >>
>> >> I keep getting this error when trying to do the commands suggested:
>> >>
>> >> ramon -M topn -r argus.out -w -
>> >> ramon: RaCreatePolicyEntry: format error
>> >>
>> >>
>> >> ramon -M topn -r argus.out
>> >> ramon: RaCreatePolicyEntry: format error
>> >>
>> >> What is happening?
>> >>
>> >> Does this have anything to do with function RaParseCIDRAddr() that
>> >> is found in ragator.c, rahistogram.c and ramon.c that is not
>> >> standardized?? I found a similar problem in your archives that was
>> >> occurring on Solaris machines. I have attached a copy at the end of
>> >> this email for reference.
>> >>
>> >> BTW the mode 'srv' is not supported.
>> >>
>> >> Andy
>> >>
>> >>
>> >> --------------
>> >>
>> >>
>> >>
>> >> With argus 2.0.0 and 2.0.2.beta.1 on Solaris 8 Intel edition, I'm
>> >> having problems with ramon.
>> >>
>> >> bin/ramon -M Matrix -r /local/argus/data
>> >> ramon: RaCreatePolicyEntry: format error
>> >>
>> >> This is related to RaParseCIDRAddr() for the 255.255.255.255
>> >> addresses. It is getting into argus_nametoaddr() which is returning
>> >> 0.
>> >> gethostbyname("255.255.255.255") on Linux and FreeBSD
>> >> machines are generating a valid return structure, but Solaris doesn't.
>> >>
>> >> #0 RaParseCIDRAddr (str=0x804620f "255.255.255.255") at ./ramon.c:1681
>> >> #1 0x8058d39 in RaParsePolicyEntry (str=0x8172198 "Model 200 255.255.255.255 255.255.255.255 no no no") at ./ramon.c:1751
>> >> #2 0x8059282 in RaCreatePolicyEntry (str=0x8172198 "Model 200 255.255.255.255 255.255.255.255 no no no") at ./ramon.c:1914
>> >> #3 0x805937f in RaReadFlowModelFile (model=0x80875e0) at ./ramon.c:1961
>> >> #4 0x8055d13 in ArgusClientInit () at ./ramon.c:120
>> >> #5 0x805af49 in main (argc=5, argv=0x8047648) at ./argus_parse.c:505
>> >>
>> >> Dropping the RaParseCIDRAddr() that is found in clients/ragator.c
>> >> into clients/ramon.c gets through the RaCreatePolicyEntry() routine
>> >> and generates output that seems reasonable.
>> >> -----------
>> >>
>> >>
>> >>
>> >> Hey Michael,
>> >> Thanks! Yes, I'll clean up the 2.0.2 stuff so that they are
>> >> all using the same routines. The new argus-clients package has all
>> >> of these routines standardized and consolidated in a single library.
>> >>
>> >> Could you try it out, to see if it's doing the right thing?
>> >> ftp://qosient.com/dev/argus-2.0/argus-clients-2.0.1.alpha.4.tar.gz
>> >>
>> >> Carter
>> >>
>> >> ------------
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> >Hey Andy,
>> >> > You don't need to filter argus traffic to do this,
>> >> >you just need to use either ragator() or ramon(). From the new
>> >> >distribution
>> >> >ftp://qosient.com/dev/argus-2.0/argus-2.0.5.tar.gz
>> >> >try:
>> >> > ramon -M topn -r argusfile
>> >> > ramon -M srv -r argusfile
>> >> >
>> >> >This should give you some of what you want. Once you try these and
>> >> >find out what's missing, send mail and we can see how to improve
>> >> >ramon() to do what you want.
>> >> >
>> >> >Carter
>> >> >
>> >> >Carter Bullard
>> >> >QoSient, LLC
>> >> >300 E. 56th Street, Suite 18K
>> >> >New York, New York 10022
>> >> >
>> >> >carter at qosient.com
>> >> >Phone +1 212 588-9133
>> >> >Fax +1 212 588-9134
>> >> >http://qosient.com
>> >> >
>> >> >
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: owner-argus-info at lists.andrew.cmu.edu
>> >> >> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Andy
>> >> >> Sent: Monday, May 13, 2002 12:30 PM
>> >> >> To: argus-info at lists.andrew.cmu.edu
>> >> >> Subject: How Do I Filter The Data so just the totals for each ip
>> >> >> are shown?
>> >> >>
>> >> >>
>> >> >> I hope this question is appropriate here.
>> >> >>
>> >> >>
>> >> >> I am new to argus and thus need some help with filtering. What I
>> >> >> want to do is filter out the data from argus so that I can get each
>> >> >> IP's total traffic at any given time. Here is an example of what I
>> >> >> want.
>> >> >>
>> >> >> IpAddress    Protocol  IN Traffic (bytes)  OUT Traffic (bytes)
>> >> >> 10.0.0.4     ICMP      4000                2300
>> >> >> 207.192.2.4  TCP       1.2Gb               1Gb
>> >> >> xx.xx.xx.xx  UDP       2Gb                 4Gb
>> >> >> etc...
>> >> >>
>> >> >>
>> >> >> So for each IP at time Y I would like a summary of the total amount
>> >> >> of traffic in and out for each protocol supported by argus.
>> >> >>
>> >> >> Is there a simple way of doing this? Currently I am using trafd for
>> >> >> this and parsing the data file, but this is really inefficient and
>> >> >> thus I would like to be able to do this with argus instead.
>> >> >>
>> >> >> Thanks in advance,
>> >> >> Andy
>> >> >> --
>> >> >>
>> >> >>
>> >>
>> >>
>> >> --
>> >>
>> >>
>>
>>
>> --
>>
>>
--
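The Solaris report quoted in this thread traces the "RaCreatePolicyEntry: format error" to RaParseCIDRAddr() handing 255.255.255.255 to a name-resolution routine (argus_nametoaddr() and, underneath it, gethostbyname()) that returns 0 for that address on Solaris. The C program below is an added example, not argus code, of how a parser for such entries can avoid that platform dependence: it accepts numeric addresses with inet_pton() before any name lookup, so the all-ones address is handled the same everywhere, and it shows why the older inet_addr() cannot be used for the job (its error value INADDR_NONE is 0xffffffff, the very address in question). The Model line layout (an id, two address specifications, three yes/no columns) follows the RaMonTopNFlowModelFile entry Carter quoted; the meaning of those columns is an assumption, as are the function and struct names.

```c
/* Added example (not argus code): platform-independent parsing of the
 * address fields in a "Model ..." line such as
 *   "Model 200 255.255.255.255 0.0.0.0 no no no"
 * Column meanings are assumed: id, src spec, dst spec, three yes/no flags. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "a.b.c.d" or "a.b.c.d/prefix" into a host-order address and mask.
 * Returns 0 on success, -1 on a format error. Never consults DNS. */
int parse_cidr(const char *str, uint32_t *addr, uint32_t *mask)
{
    char buf[64];
    char *slash;
    struct in_addr in;
    long prefix = 32;

    if (str == NULL || strlen(str) >= sizeof(buf))
        return -1;
    strcpy(buf, str);

    slash = strchr(buf, '/');
    if (slash != NULL) {
        char *end;
        *slash = '\0';
        if (slash[1] == '\0')
            return -1;
        prefix = strtol(slash + 1, &end, 10);
        if (*end != '\0' || prefix < 0 || prefix > 32)
            return -1;
    }

    /* inet_pton() returns 1 only for a well-formed dotted quad, so
     * 255.255.255.255 is accepted like any other address. inet_addr()
     * would not do here: it returns INADDR_NONE (0xffffffff) both for
     * "255.255.255.255" and for a parse error. */
    if (inet_pton(AF_INET, buf, &in) != 1)
        return -1;

    *addr = ntohl(in.s_addr);
    *mask = (prefix == 0) ? 0 : (uint32_t)(0xffffffffUL << (32 - prefix));
    return 0;
}

/* Demonstrates the ambiguity that a legacy inet_addr()-based parser hits:
 * a valid all-ones address and garbage produce the same return value. */
int inet_addr_is_ambiguous(void)
{
    return inet_addr("255.255.255.255") == INADDR_NONE
        && inet_addr("not an address") == INADDR_NONE;
}

struct flow_model {
    int id;
    uint32_t src_addr, src_mask;
    uint32_t dst_addr, dst_mask;
    int flags[3];   /* the three yes/no columns; their meaning is assumed */
};

/* Parse one "Model <id> <src> <dst> <yes|no> <yes|no> <yes|no>" line.
 * Returns 0 on success, -1 on a format error. */
int parse_model_line(const char *line, struct flow_model *m)
{
    char buf[256];
    char *tok;
    int i;

    if (line == NULL || strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    memset(m, 0, sizeof(*m));

    tok = strtok(buf, " \t");
    if (tok == NULL || strcmp(tok, "Model") != 0)
        return -1;
    if ((tok = strtok(NULL, " \t")) == NULL)
        return -1;
    m->id = atoi(tok);
    if ((tok = strtok(NULL, " \t")) == NULL ||
        parse_cidr(tok, &m->src_addr, &m->src_mask) != 0)
        return -1;
    if ((tok = strtok(NULL, " \t")) == NULL ||
        parse_cidr(tok, &m->dst_addr, &m->dst_mask) != 0)
        return -1;
    for (i = 0; i < 3; i++) {
        if ((tok = strtok(NULL, " \t")) == NULL)
            return -1;
        if (strcmp(tok, "yes") == 0)      m->flags[i] = 1;
        else if (strcmp(tok, "no") == 0)  m->flags[i] = 0;
        else                              return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: the Model line quoted from RaMonTopNFlowModelFile. */
    const char *model = "Model 200 255.255.255.255 0.0.0.0 no no no";
    struct flow_model m;

    if (parse_model_line(model, &m) != 0) {
        printf("format error\n");
        return 1;
    }
    printf("id=%d src=0x%08x/0x%08x dst=0x%08x/0x%08x inet_addr ambiguous=%d\n",
           m.id, (unsigned)m.src_addr, (unsigned)m.src_mask,
           (unsigned)m.dst_addr, (unsigned)m.dst_mask, inet_addr_is_ambiguous());
    return 0;
}
```

The point of the example is the ordering: a numeric form is recognised by inet_pton() first, and only a string that is not a dotted quad would ever be handed to a resolver, so the result does not depend on what gethostbyname() makes of 255.255.255.255 on a given platform.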