How Do I Filter The Data so just the totals for each ip are
Peter Van Epp
vanepp at sfu.ca
Mon May 13 16:40:11 EDT 2002
I just did so (on both FreeBSD and OS X using the same argus.out file)
and I get the same results. FreeBSD works; OS X complains about a format error,
so it isn't just you. I'll poke at it a bit if I get a chance. Unfortunately
it looks like FreeBSD's output isn't correct though, so I guess more than a
little poking is required there too.
OS X:
[test4:src/argus-2.0.5/bin] root# ./ramon -r argus.out -M topn
ramon: RaCreatePolicyEntry: format error
[test4:src/argus-2.0.5/bin] root#
FreeBSD:
test6# ./ramon -r argus.out.osx -M topn
13 May 02 13:18:52 ip test4.ucs.sfu.c CON
13 May 02 13:18:52 ip fraser.sfu.ca CON
13 May 02 13:18:48 ip 142.58.1.255 TIM
13 May 02 13:18:47 ip 255.255.255.255 INT
13 May 02 13:18:47 ip sh1045.ucs.sfu. INT
13 May 02 13:18:48 ip snert.ucs.sfu.c INT
13 May 02 13:18:56 ip randytest.ucs.s INT
13 May 02 13:19:03 ip flicker.ucs.sfu TIM
13 May 02 13:18:56 ip 142.58.2.255 TIM
13 May 02 13:18:56 ip crow.ucs.sfu.ca TIM
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
>
> Hi Peter,
>
> The structure is identical to what Carter has described below for the
> RaMonTopNFlowModelFile structure.
>
> Before I start messing with gdb have you ever tried 'ramon' on your
> Mac OS X client machine? I know that it works on Linux but this is
> not really that good of a test for Mac OS X architecture.
>
> I just tried recompiling on one of my Os X client machines and
> received this same error again:
>
> ramon -M topn -r argus.out
> ramon: RaCreatePolicyEntry: format error
>
> If it works on your machine then maybe you have something configured
> differently, so please tell. Other than that I will be using gdb
> (which I am not very familiar with).
>
>
> Thank you everyone for your help.
>
>
> Andy
>
>
> >Hey Andy,
> > Hmmmmmmmm, I just downloaded the argus-2.0.5.tar.gz, recompiled and
> >got this on my linux machine.
> >
> >ramon TopN Report
> >   Start_Time             Duration  Flgs Type SrcAddr        SrcPkt Dstpkt SrcBytes DstBytes State
> >02/05/13 10:07:10.324315 850.858246  I   ip   192.168.0.64     1443   1455   213083   705387  CON
> >02/05/13 10:06:59.618301 880.331126      ip   192.168.0.128     667    665    44184   290004  CON
> >02/05/13 10:06:59.618301 880.331126      ip   192.168.0.162     661    663   289576    43882  CON
> >02/05/13 10:15:40.511754  47.029232  d   ip   207.68.131.20     258    204   279545    32066  CON
> >02/05/13 10:14:51.638371 361.094790  d   ip   199.45.62.10      277    270   175751    32167  CON
> >
> >So there must be something going on in your port. Ramon reads a hard
> >coded configuration file that is of the same format as a ragator()
> >configuration file. Checkout the definition of RaMonTopNFlowModelFile
> >to see if it looks like this:
> >
> >char *RaMonTopNFlowModelFile [] = {
> >"Flow 100 * * * * * 200 3153600",
> >"Model 200 255.255.255.255 0.0.0.0 no no no",
> >NULL,
> >};
> >
> >If it does, then I'm not sure what the problem is, but if you can
> >gdb through RaReadFlowModelFile() while its reading this buffer,
> >you should be able to figure out what is going on.
> >
> >Carter
> >
> >Carter Bullard
> >QoSient, LLC
> >300 E. 56th Street, Suite 18K
> >New York, New York 10022
> >
> >carter at qosient.com
> >Phone +1 212 588-9133
> >Fax +1 212 588-9134
> >http://qosient.com
> >
> >
> >
> >> -----Original Message-----
> >> From: Andy [mailto:andy at quadrant.net]
> >> Sent: Monday, May 13, 2002 1:42 PM
> >> To: carter at qosient.com
> >> Cc: argus-info at lists.andrew.cmu.edu
> >> Subject: RE: How Do I Filter The Data so just the totals for each ip are shown?
> >>
> >>
> >> No I don't think that I am. I compiled the latest from
> >>
> >> ftp://qosient.com/dev/argus-2.0/argus-2.0.5.tar.gz
> >>
> >> Made it and installed it again just a few seconds ago after applying
> >> the patches to get it to work on Mac Os X and still the same errors.
> >> I looked at the creation dates of these executables and they are all
> >> current.
> >>
> >> ramon -h
> >> Ramon Version 2.0.5
> >> usage: ramon -M mode [-N num]
> >> usage: ramon -M mode [-N num] [ra-options] [- filter-expression]
> >> options: -M <mode> specify the rmon function.
> >> possible <modes> are:
> >> TopN, Matrix
> >> -N <number> specify the top <number> of entries to print (all).
> >> ra-options: -a print record summaries on termination.
> >> -A print application bytes.
> >> -b dump packet-matching code.
> >> -c print packet and byte counts.
> >> -C treat the remote source as a Cisco Netflow source.
> >> -D <level> specify debug level
> >> -F <conffile> read configuration from <conffile>.
> >> -g print record time duration.
> >> -G print both start and last time values.
> >> -h print help.
> >> -I print transaction state and option indicators.
> >> -l print last time values [default is start time].
> >> -n don't convert numbers to names.
> >> -p <digits> print fractional time with <digits> precision.
> >> -P <portnum> specify remote argus <portnum> (tcp/561).
> >> -r <file> read argus data <file>. '-' denotes stdin.
> >> -S <host> specify remote argus <host>.
> >> -t <timerange> specify <timerange> for reading records.
> >> format: timeSpecification[-timeSpecification]
> >> timeSpecification:
> >> [mm/dd[/yy].]hh[:mm[:ss]]
> >> mm/dd[/yy]
> >> -T <secs> attach to remote server for T seconds.
> >> -u print time in Unix time format.
> >> -w <file> write output to <file>. '-' denotes stdout.
> >> andyscomputer:/var/log/argus% ramon -r argus.out -M topn
> >> ramon: RaCreatePolicyEntry: format error
> >> andyscomputer:/var/log/argus% ramon -r argus.out -M TopN
> >> ramon: RaCreatePolicyEntry: format error
> >>
> >>
> >> All of the other utilities are working fine and reading the data file
> >> perfectly.
> >>
> >> Andy
> >>
> >>
> >>
> >>
> >> >You're running old code.
> >> >
> >> >> -----Original Message-----
> >> >> From: owner-argus-info at lists.andrew.cmu.edu
> >> >> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Andy
> >> >> Sent: Monday, May 13, 2002 1:12 PM
> >> >> To: argus-info at lists.andrew.cmu.edu
> >> >> Subject: RE: How Do I Filter The Data so just the totals for each ip are shown?
> >> >>
> >> >>
> >> >> I keep getting this error when trying to do the commands suggested:
> >> >>
> >> >> ramon -M topn -r argus.out -w -
> >> >> ramon: RaCreatePolicyEntry: format error
> >> >>
> >> >>
> >> >> ramon -M topn -r argus.out
> >> >> ramon: RaCreatePolicyEntry: format error
> >> >>
> >> >> What is happening?
> >> >>
> >> >> Does this have anything to do with function RaParseCIDRAddr() that
> >> >> is found in ragator.c, rahistogram.c and ramon.c that is not
> >> >> standardized?? I found a similar problem in your archives that was
> >> >> occurring on Solaris machines. I have attached a copy at the end of
> >> >> this email for reference.
> >> >>
> >> >> BTW the mode 'srv' is not supported.
> >> >>
> >> >> Andy
> >> >>
> >> >>
> >> >> --------------
> >> >>
> >> >>
> >> >>
> >> >> With argus 2.0.0 and 2.0.2.beta.1 on Solaris 8 Intel edition, I'm
> >> >> having problems with ramon.
> >> >>
> >> >> bin/ramon -M Matrix -r /local/argus/data
> >> >> ramon: RaCreatePolicyEntry: format error
> >> >>
> >> >> This is related to RaParseCIDRAddr() for the 255.255.255.255
> >> >> addresses. It is getting into argus_nametoaddr() which is returning
> >> >> 0.
> >> >> gethostbyname("255.255.255.255") on Linux and FreeBSD
> >> >> machines are generating a valid return structure, but Solaris doesn't.
> >> >>
> >> >> #0 RaParseCIDRAddr (str=0x804620f "255.255.255.255") at ./ramon.c:1681
> >> >> #1 0x8058d39 in RaParsePolicyEntry (str=0x8172198 "Model 200 255.255.255.255 255.255.255.255 no no no") at ./ramon.c:1751
> >> >> #2 0x8059282 in RaCreatePolicyEntry (str=0x8172198 "Model 200 255.255.255.255 255.255.255.255 no no no") at ./ramon.c:1914
> >> >> #3 0x805937f in RaReadFlowModelFile (model=0x80875e0) at ./ramon.c:1961
> >> >> #4 0x8055d13 in ArgusClientInit () at ./ramon.c:120
> >> >> #5 0x805af49 in main (argc=5, argv=0x8047648) at ./argus_parse.c:505
> >> >>
> >> >> Dropping the RaParseCIDRAddr() that is found in clients/ragator.c
> >> >> into clients/ramon.c gets through the RaCreatePolicyEntry() routine
> >> >> and generates output that seems reasonable.
> >> >> -----------
> >> >>
> >> >>
> >> >>
> >> >> Hey Michael,
> >> >> Thanks! Yes, I'll clean up the 2.0.2 stuff so that they are
> >> >> all using the same routines. The new argus-clients package has all
> >> >> of these routines standardized and consolidated in a single library.
> >> >>
> >> >> Could you try it out, to see if it's doing the right thing?
> >> >> ftp://qosient.com/dev/argus-2.0/argus-clients-2.0.1.alpha.4.tar.gz
> >> >>
> >> >> Carter
> >> >>
> >> >> ------------
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> >Hey Andy,
> >> >> > You don't need to filter argus traffic to do this,
> >> >> >you just need to use either ragator() or ramon(). From the new
> >> >> >distribution
> >> >> >ftp://qosient.com/dev/argus-2.0/argus-2.0.5.tar.gz
> >> >> >try:
> >> >> > ramon -M topn -r argusfile
> >> >> > ramon -M srv -r argusfile
> >> >> >
> >> >> >This should give you some of what you want. Once you try these and
> >> >> >find out what's missing, send mail and we can see how to improve
> >> >> >ramon() to do what you want.
> >> >> >
> >> >> >Carter
> >> >> >
> >> >> >Carter Bullard
> >> >> >QoSient, LLC
> >> >> >300 E. 56th Street, Suite 18K
> >> >> >New York, New York 10022
> >> >> >
> >> >> >carter at qosient.com
> >> >> >Phone +1 212 588-9133
> >> >> >Fax +1 212 588-9134
> >> >> >http://qosient.com
> >> >> >
> >> >> >
> >> >> >
> >> >> >> -----Original Message-----
> >> >> >> From: owner-argus-info at lists.andrew.cmu.edu
> >> >> >> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Andy
> >> >> >> Sent: Monday, May 13, 2002 12:30 PM
> >> >> >> To: argus-info at lists.andrew.cmu.edu
> >> >> >> Subject: How Do I Filter The Data so just the totals for each ip are shown?
> >> >> >>
> >> >> >>
> >> >> >> I hope this question is appropriate here.
> >> >> >>
> >> >> >>
> >> >> >> I am new to argus and thus need some help with filtering. What I
> >> >> >> want to do is filter out the data from argus so that I can get each
> >> >> >> IP's total traffic at any given time. Here is an example of what I
> >> >> >> want.
> >> >> >>
> >> >> >> IpAddress      Protocol   IN Traffic (bytes)   OUT Traffic (bytes)
> >> >> >> 10.0.0.4       ICMP       4000                 2300
> >> >> >> 207.192.2.4    TCP        1.2Gb                1Gb
> >> >> >> xx.xx.xx.xx    UDP        2Gb                  4Gb
> >> >> >> etc...
> >> >> >>
> >> >> >>
> >> >> >> So for each IP at time Y I would like a summary of the total amount
> >> >> >> of traffic in and out for each protocol supported by argus.
> >> >> >>
> >> >> >> Is there a simple way of doing this? Currently I am using trafd for
> >> >> >> this and parsing the data file, but this is really inefficient and
> >> >> >> thus I would like to be able to do this with argus instead.
> >> >> >>
> >> >> >> Thanks in advance,
> >> >> >> Andy
> >> >> >> --
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >> --
> >> >>
> >> >>
> >>
> >>
> >> --
> >>
> >>
>
>
> --
>
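The Solaris report quoted above pins the "RaCreatePolicyEntry: format error" on RaParseCIDRAddr() failing to turn the string "255.255.255.255" from the hard-coded Model line into an address. The example below is an added illustration, not code from argus or ramon: a small CIDR parser that avoids the same trap. The point it makes is that inet_addr() reports failure by returning INADDR_NONE, which is 0xffffffff, the very value that encodes the all-ones address, so a caller that checks that return value cannot distinguish "255.255.255.255" from garbage; inet_pton() signals errors through its return code instead, so the address itself is never mistaken for a failure. Everything about the Model line's field layout beyond "keyword, id, two addresses" is an assumption; the trailing "no no no" fields are ignored, and the inputs at the bottom are constructed for the demonstration.

```c
/*
 * Added example, not argus code: a CIDR parser that handles the
 * 255.255.255.255 case which tripped RaParseCIDRAddr() in the thread.
 * Assumption: a "Model" line is "Model <id> <addr> <addr> ..."; only the
 * two address fields are parsed here and the rest is ignored.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Parse "a.b.c.d" or "a.b.c.d/bits" into a host-order address and netmask.
 * A bare address is treated as /32.  Returns 1 on success, 0 on format error. */
int parse_cidr(const char *str, uint32_t *addr, uint32_t *mask)
{
    char buf[64];
    char *slash, *end;
    struct in_addr in;
    unsigned long bits = 32;

    if (str == NULL || strlen(str) >= sizeof(buf))
        return 0;
    strcpy(buf, str);

    slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        if (slash[1] == '\0')           /* "10.0.0.0/" has no prefix length */
            return 0;
        bits = strtoul(slash + 1, &end, 10);
        if (*end != '\0' || bits > 32)  /* trailing junk or /33 and beyond */
            return 0;
    }

    /* inet_pton() returns 1 only for a well-formed dotted quad.  It has no
     * in-band error value, so both 255.255.255.255 and 0.0.0.0 succeed. */
    if (inet_pton(AF_INET, buf, &in) != 1)
        return 0;

    *addr = ntohl(in.s_addr);
    *mask = (bits == 0) ? 0U : (uint32_t)(0xffffffffUL << (32 - bits));
    return 1;
}

/* The pitfall itself: inet_addr() cannot tell the all-ones address from its
 * own error sentinel.  Returns 1 when a valid all-ones address and a garbage
 * string both come back as INADDR_NONE. */
int inet_addr_is_ambiguous(void)
{
    return inet_addr("255.255.255.255") == INADDR_NONE
        && inet_addr("not-an-address") == INADDR_NONE;
}

/* Parse the two address fields of a "Model <id> <addr> <addr> ..." line,
 * such as the entry in RaMonTopNFlowModelFile.  Returns 1 on success. */
int parse_model_addrs(const char *line, uint32_t *a1, uint32_t *m1,
                      uint32_t *a2, uint32_t *m2)
{
    char kw[16], f1[64], f2[64];
    int id;

    if (sscanf(line, "%15s %d %63s %63s", kw, &id, f1, f2) != 4)
        return 0;
    if (strcmp(kw, "Model") != 0)
        return 0;
    return parse_cidr(f1, a1, m1) && parse_cidr(f2, a2, m2);
}

/* Single-call wrappers so each field can be checked on its own. */
int cidr_is_valid(const char *s) { uint32_t a, m; return parse_cidr(s, &a, &m); }
uint32_t cidr_addr(const char *s) { uint32_t a = 0, m = 0; parse_cidr(s, &a, &m); return a; }
uint32_t cidr_mask(const char *s) { uint32_t a = 0, m = 0; parse_cidr(s, &a, &m); return m; }
int model_line_is_valid(const char *line)
{
    uint32_t a1, m1, a2, m2;
    return parse_model_addrs(line, &a1, &m1, &a2, &m2);
}

int main(void)
{
    /* Constructed inputs: the Model line quoted in the thread plus edge cases. */
    const char *line = "Model 200 255.255.255.255 0.0.0.0 no no no";
    const char *cases[] = { "255.255.255.255", "0.0.0.0", "10.0.0.0/8",
                            "142.58.0.0/16", "10.0.0.0/33", "bogus" };
    size_t i;
    uint32_t a, m;

    printf("inet_addr() ambiguous for 255.255.255.255: %s\n",
           inet_addr_is_ambiguous() ? "yes" : "no");
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        if (parse_cidr(cases[i], &a, &m))
            printf("%-16s -> addr 0x%08x mask 0x%08x\n", cases[i], a, m);
        else
            printf("%-16s -> format error\n", cases[i]);
    }
    printf("\"%s\" -> %s\n", line, model_line_is_valid(line) ? "ok" : "format error");
    return 0;
}
```

The same reasoning applies to any parser that routes a literal address through gethostbyname() or inet_addr(): an address whose encoding collides with the library's error value will be rejected on platforms that check that value strictly, which is exactly the Linux/FreeBSD versus Solaris difference described above.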