Flowfile newbie: followup

[Carter Bullard]

Hey John,
   Yes you should use ramon().  Something like this should
get you started.  Not sure what you mean by adding the
send and receive totals.  Are you thinking % total?

Carter



[argus at isis argus-clients]$ bin/ramon -ar /tmp/argus.out -M svc -N 10
tcp                                                                 
       StartTime         Type       Dport      InPkt    OutPkt
InBytes      OutBytes    
02/11/05 07:16:13.002249  tcp ssh              6269     5043      521962
1182053
02/11/05 07:00:00.345463  tcp shell            1876     1868      150440
172262
02/11/05 06:59:58.721510  tcp monitor          1831     1831      120846
740666
02/11/05 07:00:37.779416  tcp pop3             1228     1258      73006
86338
02/11/05 07:00:37.763310  tcp 1195             816      626       199352
237640
02/11/05 07:08:41.230525  tcp microsoft-ds     254      209       66163
36262
02/11/05 07:12:08.274859  tcp netbios-ssn      215      195       40788
32743
02/11/05 07:12:03.659487  tcp 1026             89       66        19257
9987
02/11/05 07:13:38.402542  tcp 389              71       52        18811
17536
02/11/05 07:13:38.992201  tcp http             53       43        6297
25755

bin/ramon -ar /tmp/argus.out -M svc -N 10 udp
       StartTime         Type       Dport      InPkt    OutPkt
InBytes      OutBytes    
02/11/05 06:59:58.521670  udp router           123      0         10558
0
02/11/05 07:00:55.516383  udp bootps           37       37        10797
12676
02/11/05 07:00:00.202923  udp domain           31       31        2608
6430
02/11/05 07:01:35.414972  udp ntp              19       19        1850
1850
02/11/05 07:05:34.002293  udp netbios-dgm      33       0         7785
0
02/11/05 07:12:03.756734  udp kerberos         14       15        16395
19696
02/11/05 07:12:40.883265  udp cplscrambler-in  20       0         1000
0
02/11/05 07:12:03.036293  udp netbios-ns       8        8         844
832
02/11/05 07:12:03.529509  udp ldap             4        4         922
868
02/11/05 07:13:38.625100  udp ssdp             3        0         525
0



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> John Hermes
> Sent: Tuesday, November 05, 2002 4:42 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: RE: Flowfile newbie: followup
> 
> 
> Hi Carter,
> 
> Thanks for the tip! I didn't think about ramon.
> 
> My first goal is to generate two lists (for UDP and TCP) of 
> protocols sorted by total bytes (sent + received) and chop 
> off anything beyond the top 10. Sort of a 30,000 ft view of 
> how people are using the T1 these days. Any way to add the 
> send and receive totals in ramon or ragator? I'll add 'em 
> up with a script otherwise. I have a recent 2.0.6 beta 
> client set, FYI.
> 
> Thanks!
> 
> John Hermes
> jhermes at infoglobe.com
> 
> 
> 
> 
> 
> Hey John,
> Your aggregation file is somewhat unique, in that your
> tracking source CIDR addresses against TCP port numbers.
> Not the most popular aggregation scheme ;o)
> 
> Why not try this
>    ramon -r <argusfile> -M svc - tcp
> 
> While it won't give you your source, it will
> give the port breakdown.  If this is similar to
> what your looking for, its pretty easy to construct
> variations with ragator().  Send more mail if this
> is getting closer.
> 
> Regarding your aggregation conf file, this may help as
> well:
> 
> Model 200  tcp  255.255.255.0  0.0.0.0  yes no yes
>                                         ^^^
> The "yes" preserves the protocol.  Even though your
> filtering for just tcp, the port is only meaningful
> in conjunction with the protocol, so its important.
> 
> Carter
> 
>