Me and my usual questions

Andrew Pollock andrew-argus at andrew.net.au
Wed Jun 4 21:40:00 EDT 2003 

Hi,

I'm the never ending purgatory that is my life, I'm trying to make Argus 
produce consistently sensible data, and as usual, failing miserably.

I'm going to go back to square one:

We have a network topology like this:

              LB        LB
               |         |
            +--------------+
            |              |
Argus ------| Switch       |
            |              |
            +--------------+
             | | | | | | | 
             |     |   |
           Client  | Client  
               Client

We have a switch, to which two load balancers are attached (one being 
active at any point in time) and we have our clients connected to the 
switch as well. Argus is running on a server plugged into a port on the 
switch that spans the two ports that the load balancers are plugged into.

Each client has a /24 of their own, with the exception of a couple of 
clients that have a single /32

Today's focus is one of the clients that have just a /32

The way I've been determining how much data has been sent/received to/from 
such a client is:

ramon -w - -M TopN -r argus.log - host 10.11.2.243 | racount

or for one with a /24

ramon -w - -M TopN -M net/24 -r argus.log - net 10.99.9/24 | racount

(hopefully I've got this much correct)

I'm now trying to determine a protocol breakdown of that total and this is
where I can't get the sum of the protocol breakdown to agree with the
output of the above ramon calls.

Both the sum of the output of:

ragator -w - -r argus.log - tcp or udp and host 10.11.2.243 | ragator -f
/usr/local/etc/dport.conf -w - | rasort -M bytes -w - | ra -s dport pkts
bytes

and

ra -r argus.log -w - - host 10.11.2.243 | ramon -M Svc -r -

agree with each other, however they're a bit out (in both directions) with 
the output of the top ramon call.

dport.conf in the above ragator call contains:

Flow    100 ip  *       *       *       *       *       200     0       0
Model   200 ip  0.0.0.0         0.0.0.0         yes     no      yes

I just want to get this to a set and forget point, rather than every month
having to spend days fiddling around with various Argus client calls and
wading through a good 36Gb of logs. I'm after a total per network for a 
month's worth of Argus logs and the ability to break that total down per 
protocol on an ad hoc request basis.

Andrew

More information about the argus mailing list