ragraph/rahistogram
Carter Bullard
carter at qosient.com
Mon Mar 17 18:01:21 EST 2003
Hey Andrew,
rahistogram() is a bit more complicated than your friend
realizes. In the mode that he/she is running it in,
the output is aggregated, so as to give you total bytes,
packets, whatever for any given second. With the data
being aggregated, the address, protocol and port fields
will be empty.
What format is your friend expecting?
Carter
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Andrew Pollock
> Sent: Wednesday, March 12, 2003 5:46 AM
> To: argus-info at lists.andrew.cmu.edu
> Cc: andrewr.hall at aph.gov.au
> Subject: ragraph/rahistogram
>
>
> Hi,
>
> A friend of mine is playing with ragraph and running into some problems
> with the output of rahistogram.
>
> He says that the output should contain more than just 0.0.0.0 for IP
> addresses. Here's a sample chunk of what rahistogram (as called by
> ragraph) is spitting out:
>
> rahistogram -p4 -G -r /var/log/argus/argus.log - ip
> 1047414305.0000:*:ip:0.0.0.0::->:0.0.0.0::93:171:7195:252563:CON
> 1047414306.0000:*:ip:0.0.0.0::->:0.0.0.0::266:493:20156:725136:CON
> 1047414307.0000:*:ip:0.0.0.0::->:0.0.0.0::264:490:19860:724584:CON
> 1047414308.0000:*:ip:0.0.0.0::->:0.0.0.0::264:491:19860:724584:CON
> 1047414309.0000:*:ip:0.0.0.0::->:0.0.0.0::267:493:20029:725011:CON
>
> Is there more required (like a specific ra.conf) to get the output format
> right?
>
> Andrew
>
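An added example, not part of the original thread and not Argus code: a parser for the colon-delimited records quoted above that recognises the aggregated per-second form (0.0.0.0 addresses, empty ports) and totals bytes per second. The names of the four counter columns (source/destination packets, then source/destination bytes) are an assumption; the thread does not label them.

```python
from datetime import datetime, timezone
from typing import NamedTuple

# Records copied from the rahistogram output quoted in the message above.
SAMPLE = """\
1047414305.0000:*:ip:0.0.0.0::->:0.0.0.0::93:171:7195:252563:CON
1047414306.0000:*:ip:0.0.0.0::->:0.0.0.0::266:493:20156:725136:CON
1047414307.0000:*:ip:0.0.0.0::->:0.0.0.0::264:490:19860:724584:CON
1047414308.0000:*:ip:0.0.0.0::->:0.0.0.0::264:491:19860:724584:CON
1047414309.0000:*:ip:0.0.0.0::->:0.0.0.0::267:493:20029:725011:CON
"""

class Bin(NamedTuple):
    start: datetime
    proto: str
    aggregated: bool   # True when address and port fields carry no flow identity
    src_pkts: int      # counter names are assumed, see lead-in
    dst_pkts: int
    src_bytes: int
    dst_bytes: int

def parse_bin(line: str) -> Bin:
    """Split one record into its 13 colon-separated fields (IPv4 only)."""
    f = line.strip().split(":")
    if len(f) != 13:
        raise ValueError(f"expected 13 fields, got {len(f)}: {line!r}")
    ts, _flags, proto, saddr, sport, _dir, daddr, dport = f[:8]
    # Aggregated bins have zeroed addresses and empty ports on both sides.
    aggregated = saddr == daddr == "0.0.0.0" and sport == dport == ""
    counters = [int(x) for x in f[8:12]]
    return Bin(datetime.fromtimestamp(float(ts), tz=timezone.utc),
               proto, aggregated, *counters)

def bytes_per_second(text: str) -> dict:
    """Map epoch second -> total bytes, refusing non-aggregated records."""
    totals = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        b = parse_bin(line)
        if not b.aggregated:
            raise ValueError("flow-level record found; input is not a histogram")
        totals[int(b.start.timestamp())] = b.src_bytes + b.dst_bytes
    return totals
```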