Basic Question for argus experts...

Carter Bullard carter at qosient.com
Thu Mar 27 11:44:20 EST 2003


Hey Réal, 
   Try ramon() using the "-M topn" option.  If you want to
change the sorting algorithm, use the "-s field" option.

If you want a particular subnet, because ramon() actually
modifies the input records to do some interesting stuff,
you should use ra to filter the records.

So top 10 talkers by bytes:

   ramon -M topn -s bytes -r file -N 10

Top ten subnets(class) by pkts:

   ramon -M topn nets -s pkts -r file -N 10

Top ten subnets(cidr 16 bit) by src bytes:

   ramon -M topn nets/16 -s sbytes -r file -N 10

Top ten net (cidr 24) matrix by dst pkts:

   ramon -M matrix nets/24 -s dpkts -r file -N 10


Top ten hosts talking to a specific subnet:

   ra -w - -r file - net 1.2.3 | ramon -M topn -N 10

Top ten DNS hosts:

   ra -w - -r file - port domain | ramon -M topn -N 10


There are literally thousands of combinations.
I found a bug in ramon() which the new argus-clients
remedies, so be sure to get the latest and greatest.

ftp://qosient.com/dev/argus-2.0

This should get you going, if you need more, just send mail.

Carter


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Real Melancon
> Sent: Thursday, March 27, 2003 8:52 AM
> To: <
> Subject: Basic Question for argus experts...
> 
> 
> Hello List.
> 
> I'm looking for commands to have the following reports:
> 
>   - Top ten users by bytes (top talkers and top listeners)
>     for all subnets and for one specific subnet
> 
>   - Top ten protocols for all subnets and for one specific subnet
> 
> Argus is running on our server (FreeBSD 4.7) without a hitch.
> I started it with the following command: argus -S 10 -P 561
> 
> It started 3 processes on the server, and we're collecting
> about 100 Megs of data every day.
> 
> Thanks for helping!
> 
> 
> --------------------------------------------------------------------------------
> Réal Melançon.
> Unix/Telecom Administrator
> Uniboard Canada (http://www.uniboard.com)
> 3080 Boul. Le Carrefour
> Laval (Québec)  H7T 2R5
> Tel./Phone: 450-973-1001 (ext. 2252)
> Fax: 450-682-0550
> E-mail: real.melancon at uniboard.com
> Support: supportti at uniboard.com
>                itsupport at uniboard.com
> --------------------------------------------------------------------------------
> 
> 
> 
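The reports Carter lists above (top talkers and listeners, ranking by a chosen counter, aggregation to /16 or /24 subnets, a src/dst matrix, and pre-filtering to one subnet the way "ra ... - net 1.2.3 | ramon" does) as an added example. This is not code from the original message and not ramon's or argus-clients' own code: it is a small Python reimplementation of the same top-N ranking so the reader can see what each option computes. The field names (bytes, sbytes, dbytes, pkts, spkts, dpkts) follow the -s options used above; the flow records are constructed for illustration, and the `side` parameter (talkers keyed on the source address, listeners on the destination) and the per-host/per-subnet keying are this example's assumptions, not a statement of ramon's exact semantics.

```python
"""Top-N flow reports in the spirit of "ramon -M topn" / "-M matrix".

Added example, not ramon's code. The FLOWS below are constructed
records; a real run would parse the records ra(1) writes.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (not real traffic):
# (src_addr, dst_addr, sbytes, dbytes, spkts, dpkts)
FLOWS = [
    ("10.1.1.5",   "192.168.7.9",  5000,  20000, 10, 15),
    ("10.1.1.5",   "192.168.7.53", 300,   700,   3,  3),
    ("10.1.2.8",   "192.168.7.9",  50000, 100,   40, 5),
    ("10.2.0.1",   "192.168.8.2",  1000,  1000,  8,  8),
    ("172.16.0.9", "192.168.7.9",  12000, 3000,  30, 10),
]

# Counters selectable with "-s field" in the commands above.
FIELDS = {
    "bytes":  lambda f: f[2] + f[3],
    "sbytes": lambda f: f[2],
    "dbytes": lambda f: f[3],
    "pkts":   lambda f: f[4] + f[5],
    "spkts":  lambda f: f[4],
    "dpkts":  lambda f: f[5],
}


def prefix(addr, cidr=None):
    """Collapse an address to its /cidr network ("nets/16", "nets/24");
    cidr=None keeps the individual host."""
    if cidr is None:
        return addr
    return str(ip_network(f"{addr}/{cidr}", strict=False))


def topn(flows, field="bytes", n=10, cidr=None, side="src"):
    """Rank hosts (or /cidr subnets) by the chosen counter.
    side="src" keys on the source address (top talkers, an assumption
    of this example), side="dst" on the destination (top listeners)."""
    key_idx = 0 if side == "src" else 1
    value = FIELDS[field]
    totals = defaultdict(int)
    for f in flows:
        totals[prefix(f[key_idx], cidr)] += value(f)
    # Highest counter first; ties broken by address for a stable report.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def matrix(flows, field="bytes", n=10, cidr=None):
    """Rank (src net, dst net) pairs, the "-M matrix nets/24" view."""
    value = FIELDS[field]
    totals = defaultdict(int)
    for f in flows:
        totals[(prefix(f[0], cidr), prefix(f[1], cidr))] += value(f)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def in_net(flows, net):
    """Keep flows with either endpoint inside net: the pre-filter that
    "ra -r file -w - - net 1.2.3" performs before piping into ramon."""
    network = ip_network(net, strict=False)
    return [f for f in flows
            if ip_address(f[0]) in network or ip_address(f[1]) in network]


if __name__ == "__main__":
    print("top talkers by bytes:", topn(FLOWS, "bytes", 10))
    print("top listeners by bytes:", topn(FLOWS, "bytes", 10, side="dst"))
    print("top /16 nets by sbytes:", topn(FLOWS, "sbytes", 10, cidr=16))
    print("top /24 matrix by dpkts:", matrix(FLOWS, "dpkts", 10, cidr=24))
    print("top talkers to 10.1/16 by pkts:",
          topn(in_net(FLOWS, "10.1.0.0/16"), "pkts", 10))
```

The filter step matters for the same reason Carter gives: narrow the record set first, then rank, rather than ranking everything and hoping the subnet of interest lands in the top N.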
