Breaking down selected traffic
Steve McInerney
spm at healthinsite.gov.au
Thu May 8 19:25:21 EDT 2003
Thanks Carter!
What about the duplicate ICMPs?
No real biggie, more of a minor concern.
From what I can see, they're approaching a magic 64K boundary, outbound.
Is that the reason for the roll over there?
FWIW, and just to be contrary and not use perl, below is a simple awk
script to deal with the bigger numbers. Awk as I need to improve my awk
skills, my perl ones are fine :-)
I've been running it with the output from the ra|ramon pipe tee'd to a
text file - makes it easier to re-sort quickly.
awk -f ramon-post.awk ramon-out.txt | sort -rn -k 9
It is a quick, evil script, and doesn't deal with the "icmp" lines. You
have been warned.
- Steve
*************
# ramon-post.awk
# Merge ramon -M svc rows that share proto+service ($5 and $6), summing the
# four counters in $7-$10. Fields $1-$4 are the date columns. awk keeps
# numbers as doubles, so the running totals can exceed the 32-bit record
# counters that made ramon emit the duplicate rows in the first place.
{
    if ( $5$6 in serv ) {
        split($0, new)
        split(serv[$5$6], old)
        # add this row's counters to the running totals for the service
        for ( i = 7; i <= 10; i++ ) old[i] = old[i] + new[i]
        serv[$5$6] = sprintf("%s %s %s %s %4s %-17s%-9d%-10d%-13.0f%-15.0f", old[1], old[2], old[3], old[4], old[5], old[6], old[7], old[8], old[9], old[10])
    } else {
        # first row seen for this service: keep it verbatim
        serv[$5$6] = $0
    }
}
END {
    # print the merged rows; pipe through sort -rn -k 9 to order by bytes
    for ( i in serv )
        print serv[i]
}
Carter Bullard wrote:
> Hey Steve,
> Argus records have only 32-bit counters, at present,
> and so if, in most operations on native argus data, a
> counter would roll over, the tools "spit" them out, so
> to speak.
>
> So you're getting 2 tcp http records because the first
> byte count is just about ready to roll over (4294896677).
>
> Writing a simple frontend to ramon in perl can help this
> situation, as perl does real well with 64bit counters.
>
> Carter
>
>>-----Original Message-----
>>From: Steve McInerney [mailto:spm at healthinsite.gov.au]
>>Sent: Thursday, May 08, 2003 2:19 AM
>>To: Carter Bullard
>>Cc: argus-info at lists.andrew.cmu.edu
>>Subject: Re: Breaking down selected traffic
>>
>>
>>Hi Carter,
>>
>>Thanks for this tip - most useful.
>>
>>Did get one minor curiosity when I ran it tho, duplicate entries for
>>various services like so:
>>
>>(Have chopped the date column in the interests of readability)
>>
>>tcp http 7099751 7045491 676059782 4294896677
>>tcp http 459270 445984 46457198 255631299
>><snip>
>>icmp 1217 0 65362 0
>><snip>
>>icmp 22 0 1540 0
>>...
>>
>>
>>Any idea as to why?
>>I'm using argus-clients-2.0.6.beta.40
>>The command line to generate the above is:
>>
>>ra -r argus.out -w - - ether host gw-x:x:x:x:x:x:x and not "( src or dst net dmz-a.b.c or dst net local-d.e.f )" | ramon -M svc
>>
>>-> traffic leaving our gateway, not destined/from the DMZ or local net
>>
>>
>>Thanks
>>
>>
>>- Steve
>>
>>
>>
>
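The merge Carter suggests, as an added example in Python rather than perl or awk (not code from this thread or from the argus project). It assumes the row layout the awk script above consumes (optional leading date columns, then proto, an optional service name, then the four counters), and unlike the awk it also copes with the icmp rows, which have no service column; the sample rows are the ones quoted below plus one constructed udp line.

```python
"""Merge ramon -M svc rows that argus split at its 32-bit counter limit."""
from collections import defaultdict

COUNTERS = 4         # trailing columns: src pkts, dst pkts, src bytes, dst bytes
U32_MAX = 2**32 - 1  # largest value a 32-bit argus record counter can hold

# Constructed sample: the duplicated rows quoted in the thread (date column
# already chopped, so parse with date_fields=0) plus one made-up udp row.
SAMPLE = """\
tcp http 7099751 7045491 676059782 4294896677
tcp http 459270 445984 46457198 255631299
icmp 1217 0 65362 0
icmp 22 0 1540 0
udp dns 10 10 800 1600
"""

def merge_svc_rows(text, date_fields=0):
    """Sum the counters of rows sharing a proto/service key; returns
    {key_tuple: [src_pkts, dst_pkts, src_bytes, dst_bytes]}.  The key is taken
    from the right, so an icmp row with no service column stays aligned (the awk
    script above mis-splits it).  Python ints cannot roll over like the records."""
    totals = defaultdict(lambda: [0] * COUNTERS)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < date_fields + 1 + COUNTERS:
            continue                      # blank line or a <snip> marker
        try:
            counters = [int(f) for f in fields[-COUNTERS:]]
        except ValueError:
            continue                      # not a counter row
        key = tuple(fields[date_fields:-COUNTERS])
        for i, c in enumerate(counters):
            totals[key][i] += c
    return dict(totals)

def rolled_over(totals):
    """Keys whose merged total no longer fits a 32-bit counter: evidence the
    split rows were rollover artefacts rather than real duplicate flows."""
    return sorted(k for k, v in totals.items() if max(v) > U32_MAX)

def report(totals, sort_col=2):
    """Merged rows, highest sort_col first (2 = src bytes, like sort -rn -k 9)."""
    order = sorted(totals.items(), key=lambda kv: kv[1][sort_col], reverse=True)
    return ["%-5s %-8s %10d %10d %14d %14d"
            % ((k[0], k[1] if len(k) > 1 else "") + tuple(v)) for k, v in order]

if __name__ == "__main__":
    merged = merge_svc_rows(SAMPLE)
    print("\n".join(report(merged)))
    print("exceeded 32 bits:", rolled_over(merged))
```

Feed it the tee'd ramon output with date_fields set to the number of leading date columns in the real file; the tcp http dst-byte total (4550527976) lands above 2^32, which is exactly why ramon had to emit a second row.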