Breaking down selected traffic

Carter Bullard carter at qosient.com
Thu May 8 20:20:19 EDT 2003


Hey Steve,
   They are different ICMP types, echo, unreachable, etc...
They probably should be consolidated together, or are they
different ICMP services?

Carter


> -----Original Message-----
> From: Steve McInerney [mailto:spm at healthinsite.gov.au] 
> Sent: Thursday, May 08, 2003 7:25 PM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: Breaking down selected traffic
> 
> 
> Thanks Carter!
> 
> What about the duplicate ICMP's?
> No real biggie, more of a minor concern.
> From what I can see, they're approaching a magic 64K boundary, outbound.
> Is that the reason for the roll over there?
> 
> 
> FWIW, and just to be contrary and not use perl, below is a simple awk
> script to deal with the bigger numbers. Awk as I need to improve my awk
> skills, my perl ones are fine :-)
> 
> I've been running it with the output from the ra|ramon pipe tee'd to a
> text file - makes it easier to re-sort quickly.
> 
> awk -f ramon-post.awk ramon-out.txt | sort -rn -k 9
> 
> It is a quick, evil script, and doesn't deal with the "icmp" lines. You
> have been warned.
> 
> 
> 
> - Steve
> *************
> 
> # ramon-post.awk
> # Merge ramon -M svc rows that share the same proto+service ($5$6),
> # summing the four counters (fields 7-10); the byte columns are
> # printed with %.0f so totals past 2^32 are kept intact.
> {
>      if ( $5$6 in serv ) {
>          split($0, new)
>          split(serv[$5$6], old)
>          for ( i = 7; i <= 10; i++) old[i] = old[i] + new[i]
>          serv[$5$6] = sprintf("%s %s %s %s %4s %-17s%-9d%-10d%-13.0f%-15.0f",
>                               old[1], old[2], old[3], old[4], old[5],
>                               old[6], old[7], old[8], old[9], old[10])
>      } else {
>          serv[$5$6] = $0
>      }
> }
> 
> END {
>      for ( i in serv )
>          print serv[i]
> }
> 
> Carter Bullard wrote:
> > Hey Steve,
> >    Argus records have only 32-bit counters, at present,
> > and so if, in most operations on native argus data, a
> > counter would roll over, the tools "spit" them out, so
> > to speak.
> > 
> >    So you're getting 2 tcp http records because the first
> > byte count is just about ready to roll over (4294896677).
> > 
> > Writing a simple frontend to ramon in perl can help this
> > situation, as perl does real well with 64bit counters.
> > 
> > Carter
> > 
> > 
> > 
> > 
> >>-----Original Message-----
> >>From: Steve McInerney [mailto:spm at healthinsite.gov.au] 
> >>Sent: Thursday, May 08, 2003 2:19 AM
> >>To: Carter Bullard
> >>Cc: argus-info at lists.andrew.cmu.edu
> >>Subject: Re: Breaking down selected traffic
> >>
> >>
> >>Hi Carter,
> >>
> >>Thanks for this tip - most useful.
> >>
> >>Did get one minor curiosity when I ran it though, duplicate entries for
> >>various services like so:
> >>
> >>(Have chopped the date column in the interests of readability)
> >>
> >>tcp http             7099751  7045491   676059782    4294896677
> >>tcp http             459270   445984    46457198     255631299
> >><snip>
> >>icmp                  1217     0         65362        0
> >><snip>
> >>icmp                  22       0         1540         0
> >>...
> >>
> >>
> >>Any idea as to why?
> >>I'm using argus-clients-2.0.6.beta.40
> >>The command line to generate the above is:
> >>
> >>ra -r argus.out -w - - ether host gw-x:x:x:x:x:x:x and not "( src or dst net dmz-a.b.c or dst net local-d.e.f )" |  ramon -M svc
> >>
> >>-> traffic leaving our gateway, not destined/from the DMZ or local net
> >>
> >>
> >>Thanks
> >>
> >>
> >>- Steve
> >>
> 
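The post-processor below is an added example, not code from this thread or from the argus clients. It does what Carter's reply describes: argus splits a service into several records once a 32-bit counter is about to roll over, so the ramon -M svc rows for that service have to be re-summed in arithmetic wider than 32 bits. Unlike the posted awk script it also copes with the icmp rows, which have no service column. Assumptions: the row layout is four time fields, then proto and (for tcp/udp) service, then four counters, as the posted script expects; the names consolidate_svc, svc_counter and svc_rows are the example's own; the sample rows are constructed, with only the tcp http and icmp counters taken from Steve's message and the timestamps and udp row invented. Rows that print identically are merged, so the two icmp rows collapse into one; that is right only if the ICMP types behind them need not be kept apart.

```shell
#!/bin/sh
# Added example (not from the argus clients or the thread): merge the
# ramon -M svc rows that argus split because a 32-bit counter was about
# to roll over.  Assumed row layout, as the posted awk script expects:
#   <4 time fields> <proto> [<service>] <c1> <c2> <c3> <c4>
# icmp rows have no service column, so the key is taken as everything
# between the time fields and the last four counters.

consolidate_svc() {
    awk '
    NF < 9 { next }                          # header / blank lines
    {
        key = $5
        for (i = 6; i <= NF - 4; i++) key = key " " $i
        if (!(key in seen)) {
            seen[key] = 1
            order[++n] = key                 # keep first-seen order
            stamp[key] = $1 " " $2 " " $3 " " $4
        }
        # awk numbers are doubles: exact integers up to 2^53, so sums
        # well past the 2^32 limit of the argus record counters are safe
        for (i = 1; i <= 4; i++) sum[key, i] += $(NF - 4 + i)
    }
    END {
        for (j = 1; j <= n; j++) {
            key = order[j]
            printf "%s %-17s %-9.0f %-10.0f %-13.0f %-15.0f\n", stamp[key], key,
                   sum[key, 1], sum[key, 2], sum[key, 3], sum[key, 4]
        }
    }'
}

# Constructed sample: the tcp http and icmp counters are the ones Steve
# quoted; the time fields and the udp row are invented.
SAMPLE='08 May 03 02:19:00 tcp http 7099751 7045491 676059782 4294896677
08 May 03 02:19:00 tcp http 459270 445984 46457198 255631299
08 May 03 02:19:00 udp domain 5120 5101 409600 1021400
08 May 03 02:19:00 icmp 1217 0 65362 0
08 May 03 02:19:00 icmp 22 0 1540 0'

# Helper for checking one merged counter: svc_counter "tcp http" 4
# prints counter column 4 (1..4, left to right) of the merged row for that key.
svc_counter() {
    printf '%s\n' "$SAMPLE" | consolidate_svc |
    awk -v want="$1" -v col="$2" '
        { key = $5
          for (i = 6; i <= NF - 4; i++) key = key " " $i
          if (key == want) print $(NF - 4 + col) }'
}

# Number of merged rows the sample produces.
svc_rows() {
    printf '%s\n' "$SAMPLE" | consolidate_svc | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE" | consolidate_svc
```

On a saved ramon-out.txt it is run as `consolidate_svc < ramon-out.txt`. When sorting the result with `sort -rn -k N`, remember that icmp rows have one field fewer than tcp/udp rows, so a fixed column number lands on a different counter for the two kinds; sort only one kind at a time, or count columns from the end as the helper does.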
