Breaking down selected traffic

Carter Bullard carter at
Fri May 9 11:53:59 EDT 2003

Hey Andrew,
   A description of what ramon() does may be in order,
as it's possible that you will want to use ragator()
in conjunction with rasort() to get what you want, rather
than ramon().

   Ramon() is a special case of ragator(), that is
designed to provide link oriented statistics, rather
than service/transaction oriented stats.  A service
has a source (client/initiator) and a destination
(server/receiver), where a link has In packets
and Out packets.  These concepts are not at all the
same and so ramon() tries to do the conversion, then
report using classic TopN or Matrix reporting styles
used by RMON, thus the ramon() name.

   So, what does this mean?  It means that ramon()
is doing funky aggregation to report on host oriented
link stats.  Now, what you're doing doesn't need this
type of processing, because argus data is already
service oriented.

   For you, aggregating, sorting and then printing the
appropriate columns would generate the same data.  First
you will want to "correct" any flow identifier issues
that may exist in the data with a default pass of ragator().
Then you will want to aggregate the corrected data by
blowing away all flow identifiers except the protocol (tcp/udp)
and the dport.  Then you will want to sort the output using
your metric of interest, and finally you'll want to print the
fields of interest, and get the column labels.
   ragator -r data -w - - tcp or udp | ragator -f dport.conf -w - | \
      rasort -M bytes -w - | ra -s dport pkts bytes

where "dport.conf" is simply:

   Flow  100 ip     *        *     *    *   *    200  0  0
   Model 200 ip  yes  no  yes

Now if you want to break it down to a better granularity,
such as dst net number, you make the changes to the
ragator() configuration file, and change the call to ra()
to print out the fields you want.  This way you can
guarantee that you'll get the correct values.


> -----Original Message-----
> From: owner-argus-info at 
> [mailto:owner-argus-info at] On Behalf Of 
> Andrew Pollock
> Sent: Thursday, May 08, 2003 9:57 PM
> To: Carter Bullard
> Cc: argus-info at
> Subject: Re: Breaking down selected traffic
> On Mon, May 05, 2003 at 09:29:00AM -0400, Carter Bullard wrote:
> > Hey Andrew,
> >    All things are possible, but we may have to make a
> > slight change.  The problem is that your filter is
> > being applied to the input as well as the output, and
> > you are filtering out the results.
> > 
> >    This is done because of the way that ramon works,
> > and is somewhat unavoidable for most uses of ramon.
> > If you were to do this:
> > 
> >    ra -r argus.log -w - - net x.y.z/24 | ramon -M svc net/24
> I get results, yes, but I'm not sure they're the ones I'm after.
> I produce a total figure by going
> ramon -w - -M TopN -M Net/24 -r argus.log - net x.y.z/24 | racount
> I want to break that total down to say what it's composed of, so I go
> ra -r argus.log -w - - net x.y.z/24 | ramon -M svc -M net/24
> If I then go and total up the in and outs from the above command, it 
> doesn't match the totals from the top command.
> Andrew
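The two views Carter contrasts above (service-oriented records aggregated on proto+dport, versus per-host In/Out link statistics) modelled in Python. This is an added illustration written for this page, not argus code and not a reimplementation of ragator() or ramon(): the record list `FLOWS`, the addresses in it, and the functions `aggregate`, `report`, `link_view` and `link_total` are all assumptions constructed for the example. It shows why a total computed from per-host In/Out counters does not line up one-for-one with the service-oriented total unless the filter is applied so that each flow is counted on exactly one side.

```python
"""Service-oriented vs. link-oriented aggregation of flow records.

Added illustration, not argus code: it mimics in plain Python the
pipeline described in the message (collapse flow identifiers down to
proto+dport, sort on a metric, print chosen fields) and a per-host
In/Out "link" view, to show why totals from the two views differ.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records (service oriented, like argus output):
# proto, saddr, sport, daddr, dport, spkts, dpkts, sbytes, dbytes
FLOWS = [
    ("tcp", "10.1.1.5",   40001, "192.0.2.10", 80,  12, 10, 1800,  9000),
    ("tcp", "10.1.1.6",   40002, "192.0.2.10", 80,   8,  7, 1200,  6400),
    ("tcp", "10.1.1.5",   40003, "192.0.2.20", 443, 20, 18, 3000, 15000),
    ("udp", "10.1.1.7",   53001, "192.0.2.53", 53,   1,  1,   70,   300),
    ("udp", "10.1.1.5",   53002, "192.0.2.53", 53,   2,  2,  140,   600),
    ("tcp", "192.0.2.10", 40004, "10.1.1.5",   22,   5,  5,  900,   700),
]

IDENT = ("proto", "saddr", "sport", "daddr", "dport")


def aggregate(flows, keep=("proto", "dport")):
    """ragator-style merge (assumed model): drop every flow identifier
    not in `keep`, so records that collapse onto the same key have
    their packet and byte counters summed."""
    sums = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for rec in flows:
        ident = dict(zip(IDENT, rec[:5]))
        key = tuple(ident[f] for f in keep)
        spkts, dpkts, sbytes, dbytes = rec[5:]
        sums[key]["pkts"] += spkts + dpkts
        sums[key]["bytes"] += sbytes + dbytes
    return dict(sums)


def report(flows, keep=("proto", "dport"), metric="bytes"):
    """rasort/ra stand-in: rows (key, pkts, bytes) sorted descending on metric."""
    agg = aggregate(flows, keep)
    return sorted(((k, v["pkts"], v["bytes"]) for k, v in agg.items()),
                  key=lambda row: row[2] if metric == "bytes" else row[1],
                  reverse=True)


def link_view(flows):
    """Per-host In/Out byte counters, the link-oriented shape of RMON
    style reporting. Each service record contributes to BOTH of its
    endpoints, so every flow's bytes appear twice across this view."""
    hosts = defaultdict(lambda: {"in": 0, "out": 0})
    for _, saddr, _, daddr, _, _, _, sbytes, dbytes in flows:
        hosts[saddr]["out"] += sbytes
        hosts[saddr]["in"] += dbytes
        hosts[daddr]["out"] += dbytes
        hosts[daddr]["in"] += sbytes
    return dict(hosts)


def link_total(hosts, net=None):
    """Sum In+Out over hosts, optionally only hosts inside `net`
    (a filter applied to the converted output, as in the thread)."""
    netobj = ipaddress.ip_network(net) if net else None
    return sum(v["in"] + v["out"] for h, v in hosts.items()
               if netobj is None or ipaddress.ip_address(h) in netobj)


if __name__ == "__main__":
    print("%-5s %-6s %6s %8s" % ("proto", "dport", "pkts", "bytes"))
    for (proto, dport), pkts, nbytes in report(FLOWS):
        print("%-5s %-6d %6d %8d" % (proto, dport, pkts, nbytes))
    hosts = link_view(FLOWS)
    print("service bytes:", sum(r[2] for r in report(FLOWS)))
    print("link bytes, all hosts:", link_total(hosts))
    print("link bytes, 10.1.1.0/24 only:", link_total(hosts, "10.1.1.0/24"))
```

With the sample records every flow has exactly one endpoint in 10.1.1.0/24, so restricting the link view to that net recovers the service-oriented total; summing In+Out over all hosts counts each flow twice. A flow with both ends inside the filtered net, or a filter applied before the conversion as well as after it, would break that equality again.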
