ramon -M HostSvc

Carter Bullard carter at qosient.com
Wed Oct 1 23:49:03 EDT 2003


Hey Andrew,
   Sorry for the delay, I've been traveling quite a bit, and
now am just back in NYC.  No, you should just choose the
HostSvc option.  With this keyword it will set the TopN style
of counting on automatically.  So this is not really too
complicated; the real issue is to get the right ports for the
service part of the equation.  You should be working with
well-formed bidirectional records, so the ephemeral ports will be
tagged as the source port.  So how does the raw argus data
look?  Do you run it through ragator() first?  That may be
required to get all the records correlated.

   There is a hidden option that may help here as well, the
-V option (validated), which will exclude records
where the service port is not reliable.  Try running your data
through ragator() then use ramon -VM hostsvc to see if the
data doesn't calm down a bit.

Carter




> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Andrew Pollock
> Sent: Sunday, September 28, 2003 11:59 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Re: ramon -M HostSvc
>
>
> Hi Carter,
>
> Have you had a chance to think about this at all?
>
> As it turns out, I'm not the only one trying to do this sort of a
> breakdown of information, I've had another user contact me privately in
> response to this particular email...
>
> Hope you are well.
>
> regards
>
> Andrew
>
> On Mon, Sep 15, 2003 at 01:34:29PM +1000, Andrew Pollock wrote:
> > Hi Carter,
> >
> > I'm playing with the new -M HostSvc option for ramon, and trying to work
> > out how best to use it to provide the breakdown for the billing totals I
> > produce with ramon -M TopN...
> >
> > So far, the breakdown I have seems to involve showing only the outbound
> > half of the flow, i.e. for a bunch of webservers, I get a Dport column
> > that has a whole pile of ephemeral ports for what would have been the
> > reply traffic going back to the webservers' clients. As we charge for
> > inbound, we're more interested in a breakdown of the inbound traffic.
> > Obviously for a webserver, it's mainly going to show how much went to port
> > 80 or 443, but this is more what we're after.
> >
> > I'm currently invoking ramon the same way as I do to produce the billing
> > total, with an additional -M HostSvc option. Is this correct, or should I
> > be substituting the TopN for the HostSvc?
> >
> > regards
> >
> > Andrew
>





