Racount question
Carter Bullard
carter at qosient.com
Thu Oct 2 00:17:19 EDT 2003
Hey Geoff,
Hmmmm, a few things. You should be getting labels, if not, try
the '-L 0' option. That should give you at least one label. I set
the RA_PRINT_LABELS variable in my .rarc file to 0, which will cause
it to write out one label as the first record.
ramon() does a lot of wildcarding, and so when you are doing service
accounting using '-M svc', there are no host addresses to filter, as
they have been stripped out. If you want the aggregated output
that '-M svc' provides but you want to filter on fields that are
removed, try a ra() based pre-filter:
ra -r file -w - - host x.y.z.w | ramon -M svc
that will give you the service style counts but on a host basis.
With filters like "net x.y and net y.z" you can get service
matrix counts, which can be very useful.
If on the other hand you want host specific service accounting,
try the '-M hostsvc' mode. Because an address is preserved,
host and port oriented filtering is available.
Hope this helps!!
Carter
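An added illustration, not argus code, of the point above: once '-M svc' has wildcarded the addresses a host filter has nothing to match, whereas an ra-style pre-filter followed by svc aggregation gives per-host service counts. The flow records are constructed, and the hostsvc variant assumes the source address is the one preserved.

```python
# Added example (not part of argus); models the ordering problem Carter describes.
from collections import defaultdict

# Constructed flow records: (src, dst, proto, service, pkts, bytes).
FLOWS = [
    ("192.168.135.10", "198.51.100.7", "tcp", "http", 120, 96000),
    ("192.168.135.11", "198.51.100.7", "tcp", "http", 30, 18000),
    ("192.168.135.10", "198.51.100.9", "tcp", "smtp", 12, 5400),
    ("192.168.135.12", "203.0.113.4", "udp", "domain", 8, 1024),
]


def host_filter(flows, host):
    """Model of the ra filter '- host x.y.z.w': keep flows with host as src or dst."""
    return [f for f in flows if host in (f[0], f[1])]


def aggregate_svc(flows):
    """'-M svc' style: drop addresses, sum pkts/bytes per (proto, service)."""
    totals = defaultdict(lambda: [0, 0])
    for _src, _dst, proto, svc, pkts, nbytes in flows:
        totals[(proto, svc)][0] += pkts
        totals[(proto, svc)][1] += nbytes
    return {key: tuple(val) for key, val in totals.items()}


def aggregate_hostsvc(flows):
    """'-M hostsvc' style; assumption: the source address is the one kept."""
    totals = defaultdict(lambda: [0, 0])
    for src, _dst, proto, svc, pkts, nbytes in flows:
        totals[(src, proto, svc)][0] += pkts
        totals[(src, proto, svc)][1] += nbytes
    return {key: tuple(val) for key, val in totals.items()}


def svc_then_filter(flows, host):
    """Filter after aggregation: records carry no address, so nothing matches."""
    aggregated = aggregate_svc(flows)
    return {key: val for key, val in aggregated.items() if host in key}


def filter_then_svc(flows, host):
    """The 'ra -r file -w - - host h | ramon -M svc' pipeline: filter first."""
    return aggregate_svc(host_filter(flows, host))


if __name__ == "__main__":
    print("svc then filter:", svc_then_filter(FLOWS, "192.168.135.10"))
    print("filter then svc:", filter_then_svc(FLOWS, "192.168.135.10"))
    print("hostsvc:", aggregate_hostsvc(FLOWS))
```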
> -----Original Message-----
> From: Geoff Powell [mailto:geoff at lanrex.net.au]
> Sent: Friday, September 26, 2003 8:46 PM
> To: carter at qosient.com
> Subject: RE: Racount question
>
>
> G'day Carter, thanks for replying to my questions.
>
> Ramon looks like the client I require for this particular
> task, however
> I am having a bit of trouble understanding the correct way to use it.
>
> I took an argus data file from a Linux gateway:
>
> # ramon -M svc -r internal.out
>
> I understand that with no filters the ramon will show
> incoming/outgoing
> counts for all services on any host as seen by this interface. This
> makes sense to me. A snippet:
>
> 03-09-25 tcp http 1708408 1815809 323162316 1837812816
> 03-09-25 tcp smtp 313554 270992 319065173 18037870
> 03-09-25 icmp 395661 74176 41712264 7809308
> 03-09-25 udp domain 224852 158857 18673200 29752803
> 03-09-25 gre 133705 133399 27222606 43854424
> 03-09-25 tcp pop3 105709 136820 6574072 62660048
> 03-09-25 icmp 241682 0 31799874 0
> 03-09-26 tcp 3389 60591 58809 7961429 20072312
> 03-09-25 tcp https 49499 31355 7588613 21249379
> 03-09-26 tcp ssh 27419 46602 1775125 65338877
> 03-09-25 udp hsrp 46725 0 2890748 0
> 03-09-25 llc null 43062 0 2583720 0
> 03-09-26 tcp telnet 17754 15485 1080672 4102240
>
> So, if ramon supports ra filters, I should be able to use the
> following
> command to find data traffic counts for just host a.b.c.d?
>
> # ramon -M svc -r internal.out - host a.b.c.d
>
> However this command gave me no output, I was just returned
> to my shell
> prompt. I also tried other hosts that I am certain have httpd service
> usage - they returned no output.
>
> I tried searching for just port 80 traffic, which worked a treat
>
> # ramon -M svc -r internal.out - port 80
> 03-09-25 tcp http 1708408 1815809 323162316 1837812816
> 03-09-26 udp http 2 0 2162 0
>
> What am I doing wrong?
>
> One other question: the RAMON2 style reports, what are the fields?
>
> 03-09-25 tcp http 1708408 1815809 323162316 1837812816
>
> Obviously 03-09-25 is date, tcp is the ip proto, http is the
> /etc/protocols value for the service, how about the last 4?
>
> Thanks a lot, I really appreciate your time.
>
> Regards,
> Geoff
>
> > -----Original Message-----
> > From: Carter Bullard [mailto:carter at qosient.com]
> > Sent: Saturday, September 27, 2003 9:04 AM
> > To: 'Geoff Powell'; argus-info at lists.andrew.cmu.edu
> > Subject: RE: Racount question
> >
> > Hey Geoff,
> > One thing to consider is that by asking for net x.y.z.w/mask
> > you are implicitly filtering for just ip traffic. Does:
> >
> > racount -r external.out - ip
> >
> > return the same counts? Use ramon() to give you in and out
> > counts for addresses, ports whatever.
> >
> > Carter
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: owner-argus-info at lists.andrew.cmu.edu
> > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> > > Geoff Powell
> > > Sent: Thursday, September 25, 2003 3:49 AM
> > > To: argus-info at lists.andrew.cmu.edu
> > > Subject: Racount question
> > >
> > >
> > >
> > > Hello everyone,
> > >
> > > I'm trying to use the racount Argus utility to get traffic
> > > usage for data
> > > passing through a Linux gateway to the Internet to/from a LAN. I have
> > > argus data files for the Internal eth interface (in my
> > > example internal.out)
> > > and also the External eth interface (external.out)
> > >
> > > If my internal network is 192.168.135.0/24, the gateway's ip
> > > address is
> > > 192.168.135.5 and the external Internet ip address of the gateway is
> > > 198.198.198.198:
> > >
> > > # racount -r external.out - net 198.198.198.198/32
> > > racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
> > > sum 5348 466191 88328 377863 72556371 28750397 43805974
> > >
> > > # racount -r external.out - net 192.168.135.0/24
> > > racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
> > > sum 1819 499867 499867 0 32676555 32676555 0
> > >
> > > # racount -r external.out
> > > racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
> > > sum 7490 966484 588195 378289 105257690 61426952 43830738
> > >
> > > I was expecting the filter on 198.198.198.198 to return all
> > > data because
> > > that is the ip address of the interface. However I have
> > > learnt that if
> > > someone accesses a computer on the LAN through a port
> > > forwarding rule or
> > > NAT, the above commands would not account for the data as the
> > > dst or src
> > > ip is not 198.198.198.198 but probably 192.168.135.x.
> > >
> > > I know that if I use no filters with racount, I can get the
> > > total srcbytes
> > > and dstbytes for the external or internal interface, but I can not
> > > tell if it is outgoing or incoming - I would use src net and dst net filters
> > >
> > > Any suggestions or comments?
> > >
> > > Thanks in advance
> > >
> > > Regards,
> > > Geoff (geoff at lanrex.net.au)