Racount question

Carter Bullard carter at qosient.com
Fri Sep 26 19:04:19 EDT 2003 

Hey Geoff,
   One thing to consider is that by asking for net x.y.z.w/mask
you are implicitly filtering for just ip traffic.  Does:

   racount -r external.out - ip

return the same counts?  Use ramon() to give you in and out
counts for addresses, ports whatever.

Carter




> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Geoff Powell
> Sent: Thursday, September 25, 2003 3:49 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Racount question
>
>
>
> Hello everyone,
>
> I'm trying to use the racount Argus utility to get traffic
> usage for data
> passing through a Linux gateway to the Internet to/from a LAN. I have
> argus data files for the Internal eth interface (in my
> example internal.out)
> and also the External eth interface (external.out)
>
> If my internal network is 192.168.135.0/24, the gateway's ip
> address is
> 192.168.135.5 and the external Internet ip address of the gateway is
> 198.198.198.198:
>
> # racount -r external.out - net 198.198.198.198/32
> racount    records       total_pkts         src_pkts
> dst_pkts
> total_bytes        src_bytes        dst_bytes
>     sum       5348           466191            88328
>  377863
> 72556371         28750397         43805974
>
> # racount -r external.out - net 192.168.135.0/24
> racount    records       total_pkts         src_pkts
> dst_pkts
> total_bytes        src_bytes        dst_bytes
>     sum       1819           499867           499867
>       0
> 32676555         32676555                0
>
> # racount -r external.out
> racount    records       total_pkts         src_pkts
> dst_pkts
> total_bytes        src_bytes        dst_bytes
>     sum       7490           966484           588195
>  378289
> 105257690         61426952         43830738
>
> I was expecting the filter on 198.198.198.198 to return all
> data because
> that is the ip address of the interface. However I have
> learnt that if
> someone accesses a computer on the LAN through a port
> forwarding rule or
> NAT, the above commands would not account for the data as the
> dst or src
> ip is not 198.198.198.198 but probably 192.168.135.x.
>
> I know that if I use no filters with racount, I can get the
> total srcbytes
> and dstbytes for the external or internal interface, but I can not
> tell if it is outgoing or incoming - I would use src net and dst net
> filters
>
> Any suggestions or comments?
>
> Thanks in advance
>
> Regards,
> Geoff (geoff at lanrex.net.au)
>
>
>

More information about the argus mailing list