[ARGUS] Question about Traffic Accounting and Argus

Rene Heinze rhe at hup.de
Fri Apr 23 06:26:40 EDT 2004 

Hello,

I downloaded an installed Argus to a linux based Server.
The topologie of the network is shown below:

             Switch                    Switch
+-------+                +-------+                +-------+     
|       |     +---+      |       |      +---+     |       |      +---+    
+       +-----+   +------+       +------+   +-----+       
+------+   +----- > WWW
|       |     +---+      |       |      +---+     |       |      +---+    
+-------+                +-------+                +-------+
Corporate                 Internal                 External      ISP Access
Workstation               Firewall                 Firewall      Router

|---------LAN-------------------||-------------------DMZ--------------------||--------ISP------------------> 
                    

My goal is to achive complete traffic accouting and monitoring about the 
outgoing and incoming traffic between the LAN and the ISP.
At the end of each week or month I would like to have a report where I 
can see which host (LAN IP Adress)  used  which amound of traffic. And I 
would like to be able to split that traffic for each IP into the 
services used (HTTP, FTP ...). I think that can be achived by reporting 
what port each host used. I know that some tools use ports they should 
not (e.g. Mediaplayer can be used to stream with dest. port 80), but  
for my needs thats ok.

I startet Argus with:
argus -d -e 194.77.59.120 -i eth1 -w /tmp/arguslos

194.77.59.120 is the internal IP (LAN IP) from the Internal Firewall. 
And eth1 is the internal NIC from the Internal Firewall.

then I took a look at the log with
ra -r /tmp/arguslos

23 Apr 04 11:24:57    man version=2.0     
probeid=DMZ-BLN-02.loca                         STA
23 Apr 04 11:25:02    tcp    64.12.25.148.aol          <?>      
194.77.59.27.bbn-mmc      TIM
23 Apr 04 11:25:02    tcp    64.12.26.102.aol          <?>      
194.77.59.23.oracle-em1   TIM
23 Apr 04 11:25:02    tcp    194.77.59.32.1118         <?>      
64.12.31.108.aol          TIM

after that I played a bit with statistic funktions
ramon -M TopN -N 25 -r /tmp/arguslos

23 Apr 04 11:24:57     ip    194.77.59.20                 CON
23 Apr 04 11:24:57     ip     google.de                 CON
23 Apr 04 11:25:03     ip    194.77.59.25                 TIM
23 Apr 04 11:29:05     ip    dict.leo.org                 CON
23 Apr 04 11:29:52     ip    194.77.59.72                 TIM

ramon -M Matrix -N 25 -r /tmp/arguslos

23 Apr 04 11:30:12     ip    194.77.59.72              <->      
dict.leo.org              CON
23 Apr 04 11:24:57     ip p508401f0.dip0.              <->      
194.77.59.36              CON

Here I´m stucked. I do not know with what i should continue..

Please Help.

Greetings
René H.

More information about the argus mailing list