[ARGUS] Question about Traffic Accounting and Argus

Peter Van Epp vanepp at sfu.ca
Fri Apr 23 11:29:22 EDT 2004 

On Fri, Apr 23, 2004 at 12:26:40PM +0200, Rene Heinze wrote:
> Hello,
> 
> I downloaded an installed Argus to a linux based Server.
> The topologie of the network is shown below:
> 
>             Switch                    Switch
> +-------+                +-------+                +-------+     
> |       |     +---+      |       |      +---+     |       |      +---+    
> +       +-----+   +------+       +------+   +-----+       
> +------+   +----- > WWW
> |       |     +---+      |       |      +---+     |       |      +---+    
> +-------+                +-------+                +-------+
> Corporate                 Internal                 External      ISP Access
> Workstation               Firewall                 Firewall      Router
> 
> |---------LAN-------------------||-------------------DMZ--------------------||--------ISP------------------> 
>                    
> 
> My goal is to achive complete traffic accouting and monitoring about the 
> outgoing and incoming traffic between the LAN and the ISP.
> At the end of each week or month I would like to have a report where I 
> can see which host (LAN IP Adress)  used  which amound of traffic. And I 
> would like to be able to split that traffic for each IP into the 
> services used (HTTP, FTP ...). I think that can be achived by reporting 
> what port each host used. I know that some tools use ports they should 
> not (e.g. Mediaplayer can be used to stream with dest. port 80), but  
> for my needs thats ok.
> 

	I have a set of messy and site specific  perl scripts that take 2.0.x 
ra output and generate a report like the one below sorted by traffic volume by 
host and then by traffic volume by source host per port number. You are welcome 
to a copy to hack up if it does what you want. Note as it stands it uses
argus's view of connection direction which isn't necessarily what the wire
sees. Getting the data out of argus archive is currently a manual operation
but I'm poking at Russell's Archive module in watcher to be able to hopefully
get that better automated. It also tends to run out of memory on a busy link
or over a long time interval.

unfiltered.pl argus.out > t

Start time Fri Apr 23  7:59:59 2004 to Fri Apr 23  8:09:45 2004
Total traffic: 761,761,878 total src: 178,172,771 total dst: 583,589,107
        Total TS traffic: 23,507,178
        Total Wireless traffic 716,531
        Total lib pub traffic 23,129
            
142.58.xxx.yy   total traffic: 245,509,994
            220.56.56.88    142.58.xxx.yy     80       2,541,611      60,116,421
          218.164.145.35    142.58.xxx.yy     80       1,100,985      44,518,861
          203.218.28.120    142.58.xxx.yy     80         483,164      18,342,807
           146.29.105.57    142.58.xxx.yy     80         333,041      15,047,891
          211.74.222.248    142.58.xxx.yy     80         258,188      10,204,247
          219.78.202.253    142.58.xxx.yy     80         100,499       3,406,084
          216.232.59.193    142.58.xxx.yy     80          61,850       3,111,743...

           
220.56.56.88    total traffic: 62,658,032
            220.56.56.88    142.58.xxx.yy     80       2,541,611      60,116,421
          
            
142.58.xxx.z    total traffic: 55,546,317
            24.82.28.126     142.58.xxx.z    443         696,166      12,152,418
           142.173.34.64     142.58.xxx.z    443         288,135       4,977,187
            66.183.23.84     142.58.xxx.z    443         117,170       2,707,073
         206.116.212.119     142.58.xxx.z    443          68,737         697,151
            24.84.82.255     142.58.xxx.z    443          28,776         660,401
          64.114.202.253     142.58.xxx.z    443          68,042         499,286
           24.80.159.201     142.58.xxx.z    443          50,907         512,596...

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list