Flows question

Mahlon E. Smith mahlon at martini.nu
Mon Feb 16 13:57:45 EST 2004 

Hello Argus crew!

I'm attempting to convert a rrdtool/ipfm graphing script over to use
just ragator output.  Currently logging input/output data every minute
to an rrdfile per host, and generating the rrd graphs from that.

So, to have this working using ragator instead, I'm starting argus
with -S30, and using this command line...

% ragator -f flowfile -ncS localhost - not arp and not icmp

...this flowfile:

Flow  100 * 192.168.72.0:24 * * * 200 60
Flow  102 * * * * * 300  0
Model 200 0.0.0.0 255.255.255.255 no no no
Model 300 0.0.0.0 0.0.0.0 no no no

...which produces this output:

16 Feb 04 10:31:53 ip 0.0.0.0 <-> 192.168.72.20  98   98   7632  12664   CON
16 Feb 04 10:31:54 ip 0.0.0.0 <-> 192.168.72.3   27   21   2200  2987    CON
16 Feb 04 10:31:54 ip 0.0.0.0 <-> 192.168.72.2   43   34   3493  4852    CON
16 Feb 04 10:31:55 ip 0.0.0.0 <-> 192.168.72.26  85   87   6211  32920   CON
16 Feb 04 10:32:00 ip 0.0.0.0 <-> 192.168.72.60  35   26   8033  2161    CON
16 Feb 04 10:31:54 ip 0.0.0.0 <-> 192.168.72.32  129  115  1417  60688   CON
... etc

Outputting individual host totals at roughly 1 min intervals.
That part is working nicely.

What I'd like to have in addition is a global total per min.  I've
tried quite a few varations of the flows file, and can't quite seem to
get the desired output.  Looking for something like:

16 Feb 04 10:31:54 ip 0.0.0.0 <-> 192.168.72.0  129  115  total_src total_dst   CON
or 
16 Feb 04 10:31:54 ip 0.0.0.0 <-> 0.0.0.0  129  115  total_src total_dst   CON

Tried flow models like such:
Model 201  0.0.0.0 255.255.255.0   no no no

Which does give complete class C totals per min, but doesn't give the
individual totals.  Basiscally, whatever flow comes first does the
match, and the other is never printed.

Is there a way using flows to produce this sort of output?  Or should
I just keep track of the time in the script, keep a running total per
min myself, and quit pulling out my hair trying to make this work? :)

Thanks for any input.

-Mahlon


Mahlon E. Smith                      jabber id: mahlon at chat.martini.nu
http://www.martini.nu/             get pgp key:  mahlon-pgp at martini.nu
......................................................................
        After a number of decimal places, nobody gives a damn.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 155 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20040216/a3831b0a/attachment.sig>

More information about the argus mailing list