[ARGUS] Get active connections

StoneBeat stonebeat at ya.com
Mon Jun 28 07:03:53 EDT 2004


Yes, Andrew has it right: I want to see connections from / to all the
boxes.

Now, I'm trying:

ra -r /var/log/argus.out -t -1m  -n - proto 6 | grep -i con | wc -l

to see active TCP connections. I have two issues:

1) I'm watching a Gigabit network with so much traffic that sometimes I wait more
than 30 minutes for the command to complete.
2) I'm not sure whether the number of connections reported by this command can really
be trusted.


On Monday 28 June 2004 05:48, you wrote:
> On Mon, Jun 28, 2004 at 08:43:11AM +1000, Steve McInerney wrote:
> > It might be easier to repeatedly poll netstat with an appropriate egrep
> > to filter the traffic you wish to see?
> >
> >
> > This is one I use as a Q&D on Solaris fairly regularly:
> > netstat -an | egrep "^[^ ]+\.80.+ESTAB"
> >
> > then pipe thru "wc -l" to count. Compare with "$ALARM_LIMIT" and you're
> > away.
> > Where "80" is the port number to watch.
> >
> >
> > Perhaps it might help to further define the problem set? Are you after
> > real time or post analysis? The above is for near to real time.
> >
> >
> > HTH?
>
> That's only going to help if he wants to see the connections on the box
> itself.
>
> If he's got an Argus probe in the middle of two (or more) boxes, and he
> wants to see all the active connections, he's going to want to do something
> with Argus to see how many connections Argus is keeping track of.
>
> I wonder if ratop is the weapon of choice?
>
> Andrew
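An added illustration of why the `ra ... | grep -i con | wc -l` count above is hard to trust (this is example code, not part of the original thread or of the argus project). It assumes a simplified, constructed column layout for `ra` text output (start time, proto, src addr.port, direction, dst addr.port, packet counts, state) rather than the real format, and shows the difference between counting records and counting distinct flows: Argus emits a fresh status record for a long-lived flow at every status interval, so a single connection can appear several times in a one-minute window, and a case-insensitive `grep con` also matches non-TCP records.

```python
"""Count distinct active TCP flows from ra-style text output.

Added example, not code from the argus project or the list post. The
column layout below is a constructed approximation of `ra` output:
StartTime Proto SrcAddr.Sport Dir DstAddr.Dport SrcPkts DstPkts State
"""

# Constructed sample: the 10.0.0.5 -> 10.0.0.9:80 flow shows up in three
# status records, one flow is already in FIN, and one record is UDP.
SAMPLE = """\
07:00:01 tcp 10.0.0.5.40123 -> 10.0.0.9.80 12 10 CON
07:00:31 tcp 10.0.0.5.40123 -> 10.0.0.9.80 30 25 CON
07:01:01 tcp 10.0.0.5.40123 -> 10.0.0.9.80 44 40 CON
07:00:05 tcp 10.0.0.7.51000 -> 10.0.0.9.443 3 3 CON
07:00:09 tcp 10.0.0.8.33000 -> 10.0.0.9.80 9 9 FIN
07:00:10 udp 10.0.0.5.53001 -> 10.0.0.1.53 1 1 CON
"""


def parse(line):
    """Split one ra-style line into the fields we care about."""
    f = line.split()
    if len(f) != 8:
        return None
    return {"proto": f[1], "src": f[2], "dst": f[4], "state": f[7]}


def record_count(text):
    """What `grep -i con | wc -l` reports: matching records, not flows."""
    return sum(1 for line in text.splitlines() if "con" in line.lower())


def active_tcp_flows(text):
    """Distinct TCP flows seen in the CON state, keyed on src/dst addr.port.

    Assumption: a (src, dst) pair within the window is one connection;
    rapid port reuse would collapse two connections into one key.
    """
    flows = set()
    for line in text.splitlines():
        r = parse(line)
        if r and r["proto"] == "tcp" and r["state"] == "CON":
            flows.add((r["src"], r["dst"]))
    return len(flows)


if __name__ == "__main__":
    print("records matching 'con':", record_count(SAMPLE))
    print("distinct active TCP flows:", active_tcp_flows(SAMPLE))
```

Over the constructed sample the record count is 5 while only 2 distinct TCP flows are actually active, which is the kind of gap to expect on a busy link where many flows outlive the status interval.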
