[ARGUS] Get active connections

Peter Van Epp vanepp at sfu.ca
Mon Jun 28 11:38:08 EDT 2004


	How often are you cycling the ra log? This command will read (because
it has to) the entire argus.out file to select the last minute of data. One
solution to this would be to swap the log more often (you may also need to
turn down the reporting intervals with the -S flag to the argus daemon; I
think Carter didn't recommend less than 5 seconds for that, the default is
120 seconds as I recall).
	Another alternative would be to use the -P flag to write the data to a 
socket and use ra on another machine to read the data in real time and alarm 
when required.
	If you are on a gig link you probably want to be doing that last one
anyway because attempting to write to disk on the sensor machine has been 
known to cause packet loss. It is safer to let the sensor write the data to the
socket and then use ra to receive the data on another machine and write it 
to argus.out there (and/or process it real time by reading the socket directly).
As to verifying the output, tcpreplay and a test setup are your friends (although
not necessarily easy to achieve). Tcpreplay can play back a tcpdump file 
to the network (an isolated test network if you don't wish to cause extreme
excitement :-)) allowing you to verify that everything gets caught as expected
and possibly to figure out where it is getting lost (because you have lots of
possibilities from the span port through the interface, kernel, bpf and
finally argus :-)) if it isn't accurate. tcpreplay is available on sourceforge.
	A gig capable sniffer and a short capture (because capture buffers on 
gig sniffers aren't that large :-)) is also a possibility. You then compare
what is on the wire to what argus reported (remembering that argus is keeping
some state internally unless you shut it down to flush the buffers). I use a 
Fluke/Shomoti gig pod and Protocol Inspector that I have verified will capture 
at least 1.6 gigs FDX (1.6 because my test setup wouldn't go faster than that;
the pod may be capable of full gig both ways ...).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Mon, Jun 28, 2004 at 01:03:53PM +0200, StoneBeat wrote:
> Yes, Andrew is on the right track; I want to see connections from / to all the 
> boxes.
> 
> Now, I'm trying:
> 
> ra -r /var/log/argus.out -t -1m  -n - proto 6 | grep -i con | wc -l
> 
> to see TCP active connections. I have two issues:
> 
> 1) I'm watching a Gigabit network with so much traffic that sometimes I wait more 
> than 30 minutes for the command to complete
> 2) I'm not sure if the number of connections reported by this command can really 
> be trusted
> 
> 
> On Monday, 28 June 2004 05:48, you wrote:
> > On Mon, Jun 28, 2004 at 08:43:11AM +1000, Steve McInerney wrote:
> > > It might be easier to repeatedly poll netstat with an appropriate egrep
> > > to filter the traffic you wish to see?
> > >
> > >
> > > This is one I use as a Q&D on Solaris fairly regularly:
> > > netstat -an | egrep "^[^ ]+\.80.+ESTAB"
> > >
> > > then pipe through "wc -l" to count. Compare with "$ALARM_LIMIT" and you're
> > > away.
> > > Where "80" is the port number to watch.
> > >
> > >
> > > Perhaps it might help to further define the problem set? Are you after
> > > real time or post analysis? The above is for near to real time.
> > >
> > >
> > > HTH?
> >
> > That's only going to help if he wants to see the connections on the box
> > itself.
> >
> > If he's got an Argus probe in the middle of two (or more) boxes, and he
> > wants to see all the active connections, he's going to want to do something
> > with Argus to see how many connections Argus is keeping track of.
> >
> > I wonder if ratop is the weapon of choice?
> >
> > Andrew
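The thread's pipeline (`ra ... | grep -i con | wc -l`) counts output lines, but argus emits a status record for a long-lived flow at every reporting interval (the -S setting discussed above), so one connection can be counted several times. The script below is an added example, not code from this thread or from the argus project: it parses a constructed, simplified ra-style record layout (the column order and timestamp format are assumptions, not real ra output), keeps only TCP records inside the last-minute window, dedupes by 5-tuple using the latest state seen, and compares the result with an alarm limit the way Steve's netstat check does.

```python
"""Count distinct active TCP connections from ra-style flow records.

Added example. The record layout is an ASSUMED, simplified one:
  timestamp proto src.sport dir dst.dport spkts dpkts sbytes dbytes state
Real ra output may differ; adapt parse_record() to your ra version.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts proto src sport dst dport state")

# Constructed sample records (not captured data). Flow 10.0.0.5:40123 appears
# twice because a long-lived flow is reported at every status interval;
# 10.0.0.2:22222 is older than the one-minute window we evaluate below.
SAMPLE_RECORDS = """\
2004-06-28T12:58:10 tcp 10.0.0.5.40123 -> 10.0.0.9.80    12 10 1200  800 CON
2004-06-28T12:59:05 tcp 10.0.0.5.40123 -> 10.0.0.9.80    40 38 5000 3900 CON
2004-06-28T12:59:20 tcp 10.0.0.6.51000 -> 10.0.0.9.443    3  2  300  200 CON
2004-06-28T12:59:30 tcp 10.0.0.7.33000 -> 10.0.0.9.80     5  4  400  300 FIN
2004-06-28T12:59:45 udp 10.0.0.8.5353  -> 10.0.0.255.5353 1  0   80    0 INT
2004-06-28T12:59:50 tcp 10.0.0.6.51001 -> 10.0.0.9.80     2  1  200  100 CON
2004-06-28T12:10:00 tcp 10.0.0.2.22222 -> 10.0.0.9.80     2  1  200  100 CON
"""


def split_addr(token):
    """'10.0.0.5.40123' -> ('10.0.0.5', 40123); the port is the last dotted field."""
    host, port = token.rsplit(".", 1)
    return host, int(port)


def parse_record(line):
    """Parse one record in the assumed layout into a Flow."""
    f = line.split()
    if len(f) != 10:
        raise ValueError("unexpected record layout: %r" % line)
    ts = datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%S")
    src, sport = split_addr(f[2])
    dst, dport = split_addr(f[4])
    return Flow(ts, f[1], src, sport, dst, dport, f[9])


def naive_line_count(lines):
    """What `grep -i con | wc -l` measures: matching lines, not connections."""
    return sum(1 for line in lines if "con" in line.lower())


def active_connections(lines, now, window=timedelta(minutes=1)):
    """Return the set of TCP 5-tuples whose most recent record inside the
    window still shows state CON. Records are ordered by time first so a
    later FIN/RST for the same tuple overrides an earlier CON."""
    cutoff = now - window
    latest_state = {}
    records = sorted((parse_record(l) for l in lines if l.strip()),
                     key=lambda r: r.ts)
    for rec in records:
        if rec.proto != "tcp" or rec.ts < cutoff:
            continue
        key = (rec.src, rec.sport, rec.dst, rec.dport)
        latest_state[key] = rec.state
    return {key for key, state in latest_state.items() if state == "CON"}


def over_limit(count, limit):
    """The $ALARM_LIMIT comparison from the netstat approach."""
    return count > limit


if __name__ == "__main__":
    lines = SAMPLE_RECORDS.splitlines()
    now = datetime(2004, 6, 28, 13, 0, 0)  # constructed "current" time
    active = active_connections(lines, now)
    print("grep|wc style count:", naive_line_count(lines))  # 5 lines
    print("distinct active TCP connections in last minute:", len(active))  # 3
    print("alarm:", over_limit(len(active), 2))
```

On the sample the naive count is 5 while the deduped, windowed count is 3: the repeated status record and the stale record both inflate the line count, which is the kind of discrepancy behind the "can it be trusted" question. In a real deployment the lines would come from `ra` reading the socket the sensor writes with -P rather than from a file, so the window filter only has to cover the records that arrived recently.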
