FW: [ARGUS] Get active connections

[Carter Bullard]

Andrew is right, ratop() is the example program to try on this
point.  Do this:

   ratop -S probe:port - tcp

and watch the flows number on line 3.  It will tell you
the number of tcp flows.   if you only want "real" connections,
try

   ratop -S probe:port - tcp and con

Carter


-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of StoneBeat
Sent: Monday, June 28, 2004 7:04 AM
To: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Get active connections

Yes Andrew is in the correct way, i want to see connections from / to all
the
boxes.

Now, Im trying :

ra -r /var/log/argus.out -t -1m  -n - proto 6 | grep -i con | wc -l

to see TCP active connections. I have two issues:

1)Im watching a Gigabit network with so much traffic and sometimes i wait
more
than 30 minutes to complete the command
2)Im not sure if the number of connections reported by this command is
really
trusted


El Lunes 28 Junio 2004 05:48, escribiste:
> On Mon, Jun 28, 2004 at 08:43:11AM +1000, Steve McInerney wrote:
> > It might be easier to repeatedly poll netstat with an appropriate egrep
> > to filter the traffic you wish to see?
> >
> >
> > This is one I use as a Q&D on Solaris fairly regulary:
> > netstat -an | egrep "^[^ ]+\.80.+ESTAB"
> >
> > then pipe thru "wc -l" to count. Compare with "$ALARM_LIMIT" and you're
> > away.
> > Where "80" is the port number to watch.
> >
> >
> > Perhaps it might help to further define the problem set? Are you after
> > real time or post analysis? The above is for near to real time.
> >
> >
> > HTH?
>
> That's only going to help if he wants to see the connections on the box
> itself.
>
> If he's got an Argus probe in the middle of two (or more) boxes, and he
> wants to see all the active connections, he's going to want to do
something
> with Argus to see how many connections Argus is keeping track of.
>
> I wonder if ratop is the weapon of choice?
>
> Andrew