[ARGUS] RE:

Carter Bullard carter at qosient.com
Thu May 13 17:11:49 EDT 2004


Hey Glen,
   The output of ramon -M topn will give you a list
of IP addresses with metrics.  The source metrics are
the pkt and byte counts that were sourced by the address,
i.e. they were transmitted by the host (where the address
is the source of the traffic).  The dst metrics, in turn,
are the pkt and byte counts that were sent to that
address (where the address is the destination).

   It may be easier to digest if you were to familiarize
yourself with the data that is in argus.out, using
tools like ra(), ragator() and racount(), but that is
just a suggestion.


Carter
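As an added illustration of the metric semantics described above (this is not code from argus or ramon), the following Python model aggregates per-address source and destination counters from bidirectional flow records, the way a "top talkers" table can be read: an address's source bytes are what it transmitted, whether it appeared as the record's src or its dst. The record field names, the sample flows and the helper names are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    """One bidirectional flow record (assumed layout, not argus's binary format).
    s* counters are the src->dst half, d* counters the dst->src half."""
    saddr: str
    sport: int
    daddr: str
    dport: int
    spkts: int
    sbytes: int
    dpkts: int
    dbytes: int


# Constructed sample data: two web requests from a client, and one request
# made *to* that client on port 80 (so it also appears as a server).
SAMPLE_FLOWS: List[Flow] = [
    Flow("192.168.0.100", 35067, "www.google.com", 80, 12, 1800, 20, 24000),
    Flow("192.168.0.100", 35068, "www.google.com", 443, 8, 1200, 10, 9000),
    Flow("192.168.0.55", 40001, "192.168.0.100", 80, 5, 600, 7, 5200),
]


def per_host_metrics(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Per-address counters: src_* = transmitted by the address, dst_* = received."""
    totals: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"src_pkts": 0, "src_bytes": 0, "dst_pkts": 0, "dst_bytes": 0})
    for f in flows:
        # The record's src transmitted the src->dst half and received the dst->src half.
        totals[f.saddr]["src_pkts"] += f.spkts
        totals[f.saddr]["src_bytes"] += f.sbytes
        totals[f.saddr]["dst_pkts"] += f.dpkts
        totals[f.saddr]["dst_bytes"] += f.dbytes
        # For the record's dst the roles are mirrored.
        totals[f.daddr]["src_pkts"] += f.dpkts
        totals[f.daddr]["src_bytes"] += f.dbytes
        totals[f.daddr]["dst_pkts"] += f.spkts
        totals[f.daddr]["dst_bytes"] += f.sbytes
    return dict(totals)


def top_n(flows: List[Flow], n: int = 3, key: str = "src_bytes") -> List[Tuple[str, Dict[str, int]]]:
    """Rank addresses by one counter, e.g. who transmitted the most bytes."""
    metrics = per_host_metrics(flows)
    return sorted(metrics.items(), key=lambda kv: kv[1][key], reverse=True)[:n]


def peers(flows: List[Flow], host: str) -> Set[str]:
    """The other end of every record the host appears in (a 'who talks to whom' view)."""
    return {f.daddr if f.saddr == host else f.saddr
            for f in flows if host in (f.saddr, f.daddr)}
```

Ranking by `dst_bytes` instead of `src_bytes` picks the heaviest receiver rather than the heaviest sender, which is the distinction the question about the "source bytes column" turns on.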




-----Original Message-----
From: Glenn MacGregor [mailto:gtm at highstreetnetworks.com]
Sent: Thursday, May 13, 2004 4:35 PM
To: Carter Bullard
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] RE:

Carter,

Not sure if it is giving incorrect data, just trying to interpret the
XML data I have. I run the following commands:

ramon -M hostsvc -unnnr argus.out -w - | raxml -unnnr - > services.xml
ramon -M matrix -unnnr argus.out -w - | raxml -unnnr - > talkers.xml
ramon -M topn -unnnr argus.out -w - | raxml -unnnr - > hosts.xml

This produces 3 xml files which I process. I want to look at the
hosts.xml for instance and get the host producing the most traffic, then
go to the talkers.xml and see who that host is talking to, then go to the
services.xml and see what they are talking about. I know this seems like
a lot of work, why not just do it all with the output of ra. I thought
this would produce 3 'tables' which would be much smaller than the 1 ra
'table'.

But anyway when I am looking at the hosts.xml I see source address (no
ports, no dest address, which is expected). So on a record that has a
source address of 192.168.0.100 what is the source bytes column, bytes
going into the source or leaving the source?

    Glenn

Carter Bullard wrote:
> Hey Glen,
> No, even argus will generate only one record for the
> complete bi-directional conversation, assuming that
> it's a pretty normal http request.
>
>     192.168.0.100.35067 -> www.google.com.80
>
> if you're getting (192.168.55, 80), are you sure
> that this host isn't acting as a web server for someone?
>
> if you think that ramon is giving you erroneous data,
> try to find out if the original argus data doesn't
> explain the output.
>
> use ra to find a record that has this address,port pair
> as a part of the data:
>
>    ra -r file - \(src host 192.168.0.100 and src port 80\) or
>                 \(dst host 192.168.0.100 and dst port 80\)
>
> that should find something if ramon is reporting the address
> and that port as a pair.
>
> Carter
>
>
>
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Glenn MacGregor
> Sent: Thursday, May 13, 2004 6:49 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject:
>
> Hi All,
>
> I am using ramon -M hostsvc to figure out what services are running on my
> network. I thought this would be what I wanted but it seems the info I get
> is actually the client ip and destination port. So I see 192.168.0.55 80,
> this tells me that 192.168.0.55 is going to port 80 somewhere. Is there a
> ramon (or some other ra*) command that will tell me the destination address
> and destination port? I want this so I can see all the services in my
> network, and what servers provide those services.
>
> Also ragator, I have read the man page but am still unclear on the
> purpose. How does it merge records? If I hit a website:
>
> SrcIP            DstIP            SPort   DPort
> 192.168.0.100    www.google.com   35067   80
>
> and it responds:
>
> SrcIP            DstIP           SPort   DPort
> www.google.com   192.168.0.100   80(?)   35067
>
> With ra I will see 2 records, correct? Will ragator merge these two
> records into one?
>
>    Thanks
>
>      Glenn
>
> Glenn MacGregor
> HighStreet Networks
>
