racluster and TopN

Carter Bullard carter at qosient.com
Wed Aug 2 11:19:36 EDT 2006


Hey Joost Bijl,
     Did you send email to the list-owner to find out what happened?
Please do so, as that list is managed by CMU, not by me.

So there is a lot of new support for building TopN types of lists in
argus-3.0.   racluster() is the tool of choice, and to get the stats so
that they refer to individual objects from bi-directional data,  you use
the "-M rmon" option.   The rmon mode causes racluster() to copy and
flip all the records, so that all the bi-directional objects get
shifted into the "src" fields of all the records.  By choosing fields
with 's' at the beginning, you'll get the objects you want.   The stats
will represent the correct stats for 'in' and 'out' (that's where the
rmon comes from, IETF rmon likes the concept of in/out).

So if you want to do a topn of, what, ....,IP Addresses?   So, use the
'-M rmon' option and cluster based on the address, so that would be
'saddr'.

    racluster -r file -M rmon -m saddr - ip

If you want the stats for the DiffServ codepoints used by IP address,
try:

    racluster -r file -M rmon -m saddr sdsb - ip

This will give you aggregate stats on the address and the DSBytes
in each record.

Remember, use a filter of "ip"!!!!!!

If you have any problems with this, just holler. And thanks for the
fix!!!!!

Carter


On Aug 2, 2006, at 3:08 AM, Joost Bijl wrote:

> Hi Carter,
>
> I want to subscribe to the Argus mailing list as described on
> http://www.qosient.com/argus/mailinglists.htm. "To subscribe to the
> Argus Development Mailing list, send an email to
> majordomo at lists.andrew.cmu.edu and make sure the word "subscribe
> argus-info" is in the body of your message."
>
> When sending an email to this list I get the reply pasted below.
>
> Unfortunately it doesn't show up on
> http://thread.gmane.org/gmane.network.argus/ for reading and
> commenting. Can you help me out? Both with the mailing list problem as
> with the problem mentioned below?
>
> with regards,
> Joost Bijl
>
>
>
> You are not allowed to post to this mailing list, and your message has
> been automatically rejected.  If you think that your messages are
> being rejected in error, contact the mailing list owner at
> argus-info-owner at lists.andrew.cmu.edu.
>
> ---------- Forwarded message ----------
> From: "Joost Bijl" <joost.bijl at gmail.com>
> To: argus-info at lists.andrew.cmu.edu
> Date: Tue, 1 Aug 2006 12:32:46 +0200
> Subject: Compile issues on OpenBSD and where is ramon?
> Hi,
>
> to compile Argus on OpenBSD you have to make a minor change to the
> argus_util.c file. The declaration of ether_hostton has to be changed
> from
>
> extern int ether_hostton(const char *, struct ether_addr *);
>
> to
>
> extern int ether_hostton(char *, struct ether_addr *);
>
>
> I have a question regarding ramon. In the 2.0.6 release this was a
> handy tool to quickly view the topN IP-addresses. Is this tool merged
> into racluster and how is this used to display the same information as
> 'ramon -M TopN'?
>
> with regards,
> Joost Bijl
>
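
The copy-and-flip behaviour of "-M rmon" described in the reply above, modelled in Python as an added example. This is not code from the original post or from Argus: the flow records are constructed, only byte counters are modelled, and ranking by total bytes is an assumption made for the illustration.

```python
from collections import defaultdict

# Constructed sample flows (not real traffic); field names follow the
# Argus 's'/'d' prefix convention mentioned in the message.
FLOWS = [
    {"saddr": "10.0.0.5", "daddr": "192.0.2.10", "sbytes": 1200, "dbytes": 48000},
    {"saddr": "10.0.0.7", "daddr": "192.0.2.10", "sbytes": 800, "dbytes": 9000},
    {"saddr": "192.0.2.10", "daddr": "10.0.0.5", "sbytes": 300, "dbytes": 150},
    {"saddr": "10.0.0.5", "daddr": "198.51.100.3", "sbytes": 5000, "dbytes": 700},
]

def rmon_expand(flows):
    """Yield each record plus a flipped copy, so every endpoint shows up as saddr."""
    for f in flows:
        yield dict(f)
        yield {"saddr": f["daddr"], "daddr": f["saddr"],
               "sbytes": f["dbytes"], "dbytes": f["sbytes"]}

def cluster_by_saddr(records):
    """Aggregate on saddr. After flipping, sbytes is 'out' and dbytes is 'in'."""
    totals = defaultdict(lambda: {"out": 0, "in": 0})
    for r in records:
        totals[r["saddr"]]["out"] += r["sbytes"]
        totals[r["saddr"]]["in"] += r["dbytes"]
    return dict(totals)

def top_n(flows, n, rmon=True):
    """Return [(address, out_bytes, in_bytes)] ranked by total bytes (assumed ranking)."""
    records = rmon_expand(flows) if rmon else flows
    totals = cluster_by_saddr(records)
    ranked = sorted(totals.items(),
                    key=lambda kv: kv[1]["out"] + kv[1]["in"], reverse=True)
    return [(addr, t["out"], t["in"]) for addr, t in ranked[:n]]

if __name__ == "__main__":
    for label, mode in (("with rmon", True), ("without rmon", False)):
        print(label)
        for addr, out_b, in_b in top_n(FLOWS, 4, rmon=mode):
            print(f"  {addr:15} out={out_b:6} in={in_b:6}")
```

Without the flip, 192.0.2.10 is counted only for the one flow it initiated and 198.51.100.3 never appears, so a per-host ranking built from unflipped records undercounts hosts that mostly receive connections.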



