Fwd: racluster and TopN

Joost Bijl joost.bijl at gmail.com
Fri Aug 11 10:37:03 EDT 2006


Hi Carter,

Thanks for the input

the following command seems to produce a list of top IP-addresses:

racluster -n -r /tmp/argus3.out -M rmon -m saddr -w - - ip | rasort -m bytes -w - | ra -N 20 -s saddr bytes
xx.91.214    7737970
xx.91.215    2573808
xx.0.3.46    2485971
xx.129.94    1895992
xx.210.87    1761120
xx.91.211    1230291

If I try this however with the dport field, it doesn't get printed...
Am I doing something wrong?

racluster -n -r /tmp/argus3.out -M rmon -m dport -w - - ip | rasort -m bytes -w - | ra -N 20 -s dport bytes
          5012937
          3791984
          2986378
          1761120
          1017725
           827177
           557940
           254517

with regards
Joost


---------- Forwarded message ----------
From: Carter Bullard <carter at qosient.com>
Date: Aug 7, 2006 6:10 PM
Subject: Re: racluster and TopN
To: Joost Bijl <joost.bijl at gmail.com>



Try something like this:
    racluster -M rmon -m saddr -w - - ip | ra -N 20

this will cause racluster to generate the aggregate, and
use ra to pick the first 20 output records.   If you want to sort
on something other than packets, then put rasort as a part of the
pipe:

   racluster -M rmon -m saddr -w - - ip | rasort -m whatever -w - | ra -N 20

Carter




On Aug 7, 2006, at 11:54 AM, Joost Bijl wrote:

Hi Carter,

I have been playing around with the racluster command. In the old
setup I use this command:

ra -n -r /var/log/argus/bridge0/archive/2006/08/03/* -w - | ramon -n -M TopN -N 20

to produce the top 20 users on the archive.

In Argus 3.0 this would probably be something like this:

ra -n -r racluster -r /var/log/argus/bridge0/archive/2006/08/03/* -w - - ip | racluster -M rmon -w - -s saddr | rasort -m bytes -s saddr bytes | less

How does argus 3 provide a method to only provide the top-20
IP-addresses? It looks like Argus3 does not handle the 4gb limit which
was present in Argus2? The abovementioned statement does not work for
services (i use dport for this).

Do you think this method mentioned above is correct or not?

with regards,

Joost Bijl
(the Netherlands)





On 8/2/06, Carter Bullard <carter at qosient.com> wrote:

Hey Joost Bijl,
    Did you send email to the list-owner to find out what happened?
Please do so, as that list is managed by CMU, not by me.

So there is a lot of new support for building TopN types of lists in
argus-3.0.   racluster() is the tool of choice, and to get the stats so
that they refer to individual objects from bi-directional data,  you use
the "-M rmon" option.   The rmon mode causes racluster() to copy and
flip all the records, so that all the bi-directional objects get shifted
into the "src" fields of all the records.  By choosing fields with 's' at the
beginning, you'll get the objects you want.   The stats will represent
the correct stats for 'in' and 'out' (that's where the rmon comes from,
IETF rmon likes the concept of in/out).

So if you want to do a topn of, what, ....,IP Addresses?   So, use the
'-M rmon' option and cluster based on the address, so that would be
'saddr'.

   racluster -r file -M rmon -m saddr - ip

If you want the stats for the DiffServ codepoints used by IP address,
try:

   racluster -r file -M rmon -m saddr sdsb - ip

This will give you aggregate stats on the address and the DSBytes
in each record.

Remember, use a filter of "ip"!!!!!!

If you have any problems with this, just holler. And thanks for the fix!!!!!

Carter
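To make Carter's description of "-M rmon" concrete, here is an added example (not part of the thread, and not argus code) that mimics the copy-and-flip step and the saddr/sport clustering in plain Python over a handful of constructed flow records. The Flow record layout, the field names, and the byte values are all made up for illustration; the interpretation that the flipped copy swaps src/dst addresses, ports and byte counters so that every endpoint lands in the src fields is my reading of Carter's explanation, not a statement about racluster's internals. Sorting on total bytes and cutting to N reproduces what "rasort -m bytes | ra -N 20" does in the pipeline. The example also clusters on the src-side port (sport), which is what the 's'-prefix advice suggests for a per-service Top-N after the flip; the thread itself does not resolve the dport question.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One bidirectional flow record (hypothetical layout, not argus's)."""
    saddr: str
    sport: int
    daddr: str
    dport: int
    proto: str
    sbytes: int   # bytes sent from src to dst
    dbytes: int   # bytes sent from dst to src


# Constructed sample flows; values are invented for the example.
FLOWS = [
    Flow("10.0.0.5", 51000, "192.0.2.10", 80, "tcp", 1200, 48000),
    Flow("10.0.0.5", 51001, "192.0.2.20", 443, "tcp", 900, 30000),
    Flow("10.0.0.7", 52000, "192.0.2.10", 80, "tcp", 400, 12000),
    Flow("10.0.0.9", 53000, "192.0.2.30", 53, "udp", 80, 320),
]


def rmon_flip(flows):
    """Emit every record twice: as recorded, and with src/dst swapped.

    After this step each endpoint (address and port) appears in the src
    fields of some record, so clustering on an 's' field sees both sides.
    sbytes of a record are bytes the src object sent ("out"), dbytes are
    bytes it received ("in").
    """
    for f in flows:
        yield f
        yield Flow(f.daddr, f.dport, f.saddr, f.sport, f.proto, f.dbytes, f.sbytes)


def cluster(flows, keys):
    """Aggregate flipped records on the given src-side keys (like -m saddr)."""
    agg = defaultdict(lambda: {"out": 0, "in": 0})
    for f in rmon_flip(flows):
        k = tuple(getattr(f, key) for key in keys)
        agg[k]["out"] += f.sbytes
        agg[k]["in"] += f.dbytes
    return dict(agg)


def topn(flows, keys, n):
    """Return the n heaviest clusters as (key, bytes, out_bytes, in_bytes).

    bytes = out + in, i.e. all traffic involving the object, which is the
    column the rasort -m bytes step orders on.
    """
    rows = [(k, v["out"] + v["in"], v["out"], v["in"]) for k, v in cluster(flows, keys).items()]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows[:n]


def render(rows):
    """Format rows roughly like 'ra -s saddr bytes' prints them."""
    return "\n".join(f"{' '.join(map(str, k)):>16} {b:>10} {o:>10} {i:>10}" for k, b, o, i in rows)


if __name__ == "__main__":
    # Top hosts by total bytes (the -m saddr case from the thread).
    print("host             bytes        out         in")
    print(render(topn(FLOWS, ("saddr",), 20)))
    # Top ports, read from the src-side port after the flip.
    print("\nport             bytes        out         in")
    print(render(topn(FLOWS, ("sport",), 20)))
```

Run it as a script to see both tables. Note that the totals are symmetric: every flow is counted once for each of its two endpoints, so the "bytes" column for a host is the traffic in both directions, and the per-host sum over all rows is twice the bytes actually observed.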



On Aug 2, 2006, at 3:08 AM, Joost Bijl wrote:

Hi Carter,

I want to subscribe to the Argus mailing list as described on
http://www.qosient.com/argus/mailinglists.htm: "To subscribe to the
Argus Development Mailing list, send an email to
majordomo at lists.andrew.cmu.edu and make sure the word "subscribe
argus-info" is in the body of your message."

When sending an email to this list I get the reply pasted below.

Unfortunately it doesn't show up on
http://thread.gmane.org/gmane.network.argus/ for reading and
commenting. Can you help me out? Both with the mailing list problem as
with the problem mentioned below?

with regards,
Joost Bijl



You are not allowed to post to this mailing list, and your message has
been automatically rejected.  If you think that your messages are
being rejected in error, contact the mailing list owner at
argus-info-owner at lists.andrew.cmu.edu.

---------- Forwarded message ----------
From: "Joost Bijl" <joost.bijl at gmail.com>
To: argus-info at lists.andrew.cmu.edu
Date: Tue, 1 Aug 2006 12:32:46 +0200
Subject: Compile issues on OpenBSD and where is ramon?
Hi,

to compile Argus on OpenBSD you have to make a minor change to the
argus_util.c file. The declaration of ether_hostton has to be changed
from

extern int ether_hostton(const char *, struct ether_addr *);

to

extern int ether_hostton(char *, struct ether_addr *);


I have a question regarding ramon. In the 2.0.6 release this was a
handy tool to quickly view the topN IP-addresses. Is this tool merged
into racluster and how is this used to display the same information as
'ramon -M TopN'?

with regards,
Joost Bijl

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax