Fwd: racluster and TopN
VIEAU Cédric 172196
cedric.vieau at cea.fr
Fri Aug 11 10:50:52 EDT 2006
Hey Joost,
You need to add 'proto' in the list of aggregation objects when you want to aggregate on ports:
racluster -n -r /tmp/argus3.out -M rmon -m proto dport -w - - ip [...]
I've spent some time on this one before I figured it out...
Cedric
> -----Original Message-----
> From: argus-info-bounces at lists.andrew.cmu.edu
> To: argus-info at lists.andrew.cmu.edu; carter at qosient.com
> Subject: [ARGUS] Fwd: racluster and TopN
>
> Hi Carter,
>
> Thanks for the input.
>
> The following command seems to produce a list of top IP addresses:
>
> racluster -n -r /tmp/argus3.out -M rmon -m saddr -w - - ip |
> rasort -m bytes -w -| ra -N 20 -s saddr bytes
> xx.91.214 7737970
> xx.91.215 2573808
> xx.0.3.46 2485971
> xx.129.94 1895992
> xx.210.87 1761120
> xx.91.211 1230291
>
> If I try this however with the dport field, it doesn't get printed...
> Am I doing something wrong?
>
> racluster -n -r /tmp/argus3.out -M rmon -m dport -w - - ip |
> rasort -m bytes -w -| ra -N 20 -s dport bytes
> 5012937
> 3791984
> 2986378
> 1761120
> 1017725
> 827177
> 557940
> 254517
>
> With regards
> Joost
>
>