Fwd: racluster and TopN

carter at qosient.com carter at qosient.com
Fri Aug 11 12:47:18 EDT 2006


Hey Joost/Cedric,
Cedric is indeed correct, because ports really apply only to TCP, UDP, and ICMP traffic.  If you throw away this info, the printing routines don't have any idea how to decode the port values.   So, "-m proto dport" is the way to go.

But when you want direction specific data you don't want to use the '-M rmon' option, as it is designed specifically to remove direction semantics.   

For dport stats, try this:

   racluster -r file -m proto dport -w - |
   rasort -m pkts -s dport pkts

If on the other hand you want the top N ports, regardless of direction:

   racluster -r file -M rmon -m proto sport -w - |
   rasort -m pkts -s sport pkts

With the 'rmon' option, the data of interest resides in the "s(rc)" fields.
 
Hope this is helpful,

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  
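The difference Carter describes, as an added example that is not part of the thread and not argus code: a small Python model of what `racluster -m <keys>`, `-M rmon`, `rasort -m pkts` and `ra -N` do to a handful of constructed flow records. Aggregating on `dport` alone merges tcp/53 with udp/53 and leaves the printer with nothing it can decode (the blank column in Joost's output); adding `proto` restores the port labels; expanding each flow from both endpoints' point of view before keying on `proto sport` is the rmon case, where port 80 collects both directions. The record layout, `FLOWS`, `aggregate`, `rmon_expand`, `port_label` and `top_n` are all assumptions of this example.

```python
"""Added example (not argus code): models the racluster/rasort semantics
discussed in the thread on a few constructed flow records."""
from collections import defaultdict

FIELDS = {"proto": 0, "saddr": 1, "sport": 2, "daddr": 3, "dport": 4}

# Constructed flow records: (proto, saddr, sport, daddr, dport, pkts, bytes).
# The icmp record keeps type/code in the port slots; that is a modelling
# assumption standing in for the protocol-specific data argus carries there.
FLOWS = [
    ("tcp",  "10.0.0.5", 40001, "10.0.0.1", 80,    120, 150000),
    ("tcp",  "10.0.0.6", 40002, "10.0.0.1", 80,     80,  90000),
    ("udp",  "10.0.0.5", 51000, "10.0.0.2", 53,     10,   1200),
    ("tcp",  "10.0.0.7", 51001, "10.0.0.2", 53,     12,   2400),
    ("icmp", "10.0.0.8", 8,     "10.0.0.1", 0,      90,   7560),
    ("tcp",  "10.0.0.1", 80,    "10.0.0.9", 40003, 300, 400000),  # server-to-client reply
]


def aggregate(flows, keys):
    """Like 'racluster -m <keys>': group on the named fields, summing pkts and bytes."""
    totals = defaultdict(lambda: [0, 0])
    for flow in flows:
        key = tuple(flow[FIELDS[k]] for k in keys)
        totals[key][0] += flow[5]
        totals[key][1] += flow[6]
    return dict(totals)


def rmon_expand(flows):
    """Model '-M rmon': count each flow once from each endpoint's point of view,
    so direction disappears and the data of interest lands in the s* fields."""
    expanded = []
    for proto, sa, sp, da, dp, pkts, byts in flows:
        expanded.append((proto, sa, sp, da, dp, pkts, byts))
        expanded.append((proto, da, dp, sa, sp, pkts, byts))
    return expanded


def port_label(proto, port):
    """What a printer can show for a port once it knows the protocol; with no
    protocol in the key (proto is None) it prints nothing, the blank column Joost saw."""
    if proto is None:
        return ""
    if proto == "icmp":
        return f"icmp-{port}"   # decoded as type/code, not as a port number
    return str(port)


def top_n(flows, keys, n, sort_by="pkts"):
    """'rasort -m pkts' then 'ra -N n': [(port label, pkts, bytes)] for the top n groups."""
    col = 0 if sort_by == "pkts" else 1
    groups = aggregate(flows, keys)
    ranked = sorted(groups.items(), key=lambda kv: kv[1][col], reverse=True)[:n]
    rows = []
    for key, (pkts, byts) in ranked:
        named = dict(zip(keys, key))
        proto = named.get("proto")
        port = named.get("dport", named.get("sport"))
        rows.append((port_label(proto, port), pkts, byts))
    return rows


if __name__ == "__main__":
    print("dport only, no proto (port column is blank):")
    for row in top_n(FLOWS, ["dport"], 3):
        print(row)
    print("proto dport, direction-specific:")
    for row in top_n(FLOWS, ["proto", "dport"], 3):
        print(row)
    print("rmon + proto sport, top ports regardless of direction:")
    for row in top_n(rmon_expand(FLOWS), ["proto", "sport"], 3):
        print(row)
```

Note how the direction-specific `proto dport` ranking is led by the ephemeral port 40003 of a single server-to-client reply, while the rmon variant folds both directions of the HTTP traffic under port 80; that is the trade-off between the two pipelines Carter gives.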

-----Original Message-----
From: VIEAU Cédric 172196 <cedric.vieau at cea.fr>
Date: Fri, 11 Aug 2006 16:50:52 
To:"Joost Bijl" <joost.bijl at gmail.com>
Cc:argus-info at lists.andrew.cmu.edu
Subject: RE: [ARGUS] Fwd: racluster and TopN

Hey Joost,

You need to add 'proto' to the list of aggregation objects when you want to aggregate on ports:

racluster -n -r /tmp/argus3.out -M rmon -m proto dport -w - - ip [...]

I've spent some time on this one before I figured it out...

Cedric


> -----Original Message-----
> From: argus-info-bounces at lists.andrew.cmu.edu 
> To: argus-info at lists.andrew.cmu.edu; carter at qosient.com
> Subject: [ARGUS] Fwd: racluster and TopN
> 
> Hi Carter,
> 
> Thanks for the input
> 
> The following command seems to produce a list of top IP addresses:
> 
> racluster -n -r /tmp/argus3.out -M rmon -m saddr -w - - ip |  
> rasort -m bytes -w -|  ra -N 20 -s saddr bytes
> xx.91.214    7737970
> xx.91.215    2573808
> xx.0.3.46    2485971
> xx.129.94    1895992
> xx.210.87    1761120
> xx.91.211    1230291
> 
> If I try this however with the dport field, it doesn't get printed...
> Am I doing something wrong?
> 
> racluster -n -r /tmp/argus3.out -M rmon -m dport -w - - ip |  
> rasort -m bytes -w -|  ra -N 20 -s dport bytes
>           5012937
>           3791984
>           2986378
>           1761120
>           1017725
>            827177
>            557940
>            254517
> 
> With regards,
> Joost
> 
> 


