create monthly overview

Carter Bullard carter at qosient.com
Tue Jun 6 16:44:52 EDT 2006


Hey Russell and Robin,
    Yes, in fact, I gave CMU the first copy of argus-3.0 for a sanity check
on Friday.   I think it passed.  I still have some work to do on the clients,
so hopefully this week, I'll have the first round ready.

    Russell is right, ragator() is the way to do it in argus-2.0.
Because some subnets will have longer masks than others,
be sure and have a separate line to specify the mask length
for the subnets of interest.   If you need help, just holler.

    In argus-3.0, you will do this using racluster().  It is designed
to do most of what you want on the command line rather than
having to have a complex configuration file strategy like
ragator uses.  For racluster() you would do:

    racluster -M rmon -m proto saddr/16 - ip

this will read all the ip data, modifying the records to track single IP
addresses  (the '-M rmon') instead of flows, and to aggregate the
flows based on proto and CIDR address (when you use the 'rmon'
option, the unique address is in the saddr field).   There are many
options for racluster().

If you wanted different subnets to have different CIDR mask lengths,
you would do passes, one to aggregate on the IP address, and then
another pass to aggregate into the subnets of interest.   racluster()
supports a configuration file that allows you to have lots of directives.
To do this pipe two raclusters together:

    racluster -M rmon -m saddr proto -w - - ip | racluster -f conf.file

where conf.file contains lines like:
    filter="src net 10.23.0.0/16" model="proto saddr/16"
    filter="src net 10.12.0.0/16" model="proto saddr/23"
    filter=""                    model="proto saddr/24"


Hopefully I'll have argus-clients-3.0.0.rc.1 out soon enough for
you to use (maybe this week, maybe next week).   As soon as I
do that, argus-3.0 will be the version that we'll answer questions
to on the list (unless there is a compelling reason).  It will be able
to process argus-2.x data, so it should work for you.

Carter



On Jun 6, 2006, at 2:54 PM, Russell Fulton wrote:

>
>
> Robin Gruyters wrote:
>> Hi ya,
>>
>> I'm looking for a way to generate a monthly overview which contains
>> total bytes per protocol of each (sub)net range. (ragator, rmon, rsort,
>> ... ?!)
>
> ragator will do this simply set up a config file that aggregates by
> subnet and then run it over the months logs. (you may find it easier to
> do this day by day and then combine the daily files).
>
> Ah, there is one twist -- I think you will need make two passes, one
> selecting flows where your network is source and one where it is
> destination.
>
>>
>> Can anyone help me with this?
>> I'm also looking for a site which has collected all the "latest" patches
>> for argus version 2.0.6.
>>
> The only argus repository is qosient.com. Carter is polishing 3.0 at the
> moment and that will hopefully be available soon.
>
> Russell
>

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
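The two-pass racluster pipeline Carter describes (an rmon pass that turns every flow into one record per endpoint, then a config-driven pass that aggregates by protocol and a per-subnet mask length) can be checked offline with the following added example. It is not argus code and does not reproduce argus' record format or the exact byte accounting of '-M rmon'; it is a plain Python reimplementation of the aggregation logic over constructed sample flows, and it assumes that a monthly "total bytes per protocol per subnet" should charge all bytes of a flow to both endpoints' subnets, which is the source/destination twist Russell raised. The FLOWS list, the CONF list and the function names are all assumptions for illustration.

```python
"""Added example (not argus code): the aggregation done by

    racluster -M rmon -m saddr proto -w - - ip | racluster -f conf.file

reimplemented over constructed sample flows so the result can be checked."""
import ipaddress
from collections import defaultdict

# Constructed sample flow records, in the spirit of ra's default fields:
# (proto, saddr, daddr, bytes src->dst, bytes dst->src)
FLOWS = [
    ("tcp",  "10.23.4.5", "192.0.2.10", 1000, 5000),
    ("tcp",  "10.23.9.7", "192.0.2.11",  200,  800),
    ("udp",  "10.12.1.3", "192.0.2.53",   60,  300),
    ("udp",  "10.12.3.9", "192.0.2.53",   70,  330),
    ("tcp",  "10.77.0.1", "10.77.5.2",   100,  100),
    ("icmp", "10.23.0.9", "10.12.1.3",    64,   64),
]

# Constructed stand-in for conf.file: ordered (filter network, mask length).
# An empty filter matches everything, like the last line of the conf.file.
CONF = [
    ("10.23.0.0/16", 16),
    ("10.12.0.0/16", 23),
    ("",             24),
]


def rmon_pass(flows):
    """First pass ('-M rmon -m saddr proto'): one record per endpoint, with
    that endpoint's address in the saddr slot.  Assumption for this example:
    all bytes of the flow are charged to both endpoints, so traffic where the
    monitored net is the destination is counted without a second run."""
    per_addr = defaultdict(int)
    for proto, saddr, daddr, sbytes, dbytes in flows:
        total = sbytes + dbytes
        per_addr[(proto, saddr)] += total
        per_addr[(proto, daddr)] += total
    return per_addr


def choose_mask(addr, conf):
    """First matching filter line wins; its model gives the mask length."""
    ip = ipaddress.ip_address(addr)
    for net, mask in conf:
        if net == "" or ip in ipaddress.ip_network(net):
            return mask
    return None  # no line matched (cannot happen with a trailing "" filter)


def subnet_pass(per_addr, conf):
    """Second pass ('racluster -f conf.file'): aggregate by proto and CIDR,
    with the mask length chosen per address from the config."""
    per_net = defaultdict(int)
    for (proto, addr), total in per_addr.items():
        mask = choose_mask(addr, conf)
        if mask is None:
            continue
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        per_net[(proto, str(net))] += total
    return dict(per_net)


def monthly_overview(flows=FLOWS, conf=CONF):
    """Bytes per (proto, subnet) for the month, mask length per conf line."""
    return subnet_pass(rmon_pass(flows), conf)


if __name__ == "__main__":
    for (proto, net), nbytes in sorted(monthly_overview().items()):
        print(f"{proto:5} {net:18} {nbytes}")
```

Note that 10.12.1.3 and 10.12.3.9 land in different /23s, while everything under 10.23/16 collapses into one row and addresses matching no explicit filter fall through to the /24 default, which is the behaviour the ordered conf.file is meant to give.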