create monthly overview

Robin Gruyters r.gruyters at yirdis.nl
Wed Jun 7 03:02:29 EDT 2006


Thanks for the info. At this point I'd rather wait for argus v3.0. Can't
wait to dive into it! ;)

Regards,

Robin Gruyters
Network and Security Engineer
Yirdis B.V.
I: http://yirdis.com
P: +31 (0)36 5300394
F: +31 (0)36 5489119

Quoting Carter Bullard <carter at qosient.com>:

> Hey Russell and Robin,
>    Yes, in fact, I gave CMU the first copy of argus-3.0 for a sanity check
> on Friday.   I think it passed.  I still have some work to do on the clients,
> so hopefully this week, I'll have the first round ready.
>
>    Russell is right, ragator() is the way to do it in argus-2.0.
> Because some subnets will have longer masks than others,
> be sure and have a separate line to specify the mask length
> for the subnets of interest.   If you need help, just holler.
>
>    In argus-3.0, you will do this using racluster().  It is designed
> to do most of what you want on the command line rather than
> having to have a complex configuration file strategy like
> ragator uses.  For racluster() you would do:
>
>    racluster -M rmon -m proto saddr/16 - ip
>
> this will read all the ip data, modifying the records to track single IP
> addresses  (the '-M rmon') instead of flows, and to aggregate the
> flows based on proto and CIDR address (when you use the 'rmon'
> option, the unique address is in the saddr field).   There are many
> options for racluster().
>
> If you wanted different subnets to have different CIDR mask lengths,
> you would do passes, one to aggregate on the IP address, and then
> another pass to aggregate into the subnets of interest.   racluster()
> supports a configuration file that allows you to have lots of directives.
> To do this pipe two raclusters together:
>
>    racluster -M rmon -m saddr proto -w - - ip | racluster -f conf.file
>
> where conf.file contains lines like:
>    filter="src net 10.23.0.0/16" model="proto saddr/16"
>    filter="src net 10.12.0.0/16" model="proto saddr/23"
>    filter=""                                     model="proto saddr/24"
>
>
> Hopefully I'll have argus-clients-3.0.0.rc.1 out soon enough for
> you to use (maybe this week, maybe next week).   As soon as I
> do that, argus-3.0 will be the version that we'll answer questions
> to on the list (unless there is a compelling reason).  It will be able
> to process argus-2.x data, so it should work for you.
>
> Carter
>
>
>
> On Jun 6, 2006, at 2:54 PM, Russell Fulton wrote:
>
>>
>>
>> Robin Gruyters wrote:
>>> Hi ya,
>>>
>>> I'm looking for a way to generate a monthly overview which contains
>>> total bytes per protocol of each (sub)net range. (ragator, rmon, rsort,
>>> ... ?!)
>>
>> ragator will do this; simply set up a config file that aggregates by
>> subnet and then run it over the month's logs. (You may find it easier to
>> do this day by day and then combine the daily files.)
>>
>> Ah, there is one twist -- I think you will need to make two passes, one
>> selecting flows where your network is source and one where it is
>> destination.
>>
>>>
>>> Can anyone help me with this?
>>> I'm also looking for a site which has collected all the "latest" patches
>>> for argus version 2.0.6.
>>>
>> The only argus repository is qosient.com. Carter is polishing 3.0 at the
>> moment and that will hopefully be available soon.
>>
>> Russell
>>
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
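The two-pass aggregation Carter describes (collapse flows to per-host totals, then map each host into a subnet whose mask length comes from the first matching conf.file line) can be hard to picture from the command lines alone. The script below is an added example written for this page; it is not argus code and does not call racluster. It re-implements the semantics on a handful of constructed flow records: `parse_conf` reads the same `filter="..." model="..."` directives shown in the thread (only `src net` filters and `saddr/N` models are understood, an assumption for the example), `pass_one` mimics `racluster -M rmon -m saddr proto`, and `pass_two` mimics `racluster -f conf.file`. The `count_dst` switch implements Russell's twist of also crediting flows where your network is the destination.

```python
"""Toy model of the racluster two-pass monthly overview (added example, not argus code).
Pass 1: total bytes per (proto, host).  Pass 2: first matching filter line
picks the mask length; bytes are summed per (proto, subnet)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample flow records: (proto, saddr, daddr, bytes)
SAMPLE_FLOWS = [
    ("tcp", "10.23.4.7", "192.0.2.10", 1500),
    ("tcp", "10.23.9.1", "192.0.2.11", 500),
    ("udp", "10.12.1.5", "192.0.2.12", 300),
    ("udp", "10.12.3.9", "192.0.2.12", 700),
    ("tcp", "172.16.5.5", "192.0.2.13", 100),
    ("tcp", "192.0.2.10", "10.23.4.7", 2000),   # return traffic into 10.23/16
]

# Same directives as the conf.file in the thread; an empty filter is the catch-all.
CONF_TEXT = '''
filter="src net 10.23.0.0/16" model="proto saddr/16"
filter="src net 10.12.0.0/16" model="proto saddr/23"
filter=""                     model="proto saddr/24"
'''

RULE_RE = re.compile(r'filter="([^"]*)"\s+model="([^"]*)"')


def parse_conf(text):
    """Return [(network or None for catch-all, mask_len)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable directive: {line!r}")
        filt, model = m.groups()
        net = None
        if filt:
            tokens = filt.split()
            if len(tokens) != 3 or tokens[:2] != ["src", "net"]:
                raise ValueError(f"only 'src net <cidr>' filters are modelled: {filt!r}")
            net = ipaddress.ip_network(tokens[2], strict=False)
        mask = re.search(r"saddr/(\d+)", model)
        if not mask:
            raise ValueError(f"model needs saddr/<len>: {model!r}")
        rules.append((net, int(mask.group(1))))
    return rules


def pass_one(flows, count_dst=False):
    """Like 'racluster -M rmon -m saddr proto': bytes per (proto, host)."""
    totals = defaultdict(int)
    for proto, saddr, daddr, nbytes in flows:
        totals[(proto, saddr)] += nbytes
        if count_dst:                      # Russell's second pass, folded in
            totals[(proto, daddr)] += nbytes
    return totals


def pass_two(host_totals, rules):
    """Like 'racluster -f conf.file': first matching filter sets the mask length."""
    out = defaultdict(int)
    for (proto, host), nbytes in host_totals.items():
        addr = ipaddress.ip_address(host)
        for net, mask_len in rules:
            if net is None or addr in net:
                subnet = ipaddress.ip_network(f"{host}/{mask_len}", strict=False)
                out[(proto, str(subnet))] += nbytes
                break
        else:
            raise LookupError(f"no rule matched {host}; add a catch-all filter")
    return dict(out)


def monthly_overview(flows=SAMPLE_FLOWS, conf=CONF_TEXT, count_dst=False):
    return pass_two(pass_one(flows, count_dst), parse_conf(conf))


if __name__ == "__main__":
    for (proto, subnet), nbytes in sorted(monthly_overview().items()):
        print(f"{subnet:<18} {proto:<5} {nbytes:>8}")
```

Rule order matters exactly as it does in the real conf.file: the catch-all `/24` line must come last, otherwise every host matches it before the more specific `/16` and `/23` lines are consulted.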