racount status and its definition
Carter Bullard
carter at qosient.com
Tue Jun 20 11:04:01 EDT 2006
Hey Robin et al.,
You have become the target of anything racount() related ;o)
So, in trying to understand if the "-M proto" option is useful,
I realized that all of the old racount() functions are supported
by racluster(), so I don't want to duplicate features, so I may
end up redefining racount(), but keeping its default behavior.
What I will do for now is leave it as it is, no -A support, but
with the "-M addr" option and then figure out what to do after
that based on the lists opinion.
I use racount as a quick and dirty way of seeing how big is
an argus data file, and to check if programs like racluster()
preserve the counts when it aggregates records, so the
default mode is great, but we can also generate the exact same
output using racluster(), you just have to type more on the
command line to get the output right. Same goes for the old -a option:
The older racount() functions can be done in racluster() as:
racount -r file
racluster -r file -m srcid -s trans pkts spkts dpkts bytes sbytes
dbytes
racount -ar file
racluster -r file -m proto -s proto trans pkts spkts dpkts bytes
sbytes dbytes
Now, with the '-M addr', we have a unique counting situation,
and so that seems appropriate, and I think there should be more
counting things to do, like ports, mac address types (vendor ids),
that kind of thing.
So, opinions? If we could discuss the counting requirements, that
might help define racount a bit.
Carter
More information about the argus
mailing list