ramon question
real.melancon at videotron.ca
Fri Oct 27 13:13:48 EDT 2006
Thanks a lot for the information, Carter. I immediately replaced my scripts and can now query Top Talkers & Listeners as in version 2 (among other things).

I have one more question for you though:

We need a long-term solution (day/week/month) to collect Argus data, which would then be used to define a QOS policy. I am thinking mostly of Layer 4 information. (Right now we rotate the argus.out file every hour (using argusarchive), because the file was growing too quickly and queries were getting longer and longer.)

So, I would need your advice on a long-term collection of Layer 4 information we could later analyze (a little like MRTG/RRD).

I first thought of hacking your Perl script (ragraph), which builds on-the-fly RRD databases, but was wondering if you had something more elegant.

Thanks in advance!

----- Original Message -----
From: carter at qosient.com
Date: Thursday, October 26, 2006 7:13 am
Subject: Re: [ARGUS] ramon question
To: real.melancon at videotron.ca

> Hey Réal,
> To do a Layer 3 matrix using racluster:
>    racluster -nu -m matrix -r file
>
> And if you want top 20 for bytes:
>
>    racluster -m matrix -r file -w - |
>       rasort -m bytes -w - | ra -nu -N 20
>
> The '-m matrix' option will modify each input record, flipping
> the addresses and metrics, to get the saddr to be the lesser of
> the 2 addresses, so that when the records are aggregated, you
> get a single record for each " a <-> b" pair, regardless of the
> direction of the set of flows.
>
> Using '-m saddr daddr' you will get a matrix, but it will be
> direction sensitive, so that you can get 2 records per address
> pair, " a <-> b" and " b <-> a".
>
> The '-M rmon' is not going to help here at all, as it is designed to
> convert bi-directional data to unidirectional data, so that you
> can get metrics per object. You would use this option to
> generate data for just "a", like a single ethernet address,
> single mac address, port, whatever.
> Since you want data for 2
> objects, " a & b ", the '-M rmon' option will just double all
> the metrics. Not good.
>
> Carter
>
> Carter Bullard
> QoSient LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> -----Original Message-----
> From: real.melancon at videotron.ca
> Date: Wed, 25 Oct 2006 20:42:42
> To: argus-info at lists.andrew.cmu.edu
> Subject: [ARGUS] ramon question
>
> Hello List,
>
> With Argus 2.0.6, I was using this command line to get Top
> Talkers & Listeners:
>
> #> ra -n -u -w - -r /var/log/argus/argus.out | ramon -n -u -M Matrix
>
> Which would display something like:
>
> Time        SourceIP      DestIP      Spkts  Dpkts  Sbytes  Dbytes  (e.g.)
> 1161806363  10.5.192.250  10.5.29.71  214    214    19260   19260
> 1161806384  10.5.29.71    10.5.29.65  31     31     1302    1860
>
> Now it has been replaced by racluster, which is much more
> flexible. But I still can't figure out how to
> display the information the same way. I tried this:
>
> racluster -M rmon -m saddr daddr -r /var/log/argus/argus.out -w - - ip | rasort -m bytes -s ltime saddr daddr spkts dpkts sbytes dbytes | head -n 10
>
> 10-25-06 20:30:20.235473  10.6.104.192  10.6.110.73   81041  73984  32471550  11648835
> 10-25-06 20:30:20.235473  10.6.110.73   10.6.104.192  73984  81041  11648835  32471550
> 10-25-06 20:35:50.308809  10.6.104.200  10.6.110.133  12142  16005  5253886   16855338
> 10-25-06 20:35:50.308809  10.6.110.133  10.6.104.200  16005  12142  16855338  5253886
>
> But every line is duplicated (not exactly, but it displays redundant
> information) since racluster gives me both directions' flows. Is
> there any workaround?
>
> Any help is welcomed.
>
> Real Melanson.
>
>
> ____________________________
> Réal Melançon

____________________________
Réal Melançon
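
The three aggregation behaviours discussed in this thread ('-m matrix', '-m saddr daddr', and '-M rmon' combined with '-m saddr daddr'), as an added example that is not part of the original messages. It is a simplified Python model of the semantics Carter describes, not racluster's own code; the flow records are constructed and all function names are hypothetical.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed bidirectional flow records:
# (saddr, daddr, spkts, dpkts, sbytes, dbytes)
FLOWS = [
    ("10.6.104.192", "10.6.110.73", 100, 80, 40000, 12000),
    ("10.6.110.73", "10.6.104.192", 30, 50, 9000, 20000),  # same pair, reversed
    ("10.6.104.200", "10.6.110.133", 10, 20, 5000, 16000),
]

def aggregate(flows):
    """Model of '-m saddr daddr': sum metrics per ordered (saddr, daddr) key."""
    totals = defaultdict(lambda: [0, 0, 0, 0])
    for saddr, daddr, *metrics in flows:
        for i, value in enumerate(metrics):
            totals[(saddr, daddr)][i] += value
    return {key: tuple(vals) for key, vals in totals.items()}

def flip(rec):
    """Swap the addresses and the source/destination metrics of one record."""
    saddr, daddr, spkts, dpkts, sbytes, dbytes = rec
    return (daddr, saddr, dpkts, spkts, dbytes, sbytes)

def matrix(flows):
    """Model of '-m matrix': flip so saddr is the numerically lesser address,
    then aggregate, giving one record per a <-> b pair."""
    norm = [r if ip_address(r[0]) <= ip_address(r[1]) else flip(r) for r in flows]
    return aggregate(norm)

def rmon_then_pair(flows):
    """Assumed model of '-M rmon -m saddr daddr': each record is emitted once
    per endpoint, so every pair appears twice, mirrored, and totals double."""
    per_object = [r for rec in flows for r in (rec, flip(rec))]
    return aggregate(per_object)

def total_bytes(table):
    return sum(sbytes + dbytes for _, _, sbytes, dbytes in table.values())

def top(table, n):
    """Model of 'rasort -m bytes' followed by 'ra -N n'."""
    by_bytes = lambda item: item[1][2] + item[1][3]
    return sorted(table.items(), key=by_bytes, reverse=True)[:n]

if __name__ == "__main__":
    for name, fn in (("matrix", matrix), ("saddr daddr", aggregate),
                     ("rmon + saddr daddr", rmon_then_pair)):
        table = fn(FLOWS)
        print(f"{name}: {len(table)} records, {total_bytes(table)} bytes")
        for (saddr, daddr), metrics in top(table, 10):
            print("   ", saddr, daddr, *metrics)
```
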