ramon question

real.melancon at videotron.ca real.melancon at videotron.ca
Tue Oct 31 14:00:25 EST 2006


Thanks Carter,

I ran a couple of tests and rasplit works like a charm. 

One last question. To get the top tcp/udp ports with ra 2.0.6 I was doing this:

/usr/local/bin/ra -r /var/log/argus/argus.out -w - | /usr/local/bin/ramon -u -M svc | egrep -v "(arp|llc|decr)" | head -n 10
1162317564  udp 1985             1564     0         96676        0
1162319601  tcp ssh              151      115       13798        20119
1162317570  udp ntp              39       30        3510         2700
1162317601  tcp 51404            13       13        2463         858
1162317677 icmp                  12       0         1176         0
1162319599 icmp                  9        0         1080         0
1162319599  udp netbios-ns       9        0         828          0
1162319604  udp domain           2        2         169          223

How can I get the same data using racluster ?

Thanks in advance.

Cheers,

Real.
(real.melancon at videotron.ca)

----- Original Message -----
From: Carter Bullard <carter at qosient.com>
Date: Monday, October 30, 2006 10:11 am
Subject: Re: Re : Re: [ARGUS] ramon question
To: real.melancon at videotron.ca
Cc: argus-info at lists.andrew.cmu.edu

> Hello Réal,
> So, you should be thinking about programs like rasplit(), which can
> effectively be used to build a filesystem of flow records. Currently my
> suggestion is to build a probe/yearly/monthly/daily/'every 5 minute'
> filesystem. This is reasonable for Unix filesystems, as the number of
> files in any given directory doesn't get bigger than 288 files, which
> does pretty good (more files, the slower the directory parsing). Even
> for high speed links the size of the 5 minute files is reasonable, and
> so searching, indexing, whatever becomes bounded.
> 
> rasplit -r file -M time 5m -w $srcid/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S
> or
> rasplit -S argi -M time 5m -w $srcid/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S
> 
> you can run this type of program out of a cron job that runs however
> often you like, or you can use rasplit() to be your actual collector,
> connecting directly to probes, or to a radium(), that is connected to a
> large number of probes. If you want to try to provide real-time
> on-demand reports, then the 'rasplit() as a collector' is the best
> approach.
> 
> designing perl scripts to take a time range and find the 5 minute files
> to search is pretty easy, and i have MySQL DB based programs that will
> create time oriented indexes that allow you to find stuff very fast
> (trying to figure out how to share this software).
> 
> I would recommend that you start to think this way, and have a good
> dialog on the mailing list to try to design a very good archive.
> 
> Hope this is helpful.
> 
> Carter
> 
> 
> On Oct 27, 2006, at 1:13 PM, real.melancon at videotron.ca wrote:
> 
> > Thanks a lot for the information Carter. I immediately replaced my
> > scripts and can now query Top Talkers & Listeners as in version 2
> > (among other things).
> >
> > I have one more question for you though:
> >
> > We need a long term solution (day/week/month) to collect Argus data,
> > which would then be used to define a QOS policy. I am thinking mostly
> > of Layer 4 information. (Right now we rotate the argus.out file every
> > hour (using argusarchive), because the file was growing too quickly
> > and queries were getting longer and longer.)
> >
> > So. I would need your advice for a long-term collection of Layer 4
> > information we could later analyze (a little like MRTG/RRD)
> >
> > I first thought of hacking your Perl script (ragraph), which builds
> > on-the-fly RRD databases, but was wondering if you had something more
> > elegant.
> >
> > Thanks in advance!
> >
> >
> > ----- Original Message -----
> > From: carter at qosient.com
> > Date: Thursday, October 26, 2006 7:13 am
> > Subject: Re: [ARGUS] ramon question
> > To: real.melancon at videotron.ca
> >
> > > Hey Réal,
> > > To do a Layer 3 matrix using racluster:
> > > racluster -nu -m matrix -r file
> > >
> > > And if you want top 20 for bytes:
> > >
> > > racluster -m matrix -r file -w - |
> > > rasort -m bytes -w - | ra -nu -N 20
> > >
> > > The '-m matrix' option will modify each input record, flipping
> > > the addresses and metrics, to get the saddr to be the lesser of
> > > the 2 addresses, so that when the records are aggregated, you
> > > get a single record for each " a <-> b" pair, regardless of the
> > > direction of the set of flows.
> > >
> > > Using '-m saddr daddr' you will get a matrix, but it will be
> > > direction sensitive, so that you can get 2 records per address
> > > pair, " a <-> b" and " b <-> a".
> > >
> > > The '-M rmon' is not going to help here at all, as it is designed to
> > > convert bi-directional data to unidirectional data, so that you
> > > can get metrics per object. You would use this option to
> > > generate data for just "a", like a single ethernet address,
> > > single mac address, port, whatever. Since you want data for 2
> > > objects, " a & b ", the '-M rmon' option will just double all
> > > the metrics. Not good.
> > >
> > > Carter
> > >
> > > Carter Bullard
> > > QoSient LLC
> > > 150 E. 57th Street Suite 12D
> > > New York, New York 10022
> > > +1 212 588-9133 Phone
> > > +1 212 588-9134 Fax
> > >
> > > -----Original Message-----
> > > From: real.melancon at videotron.ca
> > > Date: Wed, 25 Oct 2006 20:42:42
> > > To:argus-info at lists.andrew.cmu.edu
> > > Subject: [ARGUS] ramon question
> > >
> > > Hello List,
> > >
> > > With Argus 2.0.6, I was using this command line to get Top
> > > Talkers & Listeners:
> > >
> > > #> ra -n -u -w - -r /var/log/argus/argus.out | ramon -n -u -M Matrix
> > >
> > > Which would display something like:
> > >
> > > Time       SourceIP      DestIP      Spkts Dpkts Sbytes Dbytes (e.g.)
> > > 1161806363 10.5.192.250  10.5.29.71  214   214   19260  19260
> > > 1161806384 10.5.29.71    10.5.29.65  31    31    1302   1860
> > >
> > > Now, it has been replaced by racluster, which is much more
> > > flexible. But I still can't figure out how to display the
> > > information the same way. I tried this:
> > >
> > > racluster -M rmon -m saddr daddr -r /var/log/argus/argus.out -w - - ip | rasort -m bytes -s ltime saddr daddr spkts dpkts sbytes dbytes | head -n 10
> > >
> > > 10-25-06 20:30:20.235473 10.6.104.192 10.6.110.73  81041 73984 32471550 11648835
> > > 10-25-06 20:30:20.235473 10.6.110.73  10.6.104.192 73984 81041 11648835 32471550
> > > 10-25-06 20:35:50.308809 10.6.104.200 10.6.110.133 12142 16005 5253886  16855338
> > > 10-25-06 20:35:50.308809 10.6.110.133 10.6.104.200 16005 12142 16855338 5253886
> > >
> > > But every line is duplicated (not exactly, but they display
> > > redundant information) since racluster gives me the flows in both
> > > directions. Is there any workaround?
> > >
> > > Any help is welcomed.
> > >
> > > Real Melanson.
> > >
> > >
> > > ____________________________
> > > Réal Melançon
> >
> > ____________________________
> > Réal Melançon
> >

____________________________
Réal Melançon
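The aggregation semantics Carter describes in the quoted reply ('-m matrix' folding a<->b and b<->a into one record, '-m saddr daddr' keeping the two directions apart, '-M rmon' counting each flow once per endpoint and so doubling the totals) and the 5-minute rasplit layout he suggests, modelled as an added Python example. This is not argus or racluster code, and it does not answer the question of the racluster equivalent of 'ramon -M svc': the Flow field names, the sample records, the srcid value "probe1", the UTC assumption for file names and the (proto, dport) ranking are assumptions made for illustration.

```python
"""Model of the aggregation semantics discussed in this thread.

Added example, not argus/racluster code: it re-implements, over a few
constructed flow records, what '-m matrix', '-m saddr daddr' and
'-M rmon' do to bidirectional flows, and the 5-minute rasplit layout.
"""
from collections import namedtuple
from datetime import datetime, timezone
from ipaddress import ip_address

# Bidirectional flow record; field names are assumptions, not argus's own.
Flow = namedtuple(
    "Flow", "stime proto saddr sport daddr dport spkts dpkts sbytes dbytes")

# Constructed sample records (values loosely borrowed from the thread).
FLOWS = [
    Flow(1161806363, "tcp", "10.5.192.250", 40000, "10.5.29.71", 22,
         214, 214, 19260, 19260),
    Flow(1161806384, "tcp", "10.5.29.71", 40001, "10.5.192.250", 22,
         31, 31, 1302, 1860),
    Flow(1161806400, "udp", "10.5.29.65", 123, "10.5.29.71", 123,
         39, 30, 3510, 2700),
    Flow(1161806410, "udp", "10.5.29.71", 53001, "10.5.29.65", 53,
         2, 2, 169, 223),
]

def flip(f):
    """Reverse the record: swap endpoints and the per-direction counters."""
    return Flow(f.stime, f.proto, f.daddr, f.dport, f.saddr, f.sport,
                f.dpkts, f.spkts, f.dbytes, f.sbytes)

def matrix_normalise(f):
    """'-m matrix': flip so saddr is the lesser address; a<->b and b<->a
    then share a key and collapse into one record."""
    return flip(f) if ip_address(f.saddr) > ip_address(f.daddr) else f

def aggregate(flows, key):
    """Sum spkts/dpkts/sbytes/dbytes per key(f); keep the earliest stime.
    Returns {key: (stime, spkts, dpkts, sbytes, dbytes)}."""
    out = {}
    for f in flows:
        k = key(f)
        st, sp, dp, sb, db = out.get(k, (f.stime, 0, 0, 0, 0))
        out[k] = (min(st, f.stime), sp + f.spkts, dp + f.dpkts,
                  sb + f.sbytes, db + f.dbytes)
    return out

def matrix(flows):
    """One record per unordered address pair ('racluster -m matrix')."""
    return aggregate((matrix_normalise(f) for f in flows),
                     lambda f: (f.saddr, f.daddr))

def directional_matrix(flows):
    """One record per ordered pair ('-m saddr daddr'): a->b and b->a stay apart."""
    return aggregate(flows, lambda f: (f.saddr, f.daddr))

def rmon(flows, key=lambda f: f.saddr):
    """'-M rmon': every bidirectional record is emitted once as seen and once
    flipped, so each endpoint gets its own metrics. Keyed by a single object
    that is what you want; keyed by (saddr, daddr) it yields both directions
    and the totals double, which is the duplication seen in the thread."""
    return aggregate([g for f in flows for g in (f, flip(f))], key)

def top_services(flows, n=10):
    """Rank (proto, dport) by total bytes, in the spirit of 'ramon -M svc'.
    Keying on dport is an assumption made for this example."""
    agg = aggregate(flows, lambda f: (f.proto, f.dport))
    return sorted(agg.items(), key=lambda kv: kv[1][3] + kv[1][4],
                  reverse=True)[:n]

def rasplit_path(srcid, stime, bucket=300):
    """File that 'rasplit -M time 5m -w $srcid/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S'
    would use for a record starting at stime (UTC assumed here)."""
    t = datetime.fromtimestamp(stime - stime % bucket, timezone.utc)
    return f"{srcid}/{t:%Y/%m/%d}/argus.{t:%Y.%m.%d.%H.%M.%S}"

def files_for_range(srcid, t0, t1, bucket=300):
    """The 5-minute files a query over [t0, t1) has to open: the
    'take a time range and find the files' script Carter mentions."""
    return [rasplit_path(srcid, t, bucket)
            for t in range(t0 - t0 % bucket, t1, bucket)]

if __name__ == "__main__":
    by_pair = rmon(FLOWS, lambda f: (f.saddr, f.daddr))
    for name, table in (("matrix", matrix(FLOWS)),
                        ("saddr daddr", directional_matrix(FLOWS)),
                        ("rmon by pair", by_pair)):
        print(f"-- {name}: {len(table)} records, "
              f"{sum(v[3] + v[4] for v in table.values())} bytes total")
        for k, v in sorted(table.items(), key=lambda kv: -(kv[1][3] + kv[1][4])):
            print(" ", k, v)
    print("-- top services:", top_services(FLOWS, 3))
    print("-- files:", files_for_range("probe1", 1161806363, 1161806363 + 600))
```

Running it shows the point of Carter's reply: the matrix table has two records and 48284 bytes in total, the 'rmon by pair' table has four records (each pair twice, mirrored) and exactly double the bytes, which is the duplicated output in the original question. The files_for_range helper is the time-range lookup Carter says is easy to script once records are split into 5-minute files.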