3.0 and top talkers

Carter Bullard carter at qosient.com
Mon Sep 11 22:43:09 EDT 2006


Hey Chris,
This function is now done using racluster().  It's almost ragator()
but with more functionality.  To do a top talkers for say IP addresses
(racluster can do it for any object in the record, top mac addrs, top
tos bytes, top mpls label, top vlan, top port, top ttl, etc....):

    racluster -M rmon -m saddr -r input.file - ip

The rmon (for the notorious RMON working group of the IETF :o)
option will convert bi-directional flow records to single object
activity records.  The object will be in the src field, so you cluster
on the saddr, smac, or stos, or sdsb, or smpls, or svlan, or sttl or ....
and of course you can mix and match, so you can have

    racluster -M rmon -m smac saddr -r input.file - ip

if you were interested in the MAC/IP address tuple.

racluster sorts based on the object(s), so in this case it will give you
the addresses in sorted order.  If you want the top values based
on, say, total packets, then use rasort() to do the post processing:

    racluster -M rmon -m saddr -r input.file -w - - ip | \
    rasort -m pkts -s stime dur saddr spkts dpkts sbytes dbytes state

To change the criteria for the 'top', change the "-m metric" on the sort.

For top bytes transmitted:

    rasort -m sbytes -s stime dur saddr spkts sbytes srate

For top bytes received:

    rasort -m dbytes -s stime dur saddr dpkts dbytes drate

If you were interested in top talkers and DiffServ markings:

    racluster -M rmon -m saddr sdsb -r input.file -w - - ip | \
    rasort -m pkts -s stime dur saddr sdsb spkts dpkts

There are a lot of variations.  If you have problems at all, just
send mail to the list!!!!!!!

Carter




On Sep 11, 2006, at 6:49 PM, Christopher Jones wrote:

> All,
>
> I know that 3.0 is in beta and therefore the Argus client
> implementation is in flux.  Is there a way in 3.0 to get the top
> talkers like in 2.0.6 where ramon can be used with rasort to get the
> top receivers or senders?  If this coming soon to 3.0, any ideas when?
>
> Thanks,
>
> Chris
>
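The pipeline described in the message above, modelled in Python as an added illustration (not code from the post or from the Argus project): split each bi-directional flow into one record per endpoint, merge records by saddr, then rank by the chosen metric. The record layout, the sample flows and the counter swap for the far endpoint are assumptions made for this model.

```python
from collections import defaultdict

# Constructed sample flows: (saddr, daddr, spkts, dpkts, sbytes, dbytes)
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 120, 300, 9_000, 410_000),
    ("10.0.0.7", "192.0.2.10", 40, 35, 3_200, 2_900),
    ("10.0.0.5", "198.51.100.3", 10, 8, 700, 650),
    ("192.0.2.10", "10.0.0.7", 5, 5, 400, 400),
]
FIELDS = ("spkts", "dpkts", "sbytes", "dbytes")

def rmon_split(flow):
    """Model of -M rmon: one record per endpoint, object in the src field."""
    saddr, daddr, spkts, dpkts, sbytes, dbytes = flow
    yield saddr, (spkts, dpkts, sbytes, dbytes)
    # Assumption: the far end is emitted with src/dst counters swapped.
    yield daddr, (dpkts, spkts, dbytes, sbytes)

def cluster_by_saddr(flows):
    """Model of -m saddr: merge every record that shares the same saddr."""
    totals = defaultdict(lambda: dict.fromkeys(FIELDS, 0))
    for flow in flows:
        for addr, counters in rmon_split(flow):
            for name, value in zip(FIELDS, counters):
                totals[addr][name] += value
    return dict(totals)

# Model of rasort -m <metric>: the value each host is ranked on.
SORT_KEYS = {
    "pkts": lambda t: t["spkts"] + t["dpkts"],
    "sbytes": lambda t: t["sbytes"],
    "dbytes": lambda t: t["dbytes"],
}

def top_talkers(flows, metric="pkts", n=None):
    """Return [(addr, metric_value), ...], largest first."""
    key = SORT_KEYS[metric]
    ranked = sorted(cluster_by_saddr(flows).items(),
                    key=lambda item: key(item[1]), reverse=True)
    return [(addr, key(t)) for addr, t in ranked[:n]]

if __name__ == "__main__":
    for metric in SORT_KEYS:
        print(metric, top_talkers(FLOWS, metric, n=3))
```

In the sample, 192.0.2.10 is the source of only one flow yet ranks first on packets, because the split step also credits it for the flows where it is the destination.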



