3.0 and top talkers

Joost Bijl joost.bijl at gmail.com
Wed Sep 13 11:18:01 EDT 2006


Hi list

I still have a question.

On 9/12/06, Carter Bullard <carter at qosient.com> wrote:
>
> Hey Chris,
> This function is now done using racluster().  It's almost ragator()
> but with more functionality.  To do a top talkers for say IP addresses
> (racluster can do it for any object in the record, top mac addrs, top
> tos bytes, top mpls label, top vlan, top port, top ttl, etc....):
>
>    racluster -M rmon -m saddr -r input.file - ip
>
> The rmon (for the notorious RMON working group of the IETF :o)
> option will convert bi-directional flow records to single object
> activity records.  The object will be in the src field, so you cluster
> on the saddr, smac, or stos, or sdsb, or smpls, or svlan, or sttl or ....
> and of course you can mix and match, so you can have
>
>    racluster -M rmon -m smac saddr -r input.file - ip
>
> if you were interested in the MAC/IP address tuple.
>
> racluster sorts based on the object(s), so in this case it will give you
> the addresses in sorted order.  If you want the top values based
> on, say, total packets, then use rasort() to do the post processing:
>
>    racluster -M rmon -m saddr -r input.file -w - - ip | \
>    rasort -m pkts -s stime dur saddr spkts dpkts sbytes dbytes state

So this query gives me a list with 2 columns, IP address and bytes used:

$ racluster -M rmon -m saddr -r /var/log/argus/bridge0/argus.out -w - - ip | \
  rasort -m bytes -s saddr bytes | head -20

I have been playing around with the commands but can't figure out
right now how to display the same information for the top protocols.
In the ideal case there would be the same output but with things like
tcp/21, esp and udp/1433 in the first column...

Is this possible?

with regards
Joost



>
> to change the criteria for the 'top', change the "-m metric" on the sort.
> For top bytes transmitted:
>    rasort -m sbytes -s stime dur saddr spkts sbytes srate
>
> For top bytes received:
>    rasort -m dbytes -s stime dur saddr dpkts dbytes drate
>
> If you were interested in top talkers and DiffServ markings:
>    racluster -M rmon -m saddr dsb -r input.file - ip | \
>    rasort -m pkts -s stime dur saddr sdsb spkts dpkts
>
> There are a lot of variations.  If you have problems at all, just
> send mail to the list!!!!!!!
>
> Carter
>
> On Sep 11, 2006, at 6:49 PM, Christopher Jones wrote:
>
> All,
>
> I know that 3.0 is in beta and therefore the Argus client
> implementation is in flux.  Is there a way in 3.0 to get the top
> talkers like in 2.0.6 where ramon can be used with rasort to get the
> top receivers or senders?  If this coming soon to 3.0, any ideas when?
>
> Thanks,
>
> Chris
>

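The pipeline the quoted replies describe (the rmon conversion of bi-directional flows into per-object records, racluster summing records that share the -m key, rasort ranking them by a metric), modelled as an added Python example; this is not Argus code and the flow records are constructed. The top_services function goes beyond the thread by keying the original flows on protocol and server port, which is the view Joost asks about.

```python
from collections import defaultdict

COUNTERS = ("spkts", "dpkts", "sbytes", "dbytes")

# Constructed bi-directional flow records, with the field names used in
# Carter's "rasort -s" lists (saddr daddr proto sport dport + counters).
FLOWS = [
    dict(saddr="10.0.0.5", daddr="192.0.2.10", proto="tcp", sport=51000, dport=21, spkts=40, dpkts=30, sbytes=4000, dbytes=120000),
    dict(saddr="10.0.0.5", daddr="192.0.2.11", proto="udp", sport=53000, dport=1433, spkts=10, dpkts=10, sbytes=800, dbytes=900),
    dict(saddr="10.0.0.7", daddr="192.0.2.10", proto="tcp", sport=51001, dport=21, spkts=20, dpkts=15, sbytes=2000, dbytes=60000),
    dict(saddr="10.0.0.7", daddr="198.51.100.3", proto="esp", sport=0, dport=0, spkts=500, dpkts=480, sbytes=70000, dbytes=65000),
]

def rmon(flows):
    """'-M rmon' as described: one single-object record per endpoint. The dst
    endpoint is re-expressed as a src record with ports and counters mirrored,
    so clustering on saddr afterwards sees both ends of every flow."""
    for f in flows:
        yield dict(f)
        yield dict(f, saddr=f["daddr"], daddr=f["saddr"], sport=f["dport"], dport=f["sport"],
                   spkts=f["dpkts"], dpkts=f["spkts"], sbytes=f["dbytes"], dbytes=f["sbytes"])

def cluster(records, key_fields):
    """racluster-style aggregation: sum the counters of records sharing the key."""
    totals = defaultdict(lambda: dict.fromkeys(COUNTERS, 0))
    for rec in records:
        key = tuple(rec[k] for k in key_fields)
        for c in COUNTERS:
            totals[key][c] += rec[c]
    return totals

def rank(totals, metric, n):
    """rasort-style ranking on one metric; 'bytes' and 'pkts' sum both directions,
    'sbytes'/'dbytes' etc. pick one direction as in Carter's sort examples."""
    def value(t):
        if metric in ("bytes", "pkts"):
            return t["s" + metric] + t["d" + metric]
        return t[metric]
    return sorted(((k, value(t)) for k, t in totals.items()), key=lambda kv: -kv[1])[:n]

def top_talkers(flows, metric="bytes", n=20):
    """Joost's command: racluster -M rmon -m saddr ... | rasort -m bytes | head -n."""
    return [(k[0], v) for k, v in rank(cluster(rmon(flows), ["saddr"]), metric, n)]

def top_services(flows, metric="bytes", n=20):
    """Generalisation (not from the thread): cluster the original flows on
    protocol and server port, labelled tcp/21, esp, udp/1433 style."""
    ranked = rank(cluster(flows, ["proto", "dport"]), metric, n)
    return [(f"{p}/{d}" if p in ("tcp", "udp") else p, v) for (p, d), v in ranked]
```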