3.0 and top talkers

Carter Bullard carter at qosient.com
Wed Sep 13 19:28:35 EDT 2006 

Hey Joost ,
   racluster -M rmon -m proto sport -r input.file -w - - ip | \
   rasort -m bytes proto sport -s stime dur proto sport spkts dpkts 
sbytes dbytes

If this doesn't do it, yell!!!

Carter

Joost Bijl wrote:

> Hi list
>
> i still have a question.
>
> On 9/12/06, Carter Bullard <carter at qosient.com> wrote:
>
>>
>> Hey Chris,
>> This function is now done using racluster().  It's almost ragator()
>> but with more functionality.  To do a top talkers for say IP addresses
>> (racluster can do it for any object in the record, top mac addrs, top
>> tos bytes, top mpls label, top vlan, top port, top ttl, etc....):
>>
>>    racluster -M rmon -m saddr -r input.file - ip
>>
>> The rmon (for the notorious RMON working group of the IETF :o)
>> option will convert bi-directional flow records to single object
>> activity records.  The object will be in the src field, so you cluster
>> on the saddr, smac, or stos, or sdsb, or smpls, or svlan, or sttl or 
>> ....
>> and of course you can mix and match, so you can have
>>
>>    racluster -M rmon -m smac saddr -r input.file - ip
>>
>> if you were interested in the MAC/IP address tuple.
>>
>> racluster sorts based on the object(s), so in this case it will give you
>> the addresses in sorted order.  If you want the top values based
>> on, say, total packets, then use rasort() to do the post processing:
>>
>>    racluster -M rmon -m saddr -r input.file -w - - ip | \
>>    rasort -m pkts -s stime dur saddr spkts dpkts sbytes dbytes state
>
>
> So this query gives me a list with 2 columns, IP-address and bytes used:
>
> $ racluster -M rmon -m saddr -r /var/log/argus/bridge0/argus.out  -w -
> - ip |    rasort -m bytes -s saddr bytes |head -20
>
> I have been playing around with the commands but can't figure out
> right now how to display the same information for the top-protocols.
> In the ideal case there would be the same output but with things like
> tcp/21, esp and udp/1433 in the first column...
>
> is this possible??
>
> with regards
> Joost
>
>
>
>>
>> to change the criteria for the 'top', change the "-m metric" on the 
>> sort.
>> For top bytes transmitted:
>>    rasort -m sbytes -s stime dur saddr spkts sbytes srate
>>
>> For top bytes received:
>>    rasort -m dbytes -s stime dur saddr dpkts dbytes drate
>>
>> If you were interested in top talkers and DiffServ markings:
>>    racluster -M rmon -m saddr dsb -r input.file - ip | \
>>    rasort -m pkts -s stime dur saddr sdsb spkts dpkts
>>
>> There are a lot of variations.  If you have problems at all, just
>> send mail to the list!!!!!!!
>>
>> Carter
>>
>>
>>
>>
>>
>> On Sep 11, 2006, at 6:49 PM, Christopher Jones wrote:
>>
>> All,
>>
>> I know that 3.0 is in beta and therefore the Argus client
>> implementation is in flux.  Is there a way in 3.0 to get the top
>> talkers like in 2.0.6 where ramon can be used with rasort to get the
>> top receivers or senders?  If this coming soon to 3.0, any ideas when?
>>
>> Thanks,
>>
>> Chris
>>
>>
>>
>>
>>
>>
>>
>

More information about the argus mailing list