TopN question
carter at qosient.com
Thu Sep 28 13:40:43 EDT 2006
Hey Robin,
So, if you are looking for top src address based on src bytes in a collection of records
racluster -m saddr -w - -R 2006/09/28 - ip | rasort -m sbytes
If you want top address, regardless of direction,
racluster -M rmon -m saddr -w - -R 2006/09/28 - ip | rasort -m sbytes
The "-M rmon" folds the src and dst addresses together, putting the values into the saddr field.
With the rmon option, the daddr becomes irrelevant, and so you should not include it. Also, "-m" options define the flow key; while putting a metric in the key is ok, your command will track flows, merging them together only when the bytes (and the other fields) are the same, which is probably not what you're interested in.
Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-----Original Message-----
From: Robin Gruyters <r.gruyters at yirdis.nl>
Date: Thu, 28 Sep 2006 17:17:56
To:Argus <argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] TopN question
Hi ya,
I'm trying to build a TopN list based on src address and amount of
(src) bytes:
[...]
racluster -M rmon -m proto saddr sport daddr bytes -w - -R 2006/09/28 - ip | \
rasort -m saddr sbytes -s stime ltime proto saddr sport daddr spkts dpkts sbytes dbytes
[...]
Is this the right way, or am I completely on the wrong track...
Also if people have more examples to build nice lists, please share
them with us..
Regards,
Robin Gruyters
Network and Security Engineer
Yirdis B.V.
I: http://yirdis.com
P: +31 (0)36 5300394
F: +31 (0)36 5489119
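A small model of the two commands in Carter's reply and of his flow-key point, added here as an example; it is not code from the argus tools or from either poster. The flow records are constructed sample data, and the way -M rmon folds each flow into one record per endpoint is an assumption about argus behaviour.

```python
# Added example: models "racluster -m saddr | rasort -m sbytes" and the -M rmon
# variant on constructed flow records, and shows why a metric in the flow key
# (Robin's "-m ... bytes") stops flows from the same address merging.

# Constructed sample flows: (saddr, daddr, sbytes, dbytes), where sbytes is
# bytes sent src -> dst and dbytes is bytes sent dst -> src.
FLOWS = [
    ("10.0.0.1", "10.0.0.9", 500, 100),
    ("10.0.0.1", "10.0.0.9", 300, 50),
    ("10.0.0.2", "10.0.0.9", 700, 20),
    ("10.0.0.9", "10.0.0.1", 50, 1000),
]


def racluster(flows, key_fields, rmon=False):
    """Aggregate like 'racluster -m <key_fields>' (optionally with -M rmon):
    records whose key fields match are merged by summing the byte counters."""
    recs = []
    for saddr, daddr, sb, db in flows:
        if rmon:
            # Assumption about -M rmon: each flow becomes one record per endpoint,
            # with that endpoint in saddr and the bytes it sent in sbytes.
            recs.append({"saddr": saddr, "sbytes": sb, "dbytes": db, "bytes": sb + db})
            recs.append({"saddr": daddr, "sbytes": db, "dbytes": sb, "bytes": sb + db})
        else:
            recs.append({"saddr": saddr, "daddr": daddr, "sbytes": sb,
                         "dbytes": db, "bytes": sb + db})
    merged = {}
    for r in recs:
        k = tuple(r[f] for f in key_fields)
        if k in merged:
            for f in ("sbytes", "dbytes", "bytes"):
                merged[k][f] += r[f]
        else:
            merged[k] = dict(r)
    return list(merged.values())


def rasort(recs, field):
    """Sort like 'rasort -m <field>', largest first."""
    return sorted(recs, key=lambda r: r[field], reverse=True)


def top_src_by_sbytes(flows, rmon=False, key=("saddr",)):
    """TopN list of (saddr, sbytes) for the given flow key."""
    return [(r["saddr"], r["sbytes"]) for r in rasort(racluster(flows, key, rmon), "sbytes")]
```

With key=("saddr", "bytes") the four sample flows stay as four separate records, so the top entry is no longer the address that actually sent the most bytes.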