Most efficient way to generate summary traffic report
Carter Bullard
carter at qosient.com
Fri Apr 13 10:36:45 EDT 2007
Hey toddmichael,
If you can handle perl, you can do what you're interested in in one
pass.
In the clients package there are two programs, raports and rahosts.
These
programs parse data files and build associative arrays for various data
elements. You could modify it to do your percent load type of reports,
and also do the mapping from IP address, or ethernet address, to your
group assignments.
If your not interested in that, you can use rabins() to do what you
want,
with some post processing. Say you want the metrics between class
C networks every hour:
rabins -M soft time 1h -m matrix/24
Say you just want to know the in and out counts per subnet:
rabins -M rmon soft time 1h -m saddr/24 -s stime saddr spkts dpkts
These will give you the basic data and you can build the percents. You
can use something like excel in a pinch to give you percent over the
time
period. You can also do stuff with perl, awk, etc .....
Give that a try and see if its getting close to providing what you're
interested in. If there some other support that would do it all,
send some
mail and we'll see what we can do.
Carter
On Apr 12, 2007, at 4:03 PM, toddmichael wrote:
> Just started working with Argus after reading about it in Richard
> Bejtlich's Tao of NSM book. He's right - this tool is fantastic!
> To get me started I am running argus on a span port to gather
> everything I need. At this point, my plan is to let it run for
> about a week for the purpose of gathering some statistics regarding
> Internet usage. I have an Internet pipe that is used for standard
> Internet usage and also for inter-office vpn connectivity. I'm
> trying to generate a report which shows the percentage of our
> Internet traffic which is to/from:
>
> office1
> office2
> datacenter1
> datacenter2
> all other
>
> so I can report to management on how much is inter-office VPN vs
> all-other. I know I can do this using racount with perl or shell,
> but it requires many passes over the same file ( i.e. using filter
> of -t -24h net 192.168.x.x to find out traffic to/from 192.168.x.x
> in the past 24 hours) which is quite large and thus would be pretty
> inefficient. Before going this route I'm wondering if there's a
> way to gather this info in a more efficient way (using 1 or 2
> passes rather than 5+) using either racount or the numerous other
> utilities. I appreciate your guidance.
>
> toddmichael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20070413/c538bb63/attachment.html>
More information about the argus
mailing list