racluster -M rmon: how to use it?

carter at qosient.com carter at qosient.com
Thu Feb 22 08:32:49 EST 2007


Hey Wolfgang,
You're so close!!!!  But you need to specify the object using the -m option!  The "-M rmon" option works by duplicating the record, reversing all the fields and then merging.  So specify the object:
    "-m smac" - by interface
    "-m svlan" - by vlan
    "-m smpls" - by mpls label
    "-m saddr" - by IP address
    "-m proto sport" - by port
    "-m smac sdsb" - by diffserv label

So if you want to aggregate based on interface, then use:

   -M rmon -m smac

This will give you in/out stats based on interface.  When you print/graph the records, you will want to print the smac field, so the full command:

   racluster -M rmon -m smac -s smac spkts dpkts sbytes dbytes

should give you what you're looking for.

So how could we improve this??

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: wob at swobspace.de (Wolfgang Barth)
Date: Wed, 21 Feb 2007 19:58:33 
To:argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] racluster -M rmon: how to use it?

Hi,

I have some problem understanding how racluster -M rmon (should) work. I
want to plot inbound/outbound traffic - not src/dst traffic.

I'm using something like this:

racluster -M rmon -r argus.log - \
   srcid elibridge_dmz and src host 172.17.132.81 \
   and dst host 172.17.130.2 and tcp dst port 80 and tcp src port 1415

The output is:

2007-02-21 08:15:27.658658 tcp 172.17.132.81.1415 -> 172.17.130.2.www \
                            9       13         1055        11936   FIN
2007-02-21 08:15:27.658658 tcp 172.17.130.2.www  -> 172.17.132.81.1415 \
                           13        9        11936         1055   FIN

The flow is duplicated. Okay, if RMON works this way, how can I filter out
inbound and outbound traffic?

A simple 'ragraph bytes -M 10s -M rmon ...' shows a symmetric graph with
inbound = src+dst = outbound. 

Is there a way to show what is coming in/going out related to the
interface?

Wolfgang
-- 
<wob (at) swobspace de> * http://www.swobspace.de


