Filtering with netmasks?

K K kkadow at gmail.com
Wed May 2 14:53:12 EDT 2007


We'd like to be able to generate a "Top 10 users of Internet
bandwidth" report for traffic exchanged between internal users and
Internet hosts.  Originally I tried this with v2, and I'm now testing
with v3.0.0.  In both cases, the host OS is OpenBSD 3.9 (soon to be
upgraded to 4.1, released yesterday).

We already have the inside-edge Cisco router sending NetFlow to Argus,
but not all the traffic crossing this router is Internet traffic, so
I'm trying to use filter expressions to report only on the relevant
traffic, like this:

ra -r /data/argus/argus.2007.05.01.16.50.01.gz -w - \
   - 'host squidproxy or host socksproxy or not ( src net 205.166.42. or 10. or 172.24. or 172.30.12. or 192.168. ) or not ( dst net 205.166.42. or 10. or 172.24. or 172.30.12. or 192.168. )' \
 | racluster -M rmon -m saddr -w - \
 | rasort -m bytes load -w - \
 | ra -N 10 -s saddr daddr spkts dpkts sbytes dbytes load \
 | tr -s " " | sed -e "s/ 0\.0\.0\.0//"

The command above almost, but not quite, works as expected. The report
is generated, but it includes data for purely internal connections
between 172.24.5.5 and 192.168.6.6 -- sessions which I'd hope the
filter would have dropped.  In other words, the goal of the filter expression is
to only count traffic from/to the proxy gateways, or where either the
source or destination IP is external.

I believe the issue is with the PCAP style filters and I'm expecting
too much from "src net" filtering.  Is there a better way to get the
desired results when the source is NetFlow?


Thanks in advance,

Kevin
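The selection rule Kevin describes, written out as a plain predicate over flow records so it can be checked independently of how ra parses the filter string. This is an added example, not code from the post or from argus: the proxy addresses (172.24.1.10 and 172.24.1.11), the sample flows, and the top_talkers() approximation of the "racluster -M rmon -m saddr | rasort -m bytes" stage are all assumptions made for illustration. The internal prefixes are the ones from the post, written as full CIDR masks. As the predicate shows, a flow between 172.24.5.5 and 192.168.6.6 is excluded by the Boolean logic itself, so a reference like this is useful for diffing against what ra actually emits.

```python
"""Reference model of the post's filter: keep a flow if either endpoint is a
proxy gateway, or if either endpoint lies outside the internal prefixes, then
rank addresses by bytes the way the racluster -M rmon / rasort stage does.
Added example; not argus code. Proxy addresses and sample flows are made up."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Internal prefixes from the post's filter, written as full CIDR masks
# (205.166.42. -> /24, 10. -> /8, and so on) instead of dotted prefixes.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("205.166.42.0/24", "10.0.0.0/8", "172.24.0.0/16",
              "172.30.12.0/24", "192.168.0.0/16")
]

# The post names the gateways "squidproxy" and "socksproxy"; these addresses
# are assumed for the example, not taken from the post.
PROXY_HOSTS = {ipaddress.ip_address("172.24.1.10"),
               ipaddress.ip_address("172.24.1.11")}


@dataclass(frozen=True)
class Flow:
    saddr: str
    daddr: str
    sbytes: int  # bytes sent by saddr
    dbytes: int  # bytes sent by daddr


def is_internal(addr: str) -> bool:
    """True if addr falls inside any of the internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_relevant(flow: Flow) -> bool:
    """The filter from the post as a Boolean predicate:
    host <proxy> or not (src internal) or not (dst internal)."""
    src = ipaddress.ip_address(flow.saddr)
    dst = ipaddress.ip_address(flow.daddr)
    if src in PROXY_HOSTS or dst in PROXY_HOSTS:
        return True
    return (not is_internal(flow.saddr)) or (not is_internal(flow.daddr))


def top_talkers(flows, n: int = 10, only_internal: bool = True):
    """Approximates 'racluster -M rmon -m saddr | rasort -m bytes': every
    matching flow is credited, in full, to each of its two endpoints, so the
    report is per address rather than per address pair. With only_internal
    set, external addresses are dropped so the list is of internal users."""
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        if not is_relevant(f):
            continue
        for addr in (f.saddr, f.daddr):
            if only_internal and not is_internal(addr):
                continue
            totals[addr] += f.sbytes + f.dbytes
    # Secondary key on the address string makes ties deterministic.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample flows: 198.51.100.7 and 203.0.113.9 (documentation
# ranges) stand in for Internet hosts; the rest are internal addresses.
SAMPLE_FLOWS = [
    Flow("172.24.5.5", "192.168.6.6", 1000, 2000),    # internal <-> internal: drop
    Flow("172.24.5.5", "198.51.100.7", 5000, 7000),   # internal -> Internet: keep
    Flow("10.1.2.3", "172.24.1.10", 300, 900),        # internal -> proxy: keep
    Flow("203.0.113.9", "192.168.6.6", 400, 100),     # Internet -> internal: keep
    Flow("172.30.12.4", "172.30.12.5", 50, 50),       # internal <-> internal: drop
]

if __name__ == "__main__":
    for addr, nbytes in top_talkers(SAMPLE_FLOWS):
        print(f"{addr:<16} {nbytes}")
```

Running the module prints the per-address ranking for the constructed flows; swapping SAMPLE_FLOWS for records exported from ra (saddr, daddr, sbytes, dbytes) gives a baseline to compare against the pipeline's own output.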


