Filtering with netmasks?

Peter Van Epp vanepp at sfu.ca
Wed May 2 15:18:52 EDT 2007


On Wed, May 02, 2007 at 01:53:12PM -0500, K K wrote:
> We'd like to be able to generate a "Top 10 users of Internet
> bandwidth" report for traffic exchanged between internal users and
> Internet hosts.  Originally I tried this with v2, and I'm now testing
> with V3.0.0.  In both cases, the host OS is OpenBSD 3.9 (soon to be
> upgraded to 4.1, released yesterday).
> 
> We already have the inside-edge Cisco router sending NetFlow to Argus,
> but not all the traffic crossing this router is Internet traffic, so
> I'm trying to use filter expressions to report only on the relevant
> traffic, like this:
> 
> ra -r /data/argus/argus.2007.05.01.16.50.01.gz -w -
>  - 'host squidproxy or host socksproxy or not ( src net 205.166.42.
> or 10. or 172.24. or 172.30.12. or 192.168. ) or not ( dst net
> 205.166.42. or 10. or 172.24. or 172.30.12. or 192.168. )' | racluster
> -M rmon -m saddr -w - | rasort -m bytes load -w - | ra -N 10 -s saddr
> daddr spkts dpkts sbytes dbytes load | tr -s " " | sed -e "s/
> 0\.0\.0\.0//"
> 

	That is likely because filter syntax has changed a bit.

ra3 -r com_argus -n \(src net 142.58.209.\)
   10:54:58.668335             man               3032      0                    22674      1   766884    40295        22674   3276032916   CON
   10:54:58.668335             man               3110      0                    22592      1   802514    38178        22592   3325167276   CON
   10:54:58.668335             man               3364      0                    

	which now needs to be:

ra3 -r com_argus -n \(src net 142.58.209.0/24\)

   11:59:56.019915  e          tcp      142.58.209.70.1168     <?>      xxx.yy.zzz.aa.80            8        8         9225         1117   CON

	to get the expected data. Filters of the first form worked in the 
2.0 (at least 2.0.6) series but don't on 3.0. 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
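Since the 2.0-style truncated prefixes ("net 205.166.42.", "net 10.") have to be spelled out as CIDR blocks for 3.0, the filter in the question can be rewritten mechanically. The script below is an added example, not code from the original post or from the Argus project; it assumes only that ra3 accepts "net a.b.c.0/24" as shown above, and LEGACY_FILTER is the questioner's filter used as a sample.

```python
"""Rewrite Argus 2.0-style truncated 'net' prefixes as the CIDR form ra3 expects."""
import ipaddress
import re

# A truncated prefix is 1-3 octets ending in a dot that is not followed by
# another octet, e.g. "10.", "192.168.", "205.166.42.". The lookarounds keep
# a full address ("142.58.209.70") or an existing CIDR ("10.0.0.0/8") untouched.
_LEGACY_PREFIX = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){0,2})\.(?![\d.])")

# Sample input: the filter from the question above (hostnames are left alone).
LEGACY_FILTER = ("host squidproxy or host socksproxy"
                 " or not ( src net 205.166.42. or 10. or 172.24. or 172.30.12. or 192.168. )"
                 " or not ( dst net 205.166.42. or 10. or 172.24. or 172.30.12. or 192.168. )")


def legacy_prefix_to_cidr(prefix: str) -> str:
    """'205.166.42.' -> '205.166.42.0/24', '10.' -> '10.0.0.0/8'."""
    octets = prefix.rstrip(".").split(".")
    if not 1 <= len(octets) <= 3:
        raise ValueError(f"not a truncated prefix: {prefix!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    # ip_network() is strict by default: it rejects octets above 255 and any
    # prefix whose host bits are set, so a malformed filter fails loudly here.
    return str(ipaddress.ip_network(f"{padded}/{8 * len(octets)}"))


def convert_filter(expr: str) -> str:
    """Return the filter with every truncated prefix rewritten as CIDR."""
    return _LEGACY_PREFIX.sub(lambda m: legacy_prefix_to_cidr(m.group(0)), expr)


def networks_in_filter(expr: str) -> list:
    """Every CIDR block in a converted filter, so its coverage can be checked."""
    return [ipaddress.ip_network(tok) for tok in re.findall(r"\d+\.\d+\.\d+\.\d+/\d+", expr)]


if __name__ == "__main__":
    converted = convert_filter(LEGACY_FILTER)
    print(converted)
    print(networks_in_filter(converted))
```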


