looking for host that is sending most bytes
CS Lee
geek00l at gmail.com
Fri May 11 00:55:22 EDT 2007
Hey all,
I'm looking for a way to track down which host sends out the most bytes in the
network (not the total bytes of the whole flow but the total sbytes). I think to
track the single metric from one side I should use rmon, hence I tried
this command -
racluster -L0 -nnr http-largefile.arg -M rmon -s stime saddr daddr sbytes dbytes
StartTime Host DstAddr OutBytes InBytes
10:42:55.679844 88.198.153.75 192.168.0.24 8001957 340637
10:42:55.679844 192.168.0.24 88.198.153.75 340637 8001957
As the whole session lasts around 20 minutes, I tried with rabins
rabins -L0 -nnr http-largefile.arg -M rmon soft time 20m -s stime saddr sbytes dbytes
StartTime Host OutBytes InBytes
10:40:00.000000 192.168.0.24 340637 8001957
10:40:00.000000 88.198.153.75 8001957 340637
So this is shown correctly, where 88.198.153.75 sends out the most bytes,
which is 8001957, and 192.168.0.24 only sends out 340637 bytes. However, when
I use rasort to sort the source bytes -
racluster -L0 -nnr http-largefile.arg -M rmon -w - | rasort -m sbytes -s saddr daddr sbytes
192.168.0.24 88.198.153.75 8001957
192.168.0.24 88.198.153.75 340637
This doesn't seem to be right. If I just want the flow that contains the
highest bytes I shouldn't have to use rmon, and that's pretty simple to track,
but I can't get it right when I just want to track the metric of one side.
The purpose of this is to track the top N talkers that send out the most bytes,
or maybe the most packets when possible.
I can use this command, but the records are not aggregated -
racluster -L0 -nnr http-largefile.arg -M rmon -m sbytes -s stime saddr daddr sbytes dbytes
StartTime Host DstAddr OutBytes InBytes
10:55:58.995562 88.198.153.75 192.168.0.24 710066 30032
10:45:56.612563 88.198.153.75 192.168.0.24 655562 25768
10:44:56.585148 88.198.153.75 192.168.0.24 649506 27266
10:53:58.059295 88.198.153.75 192.168.0.24 561694 23068
10:51:57.595715 88.198.153.75 192.168.0.24 554124 22434
10:52:57.774880 88.198.153.75 192.168.0.24 529900 23460
10:49:57.309883 88.198.153.75 192.168.0.24 523844 22800
10:56:59.007757 88.198.153.75 192.168.0.24 507190 22378
10:47:56.964138 88.198.153.75 192.168.0.24 495078 20966
10:55:58.995562 192.168.0.24 88.198.153.75 30032 710066
10:44:56.585148 192.168.0.24 88.198.153.75 27266 649506
10:45:56.612563 192.168.0.24 88.198.153.75 25768 655562
10:52:57.774880 192.168.0.24 88.198.153.75 23460 529900
10:53:58.059295 192.168.0.24 88.198.153.75 23068 561694
........truncated
Then finally I get an idea that aggregation can be done on multiple objects
at the same time -
racluster -L0 -nnr http-largefile.arg -M rmon -m sbytes saddr daddr -s stime saddr sbytes
StartTime Host OutBytes
10:42:55.679844 88.198.153.75 8001957
10:42:55.679844 192.168.0.24 340637
And now I have the hosts that are sending out the most bytes in sequence, and I
can do the same with packets -
racluster -L0 -nnr http-largefile.arg -M rmon -m spkts saddr daddr -s stime saddr spkts
StartTime Host OutPkts
10:42:55.679844 88.198.153.75 5289
10:42:55.679844 192.168.0.24 4912
I'm not really sure whether I'm right in this sense, but I'm sharing it with the
people on the mailing list; if you know a better (correct) way of doing this,
please do let me know. Btw, I'm confused with the rasort output though. Maybe
Carter can shed some light :)
Thanks.
--
Best Regards,
CS Lee<geekooL[at]gmail.com>
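Added illustration, not part of CS Lee's post and not argus's own code: a small Python model of the two steps the post relies on, the rmon-style split of each bidirectional flow into two host-perspective records (OutBytes/InBytes swap for the responder) and the per-host aggregation that produces a top-talker list. The flow records are a constructed subset of the per-minute output above; the packet counts are made-up values, since the post's per-minute listing shows only bytes.

```python
from collections import defaultdict

# Constructed sample in the shape of the racluster output above:
# (stime, saddr, daddr, sbytes, dbytes, spkts, dpkts).
# Byte counts come from three of the per-minute records in the post;
# packet counts are invented for illustration.
FLOWS = [
    ("10:44:56", "88.198.153.75", "192.168.0.24", 649506, 27266, 430, 400),
    ("10:45:56", "88.198.153.75", "192.168.0.24", 655562, 25768, 440, 390),
    ("10:55:58", "88.198.153.75", "192.168.0.24", 710066, 30032, 470, 420),
]


def rmon_split(flows):
    """Yield two host-perspective records per bidirectional flow, the way the
    rmon model does: one for saddr (out = sbytes) and one for daddr (out = dbytes).
    Each record is (stime, host, outbytes, inbytes, outpkts, inpkts)."""
    for stime, saddr, daddr, sbytes, dbytes, spkts, dpkts in flows:
        yield (stime, saddr, sbytes, dbytes, spkts, dpkts)
        yield (stime, daddr, dbytes, sbytes, dpkts, spkts)


def aggregate_hosts(flows):
    """Cluster the host-perspective records by host, summing the counters and
    keeping the earliest start time (like the single aggregated line per host
    that the final racluster command in the post produces)."""
    totals = defaultdict(lambda: {"stime": None, "outbytes": 0, "inbytes": 0,
                                  "outpkts": 0, "inpkts": 0})
    for stime, host, ob, ib, op, ip in rmon_split(flows):
        t = totals[host]
        t["stime"] = stime if t["stime"] is None else min(t["stime"], stime)
        t["outbytes"] += ob
        t["inbytes"] += ib
        t["outpkts"] += op
        t["inpkts"] += ip
    return dict(totals)


def top_talkers(flows, metric="bytes", n=10):
    """Rank hosts by what they sent (bytes or packets), highest first.
    Returns a list of (host, first_stime, out_value)."""
    key = "outbytes" if metric == "bytes" else "outpkts"
    ranked = sorted(aggregate_hosts(flows).items(),
                    key=lambda kv: kv[1][key], reverse=True)
    return [(host, t["stime"], t[key]) for host, t in ranked[:n]]


if __name__ == "__main__":
    for host, stime, outbytes in top_talkers(FLOWS):
        print(f"{stime} {host:16} {outbytes}")
```

A useful sanity check on any rmon output is that one host's InBytes must equal the other host's OutBytes for the same pair; the aggregate_hosts result keeps both counters so that can be asserted.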