poking with racluster and rasort
CS Lee
geek00l at gmail.com
Fri May 11 04:07:29 EDT 2007
Hey all,
So you want statistics for the widely used protocols, and want to know how
to get the topN statistics for the network services that are running in your
network. You can cluster with racluster and pipe it to rasort like this
-
racluster -t 2007y04m20d9H+10M -L0 -nn -r argus-test.arg -M rmon -m proto dport \
  -s dport sbytes dbytes -w - - tcp and dst net 192.168.5.0/24 \
  | rasort -m sbytes -s stime proto dport spkts dpkts sbytes dbytes | head -n 11
StartTime Proto Dport SrcPkts DstPkts SrcBytes DstBytes
07/04/20 09:00:00 6 25 346944 221943 400849756 14829953
07/04/20 09:00:00 6 80 437804 559626 70375778 636675919
07/04/20 09:00:00 6 2492 33743 17595 50937888 1164805
07/04/20 09:00:00 6 0 25953 15337 39069745 1068111
07/04/20 09:00:00 6 110 450922 756981 27863431 552961436
07/04/20 09:00:18 6 0 13378 9111 19929731 561435
07/04/20 09:00:05 6 0 28940 19633 18223973 8835968
07/04/20 09:00:00 6 0 13157 7091 17747818 802160
07/04/20 09:00:00 6 0 26844 13611 17123407 830530
07/04/20 09:00:00 6 1533 31691 31121 16501480 12002408
I use head here but you are free to use ra -N. There you are sorting by
source bytes, and you may notice oddness in the rasort dport field. How about
we do this instead -
racluster -t 2007y04m20d9H+10M -L0 -nn -r argus-test.arg -M rmon -m sbytes proto dport \
  -s stime proto dport spkts dpkts sbytes dbytes - tcp or udp and dst net 192.168.5.0/24 \
  | head -n 11
StartTime Proto Dport OutPkts InPkts OutBytes InBytes
07/04/20 09:00:00 tcp smtp 346944 221943 400849756 14829953
07/04/20 09:00:00 tcp http 437804 559626 70375778 636675919
07/04/20 09:00:00 tcp 2492 33743 17595 50937888 1164805
07/04/20 09:00:00 tcp 46677 25953 15337 39069745 1068111
07/04/20 09:00:00 tcp pop3 450922 756981 27863431 552961436
07/04/20 09:00:18 tcp supfil 13378 9111 19929731 561435
07/04/20 09:00:05 tcp 1056 28940 19633 18223973 8835968
07/04/20 09:00:00 tcp 1054 13157 7091 17747818 802160
07/04/20 09:00:00 tcp 1040 26844 13611 17123407 830530
07/04/20 09:00:00 tcp virtua 31691 31121 16501480 12002408
Instead of just clustering using proto dport, I use -m sbytes proto dport, and
the field names also make more sense for the traffic flowing into or out
of the 192.168.5.0/24 network. And the dport field is displayed correctly.
You can get the top packet statistics too -
racluster -t 2007y04m20d9H+10M -L0 -nn -r argus-test.arg -M rmon -m spkts proto dport \
  -s stime proto dport spkts dpkts sbytes dbytes - tcp or udp and dst net 192.168.5.0/24 \
  | head -n 11
StartTime Proto Dport OutPkts InPkts OutBytes InBytes
07/04/20 09:00:00 tcp pop3 450922 756981 27863431 552961436
07/04/20 09:00:00 tcp http 437804 559626 70375778 636675919
07/04/20 09:00:00 tcp smtp 346944 221943 400849756 14829953
07/04/20 09:00:00 tcp 2492 33743 17595 50937888 1164805
07/04/20 09:00:00 tcp virtua 31691 31121 16501480 12002408
07/04/20 09:00:05 tcp 1056 28940 19633 18223973 8835968
07/04/20 09:01:01 tcp 2394 27746 13938 16076344 836809
07/04/20 09:00:00 tcp 1040 26844 13611 17123407 830530
07/04/20 09:00:00 udp domain 26292 26142 2383648 5878133
07/04/20 09:00:00 tcp 46677 25953 15337 39069745 1068111
Now you may notice pop3 leads in the spkts count. Just using -m spkts proto dport
will do. You can actually ignore the stime here as it doesn't make much
sense when you just want to generate overall statistics.
I'm not sure whether I hit the rasort bug, but it doesn't show the dport
properly when sorting.
Thanks.
--
Best Regards,
CS Lee<geekooL[at]gmail.com>
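The clustering and ranking the post performs with racluster and rasort, reimplemented over constructed per-flow records as an added example (this is not code from the original post or from the argus project). The SAMPLE text, the SERVICES table and every function name are assumptions; the input is shaped like `ra -n -s proto dport spkts dpkts sbytes dbytes` output, one flow per line:

```python
"""Cluster per-flow records by (proto, dport) and rank the clusters, the way
`racluster -m proto dport | rasort -m sbytes` does in the post above.

Added example, not code from the original post or the argus project.
Input is constructed text in the shape of `ra -n -s proto dport spkts dpkts
sbytes dbytes` output; SAMPLE, SERVICES and all function names are assumptions.
"""
from collections import defaultdict

# Constructed sample of per-flow lines (one flow per line, numeric ports).
SAMPLE = """\
Proto Dport SrcPkts DstPkts SrcBytes DstBytes
tcp 25 1000 600 1200000 50000
tcp 80 500 700 80000 900000
tcp 25 2000 1200 2500000 90000
udp 53 300 300 24000 60000
tcp 80 900 1200 140000 1600000
tcp 2492 400 200 600000 15000
"""

# Assumption: a small subset of /etc/services, embedded so the example runs
# offline instead of calling socket.getservbyport().
SERVICES = {("tcp", 25): "smtp", ("tcp", 80): "http",
            ("tcp", 110): "pop3", ("udp", 53): "domain"}

COUNTERS = ("spkts", "dpkts", "sbytes", "dbytes")


def parse_flows(text):
    """Turn ra-style text lines into (proto, dport, counters) tuples.
    Header lines and blank lines are skipped; short records raise."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() == "proto":
            continue
        if len(parts) < 6:
            raise ValueError(f"short record: {line!r}")
        proto, dport = parts[0], int(parts[1])
        counters = dict(zip(COUNTERS, (int(v) for v in parts[2:6])))
        flows.append((proto, dport, counters))
    return flows


def cluster(flows):
    """Equivalent of racluster -m proto dport: sum the counters of every
    flow that shares the same (proto, dport) key."""
    agg = defaultdict(lambda: dict.fromkeys(COUNTERS, 0))
    for proto, dport, counters in flows:
        for name in COUNTERS:
            agg[(proto, dport)][name] += counters[name]
    return dict(agg)


def top_n(agg, by="sbytes", n=10):
    """Equivalent of rasort -m <by> | head -n: rank clusters by one counter,
    largest first, and keep the first n."""
    if by not in COUNTERS:
        raise ValueError(f"unknown sort field {by!r}")
    return sorted(agg.items(), key=lambda kv: kv[1][by], reverse=True)[:n]


def port_label(proto, port, numeric=False):
    """numeric=True mimics -n (print the port number); otherwise resolve
    the service name when SERVICES knows it, falling back to the number."""
    if numeric:
        return str(port)
    return SERVICES.get((proto, port), str(port))


def report(text, by="sbytes", n=10, numeric=False):
    """Full pipeline: parse -> cluster -> sort. Returns rows as
    (proto, dport label, spkts, dpkts, sbytes, dbytes) tuples."""
    ranked = top_n(cluster(parse_flows(text)), by=by, n=n)
    return [(proto, port_label(proto, port, numeric),
             c["spkts"], c["dpkts"], c["sbytes"], c["dbytes"])
            for (proto, port), c in ranked]


if __name__ == "__main__":
    print("Proto Dport SrcPkts DstPkts SrcBytes DstBytes")
    for row in report(SAMPLE, by="sbytes", n=5):
        print(" ".join(str(v) for v in row))
```

Calling report(SAMPLE, by="spkts") instead of by="sbytes" gives the packet ranking the post's third command produces, and numeric=True keeps the ports as numbers the way -n does, which is the easiest way to check a name-resolved column against the raw port when a sort output looks odd.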