looking for host that is sending the most bytes
Carter Bullard
carter at qosient.com
Fri May 11 09:49:44 EDT 2007
Hey CS Lee,
The TopN talker is very simple, and racluster does the correct
job, but when you use the "-M rmon" mode, the destination
objects in the flow key are not valid, so don't print the "daddr"
field when you use the "-M rmon" option. I will fix this in
argus-clients-3.0.2, after the initial release.
You should try:
racluster -M rmon -r filename -m saddr -w output.out
I also like:
racluster -M rmon -r filename -m smac saddr -w output.out
as this will provide the bindings of the IP address with the
ethernet address; additional information that is great to have
around. (you can find out if an ethernet address is acting as
a router, or if an interface has multiple address types; ipv4
address and ipv6 address).
Or, if you were interested in what DiffServ markings a particular
IP address was using, and you wanted to know the load, rate
and loss values per DiffServ class:
racluster -M rmon -r filename -m smac saddr stos -w output.out
Now with the output.out file, you can ask for the TopN talkers
on any field:
Top 20 sbytes: rasort -r output.out -m sbytes -w - | ra -N 20
Top 20 spkts: rasort -r output.out -m spkts -w - | ra -N 20
Top 20 rate: rasort -r output.out -m rate -w - | ra -N 20
Everything seems to be working as it is supposed to, but you have
mangled the command options in the "not aggregated" problem
you mention.
> racluster -L0 -nnr http-largefile.arg -M rmon -m sbytes -s stime saddr daddr sbytes dbytes
With this command you are attempting to merge records together if
the "sbytes" value is the same. You are saying you want the aggregation
"key" to be the value of the sbytes field in the records. If racluster()
supported this option, it would provide basically a histogram of offered
bytes per status interval. This is actually the job of rahisto().
rahisto -H sbytes 50:0-10M
While this is a very interesting statistic, racluster() does not
support these fields yet. These are the keywords that racluster supports, from the
manpage:
-m aggregation object
Supported aggregation objects are:
none use a null flow key.
srcid argus source identifier.
smac source mac(ether) addr.
dmac destination mac(ether) addr.
smpls source mpls label.
dmpls destination label addr.
svlan source vlan label.
dvlan destination vlan addr.
saddr/[l|m] source IP addr/[cidr len | m.a.s.k].
daddr/[l|m] destination IP addr/[cidr len | m.a.s.k].
matrix/l sorted src and dst IP addr/cidr len.
proto transaction protocol.
sport source port number.
dport destination port number.
stos source TOS byte value.
dtos destination TOS byte value.
sttl src -> dst TTL value.
dttl dst -> src TTL value.
stcpb src -> dst TCP base sequence number.
dtcpb dst -> src TCP base sequence number.
inode intermediate node, source of ICMP mapped events.
And yes, you can have any number of them in the "-m ...." option.
Keywords other than what is in the list are ignored, so your
"sbytes" and "spkts" examples aren't affecting the output.
It's your "-s fields" option that is generating the different views into
the same data.
Don't hesitate to send this type of mail to the list; it helps in the
design of the tools to see how you want to try to use them.
Carter
PS.
You only need the "-L0" option for the program that is
actually printing values, so when you use "-w", the "-L0" option is ignored.
On May 11, 2007, at 12:55 AM, CS Lee wrote:
> Hey all,
>
> I'm looking for a way to track down which host sends out the most bytes
> in the network (not total bytes of the whole flow but total sbytes).
> I think to track a single metric from one side I should use
> rmon, hence I tried this command -
>
> racluster -L0 -nnr http-largefile.arg -M rmon -s stime saddr daddr sbytes dbytes
> StartTime Host DstAddr OutBytes InBytes
> 10:42:55.679844 88.198.153.75 192.168.0.24 8001957 340637
> 10:42:55.679844 192.168.0.24 88.198.153.75 340637 8001957
>
> As the whole session last around 20 minutes, I tried with rabins
>
> rabins -L0 -nnr http-largefile.arg -M rmon soft time 20m -s stime saddr sbytes dbytes
> StartTime Host OutBytes InBytes
> 10:40:00.000000 192.168.0.24 340637 8001957
> 10:40:00.000000 88.198.153.75 8001957 340637
>
> So this is shown correctly, where 88.198.153.75 sends out the most
> bytes, which is 8001957, and 192.168.0.24 only sends out 340637
> bytes. However, when I use rasort to sort the source bytes -
>
> racluster -L0 -nnr http-largefile.arg -M rmon -w - | rasort -m sbytes -s saddr daddr sbytes
> 192.168.0.24 88.198.153.75 8001957
> 192.168.0.24 88.198.153.75 340637
>
> This doesn't seem to be right. If I just want the flow that
> contains the highest bytes I shouldn't have to use rmon, and that's
> pretty simple to track, but I can't get it right when I just want to
> track the metric of one side. The purpose of this is to track the
> topN talker that is sending out the most bytes, or maybe the most packets when
> possible.
>
> I can use this command but the record is not aggregated -
>
> racluster -L0 -nnr http-largefile.arg -M rmon -m sbytes -s stime saddr daddr sbytes dbytes
> StartTime Host DstAddr OutBytes InBytes
> 10:55:58.995562 88.198.153.75 192.168.0.24 710066 30032
> 10:45:56.612563 88.198.153.75 192.168.0.24 655562 25768
> 10:44:56.585148 88.198.153.75 192.168.0.24 649506 27266
> 10:53:58.059295 88.198.153.75 192.168.0.24 561694 23068
> 10:51:57.595715 88.198.153.75 192.168.0.24 554124 22434
> 10:52:57.774880 88.198.153.75 192.168.0.24 529900 23460
> 10:49:57.309883 88.198.153.75 192.168.0.24 523844 22800
> 10:56:59.007757 88.198.153.75 192.168.0.24 507190 22378
> 10:47:56.964138 88.198.153.75 192.168.0.24 495078 20966
> 10:55:58.995562 192.168.0.24 88.198.153.75 30032 710066
> 10:44:56.585148 192.168.0.24 88.198.153.75 27266 649506
> 10:45:56.612563 192.168.0.24 88.198.153.75 25768 655562
> 10:52:57.774880 192.168.0.24 88.198.153.75 23460 529900
> 10:53:58.059295 192.168.0.24 88.198.153.75 23068 561694
> ........truncated
>
> Then finally I get an idea that aggregation can be done on multiple
> objects at the same time -
>
> racluster -L0 -nnr http-largefile.arg -M rmon -m sbytes saddr daddr -s stime saddr sbytes
> StartTime Host OutBytes
> 10:42:55.679844 88.198.153.75 8001957
> 10:42:55.679844 192.168.0.24 340637
>
> And now I have the host that is sending out the most bytes in sequence,
> and I can do the same with packets -
>
> racluster -L0 -nnr http-largefile.arg -M rmon -m spkts saddr daddr -s stime saddr spkts
> StartTime Host OutPkts
> 10:42:55.679844 88.198.153.75 5289
> 10:42:55.679844 192.168.0.24 4912
>
> I'm not really sure whether I'm right in this sense, but I'm sharing it
> with the people on the mailing list; if you know a better (correct) way
> of doing this, please do let me know. Btw, I'm confused with the rasort
> output though. Maybe Carter can shed some light :)
>
> Thanks.
>
> --
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
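To make the semantics Carter describes concrete, the following is a small model of what the pipelines in this thread compute: "-M rmon" splitting each bidirectional flow into one record per endpoint (so "sbytes" always means bytes that host transmitted and "daddr" stops being meaningful), racluster "-m" aggregation that silently ignores unsupported keys such as "sbytes", the "rasort ... | ra -N" top-N step, and the rahisto-style histogram that "-m sbytes" was really asking for. This is added example code, not argus source. Assumptions: records are plain dicts with the ra column names used in the thread, the input records are constructed (hosts taken from the thread, byte and packet counts made up), falling back to a saddr/daddr/proto/sport/dport key when no supported key is given is a guess at racluster's default, and the K/M/G suffix parsing of a "50:0-10M" histogram spec is a guess at rahisto's syntax.

```python
"""Model of the argus pipelines discussed in the thread.  Added example code,
not argus source; see the lead-in for the assumptions it makes."""

# Aggregation objects racluster accepts for "-m" (the manpage list quoted in
# the thread).  Anything else on the key list, e.g. "sbytes", is ignored.
AGG_KEYS = {"srcid", "smac", "dmac", "smpls", "dmpls", "svlan", "dvlan", "saddr",
            "daddr", "matrix", "proto", "sport", "dport", "stos", "dtos", "sttl",
            "dttl", "stcpb", "dtcpb", "inode"}
DEFAULT_KEY = ("saddr", "daddr", "proto", "sport", "dport")  # assumed default flow key
METRICS = ("sbytes", "dbytes", "spkts", "dpkts")

# Constructed status-interval records: hosts from the thread, counts made up.
RECORDS = [
    {"stime": "10:42:55", "saddr": "88.198.153.75", "daddr": "192.168.0.24",
     "smac": "00:00:5e:00:53:01", "dmac": "00:00:5e:00:53:02", "proto": "tcp",
     "sport": 80, "dport": 51234, "sbytes": 700000, "dbytes": 30000, "spkts": 500, "dpkts": 450},
    {"stime": "10:43:55", "saddr": "88.198.153.75", "daddr": "192.168.0.24",
     "smac": "00:00:5e:00:53:01", "dmac": "00:00:5e:00:53:02", "proto": "tcp",
     "sport": 80, "dport": 51234, "sbytes": 650000, "dbytes": 25000, "spkts": 460, "dpkts": 400},
    {"stime": "10:43:10", "saddr": "10.0.0.5", "daddr": "192.168.0.24",
     "smac": "00:00:5e:00:53:03", "dmac": "00:00:5e:00:53:02", "proto": "tcp",
     "sport": 443, "dport": 51300, "sbytes": 120000, "dbytes": 900000, "spkts": 300, "dpkts": 700},
]

# Source/destination object pairs that swap when a flow is viewed from the responder.
PAIRS = (("saddr", "daddr"), ("smac", "dmac"), ("sport", "dport"),
         ("sbytes", "dbytes"), ("spkts", "dpkts"))


def rmon(records):
    """'-M rmon': emit one host-centric record per endpoint.  The responder's copy
    has its src/dst objects and counters swapped, so 'sbytes' always means bytes
    that host transmitted; the 'daddr' left behind is not a usable key."""
    out = []
    for r in records:
        out.append(dict(r))
        rev = dict(r)
        for a, b in PAIRS:
            rev[a], rev[b] = r[b], r[a]
        out.append(rev)
    return out


def racluster(records, keys):
    """Merge records that share the same values of the supported '-m' keys,
    summing the counters and keeping the earliest start time."""
    keys = tuple(k for k in keys if k in AGG_KEYS) or DEFAULT_KEY  # unsupported keys ignored
    merged = {}
    for r in records:
        k = tuple(r.get(f) for f in keys)
        agg = merged.get(k)
        if agg is None:
            agg = merged[k] = {f: r.get(f) for f in keys}
            agg["stime"] = r["stime"]
            agg.update({m: 0 for m in METRICS})
        agg["stime"] = min(agg["stime"], r["stime"])
        for m in METRICS:
            agg[m] += r[m]
    return list(merged.values())


def top_n(records, field, n):
    """'rasort -m field -w - | ra -N n': descending sort on one field, keep n."""
    return sorted(records, key=lambda r: r[field], reverse=True)[:n]


_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_histo_spec(spec):
    """Parse a rahisto-style 'bins:lo-hi' spec such as '50:0-10M'.
    The K/M/G suffix handling is an assumption about rahisto's syntax."""
    bins, rng = spec.split(":")
    lo, hi = rng.split("-")

    def num(s):
        s = s.upper()
        return int(s[:-1]) * _SUFFIX[s[-1]] if s[-1] in _SUFFIX else int(s)

    return int(bins), num(lo), num(hi)


def rahisto(records, field, spec):
    """Histogram of a per-record metric: the distribution '-m sbytes' was after."""
    bins, lo, hi = parse_histo_spec(spec)
    width = (hi - lo) / bins
    counts = [0] * bins
    for r in records:
        v = r[field]
        if lo <= v < hi:
            counts[min(int((v - lo) / width), bins - 1)] += 1
    return counts


if __name__ == "__main__":
    # racluster -M rmon -m smac saddr, then top talkers by sbytes
    hosts = racluster(rmon(RECORDS), ["smac", "saddr"])
    for r in top_n(hosts, "sbytes", 20):
        print(r["stime"], r["smac"], r["saddr"], r["sbytes"], r["spkts"])
    # rahisto -H sbytes 10:0-1M over the per-endpoint records
    print(rahisto(rmon(RECORDS), "sbytes", "10:0-1M"))
```

Passing "sbytes" as a key has no effect in this model, just as Carter describes: the three per-host totals come out the same whether the key list is "saddr" or "sbytes saddr", and the top-N ordering changes only with the field handed to the sort step.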