parsing argus data for top destination ports

Thu Nov 29 15:30:43 EST 2007

Hey Scott,
Two things we need to change.

Remove the "-M rmon" call, since you want to tally the destination port.  The "rmon" mode basically removes the direction in the flow records.

The ports are only meaningful when you also have the proto field, so modify your "-m dport" to "-m proto dport".  And you should consider a filter to pick up just the udp and tcp traffic.  "-- tcp oer udp".

Because you may get 2 entries for a given port (one for udp and one foer tcp) you may also want to print the proto field.

That should help!!!

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

-----Original Message-----
From: ScottO <skippylou at gmail.com>

Date: Wed, 28 Nov 2007 14:49:58 
To:argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] parsing argus data for top destination ports

I am trying to go through an argus data capture, tally up the # of bytes 
  and sort by destination port - basically to see a most traffic goes to 
which destination port # type list in a give chunk of time.  I have the 
following, it pulls a top 20 of the bytes, but no destination ports or 
anything else get printed.  I'm sure it is something stupid I'm doing, 
and hope an extra set of eyes will point me in the right direction.

racluster -R /data/argus/arg_cap_11280700 -M rmon -m dport -w - | rasort 
-m bytes -w - | ra -N 20 -s dport bytes:14

Output ends up looking like:
           38663442816
           14960249022
           14815537634
           12783448957
            5963030683
            5832721488
            2398252032
            2398205907
	   ...<snip>...

Thanks in advance.

Scott