parsing argus data for top destination ports
ScottO
skippylou at gmail.com
Thu Nov 29 15:39:47 EST 2007
Works great now Carter! Thanks!
Carter Bullard wrote:
> Hey Scott,
> Two things we need to change.
>
> Remove the "-M rmon" call, since you want to tally the destination port. The "rmon" mode basically removes the direction in the flow records.
>
> The ports are only meaningful when you also have the proto field, so modify your "-m dport" to "-m proto dport". And you should consider a filter to pick up just the udp and tcp traffic. "-- tcp or udp".
>
> Because you may get 2 entries for a given port (one for udp and one for tcp) you may also want to print the proto field.
>
> That should help!!!
>
> Carter
>
>
> Carter Bullard
> QoSient LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> -----Original Message-----
> From: ScottO <skippylou at gmail.com>
>
> Date: Wed, 28 Nov 2007 14:49:58
> To:argus-info at lists.andrew.cmu.edu
> Subject: [ARGUS] parsing argus data for top destination ports
>
>
> I am trying to go through an argus data capture, tally up the # of bytes
> and sort by destination port - basically to see a most traffic goes to
> which destination port # type list in a given chunk of time. I have the
> following, it pulls a top 20 of the bytes, but no destination ports or
> anything else get printed. I'm sure it is something stupid I'm doing,
> and hope an extra set of eyes will point me in the right direction.
>
> racluster -R /data/argus/arg_cap_11280700 -M rmon -m dport -w - | rasort
> -m bytes -w - | ra -N 20 -s dport bytes:14
>
> Output ends up looking like:
> 38663442816
> 14960249022
> 14815537634
> 12783448957
> 5963030683
> 5832721488
> 2398252032
> 2398205907
> ...<snip>...
>
> Thanks in advance.
>
> Scott
>
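Carter's two fixes, put together, give a pipeline of the form `racluster -R /data/argus/arg_cap_11280700 -m proto dport -w - -- tcp or udp | rasort -m bytes -w - | ra -N 20 -s proto dport bytes:14`. The script below is an added illustration of why each fix matters; it is not part of the thread and not argus code. It aggregates a handful of constructed flow records the way `racluster -m ... | rasort -m bytes | ra -N` does, first keyed on `dport` alone and then on `proto dport`, and it models "rmon" only as Carter describes it (direction dropped, so a record is credited to both endpoints' ports), which is a simplification of what the real `-M rmon` mode produces. Field names mirror ra(1) field names; the records themselves are made up.

```python
"""Byte tallies per destination port, mimicking the corrected argus pipeline
(racluster -m proto dport | rasort -m bytes | ra -N 20) on constructed data.

Added example for the thread above; not argus code. The flow records are
constructed, and rmon_tally() is a simplification based only on the remark
that rmon "removes the direction in the flow records".
"""
from collections import defaultdict

FIELDS = ("proto", "saddr", "sport", "daddr", "dport", "bytes")

# Constructed bidirectional flow records: (proto, saddr, sport, daddr, dport, bytes)
FLOWS = [
    ("tcp", "10.0.0.5", 51000, "10.0.0.10", 80, 4000),
    ("tcp", "10.0.0.6", 51001, "10.0.0.10", 80, 6000),
    ("udp", "10.0.0.5", 40000, "10.0.0.20", 53, 300),
    ("udp", "10.0.0.7", 40001, "10.0.0.20", 53, 200),
    ("udp", "10.0.0.8", 40002, "10.0.0.21", 80, 900),   # udp/80: same number as tcp/80
    ("tcp", "10.0.0.9", 53, "10.0.0.22", 443, 1500),    # tcp flow with *source* port 53
]


def tally(flows, keys, top_n=20):
    """Sum bytes over the aggregation key `keys` (a subset of FIELDS) and return
    the top_n (key, bytes) pairs, largest first.  This is the combination of
    racluster -m <keys>, rasort -m bytes and ra -N <top_n>."""
    idx = [FIELDS.index(k) for k in keys]
    totals = defaultdict(int)
    for rec in flows:
        key = tuple(rec[i] for i in idx)
        totals[key] += rec[FIELDS.index("bytes")]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top_n]


def rmon_tally(flows, top_n=20):
    """Simplified model of tallying after "-M rmon": with direction removed,
    every record counts toward the port at *each* end, so a later "dport"
    tally is polluted by client-side source ports.  Modelled on the thread's
    one-line description, not on the real racluster implementation."""
    totals = defaultdict(int)
    for proto, _saddr, sport, _daddr, dport, nbytes in flows:
        totals[(proto, sport)] += nbytes
        totals[(proto, dport)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top_n]


def report(rows):
    """Render rows roughly like 'ra -s proto dport bytes:14' (proto/dport key
    fields, then bytes right-aligned in 14 columns)."""
    return "\n".join(" ".join(str(k) for k in key) + f" {nbytes:>14d}" for key, nbytes in rows)


if __name__ == "__main__":
    print("dport only (tcp/80 and udp/80 are merged):")
    print(report(tally(FLOWS, ("dport",))))
    print("\nproto dport (what Carter recommends):")
    print(report(tally(FLOWS, ("proto", "dport"))))
    print("\nafter rmon-style direction removal (source ports leak in):")
    print(report(rmon_tally(FLOWS)))
```

Keyed on `dport` alone, port 80 shows 10900 bytes because tcp/80 and udp/80 are folded together; with `proto dport` they separate into 10000 and 900, which is the "2 entries for a given port" Carter mentions and why printing `proto` in the `ra -s` list is useful. The rmon model shows ephemeral client ports such as 51001 climbing the top-N list, so the ranking no longer answers "which destination port receives the most traffic".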