Argus-info Digest, Vol 27, Issue 21

CS Lee geek00l at gmail.com
Thu Nov 29 19:56:00 EST 2007


Hi Scott,

It depends on what you want, but for example, if you want to find out which
destination port receives the most traffic (not the traffic originated by the
destination port, but the most bytes sent by the src to the dst port) in your
network 192.168.5.0/24, you can do something like this -

racluster -m proto dport -r whatever.pcap -w - - dst net 192.168.5.0/24 | \
rasort -m sbytes -w - | \
ra -L0 -N 10 -n -s sbytes dport
SrcBytes  Dport
        8212 1025
        6034 1026
        1700 1027
        1700 1028
        1700 1029
        1288 2745
        1116 4899
        1054 5554
         978 80
         836 1434

That way you will see the incoming bytes that go to each destination port in
network 192.168.5.0. I don't think it's a good idea to use -M rmon here
unless you want to find out which port has the most bytes. Maybe Carter can
give you the best idea.

Cheers ;]




On Nov 30, 2007 1:00 AM, <argus-info-request at lists.andrew.cmu.edu> wrote:

> Today's Topics:
>
>   1.  parsing argus data for top destination ports (ScottO)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 28 Nov 2007 14:49:58 -0500
> From: ScottO <skippylou at gmail.com>
> Subject: [ARGUS] parsing argus data for top destination ports
> To: argus-info at lists.andrew.cmu.edu
> Message-ID: <474DC666.8000006 at gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> I am trying to go through an argus data capture, tally up the # of bytes
> and sort by destination port - basically to see a "most traffic goes to
> which destination port #" type list in a given chunk of time.  I have the
> following; it pulls a top 20 of the bytes, but no destination ports or
> anything else get printed.  I'm sure it is something stupid I'm doing,
> and hope an extra set of eyes will point me in the right direction.
>
> racluster -R /data/argus/arg_cap_11280700 -M rmon -m dport -w - | rasort -m bytes -w - | ra -N 20 -s dport bytes:14
>
> Output ends up looking like:
>           38663442816
>           14960249022
>           14815537634
>           12783448957
>            5963030683
>            5832721488
>            2398252032
>            2398205907
>           ...<snip>...
>
> Thanks in advance.
>
> Scott
>
>



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>

http://geek00l.blogspot.com
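To make the clustering and sort step of that pipeline concrete without an argus install, here is an added example (not from the thread or from the argus project): a shell function that reads constructed per-flow lines in the shape of `ra -n -s sbytes dbytes dport` output and sums the chosen counter per destination port, the way `racluster -m dport` followed by `rasort` does, so the ordering by src-to-dst bytes can be compared with the ordering by returned bytes. `SAMPLE_FLOWS` and `top_dports` are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: emulate what "racluster -m dport | rasort"
# does to per-flow records, so the two byte counters the reply distinguishes
# (sbytes: sent by src to the dst port; dbytes: sent back) can be compared.
# SAMPLE_FLOWS is constructed stand-in data for "ra -n -s sbytes dbytes dport".

SAMPLE_FLOWS='sbytes dbytes dport
1200   300   80
400    90    1025
700    120   80
7400   2000  1025
978    50    80
1288   0     2745'

# top_dports <field> <N>: sum <field> per destination port, print the N largest.
# <field> is "sbytes" or "dbytes"; the header line names the columns.
top_dports() {
    field=$1; n=$2
    awk -v f="$field" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }  # map names to columns
        { sum[$(col["dport"])] += $(col[f]) }                     # cluster by dport
        END { for (p in sum) printf "%10d %s\n", sum[p], p }
    ' | sort -k1,1nr | head -n "$n"
}

# Run with the argument "demo" to print both orderings on the constructed data.
if [ "${1:-}" = "demo" ]; then
    echo "by sbytes:"; echo "$SAMPLE_FLOWS" | top_dports sbytes 3
    echo "by dbytes:"; echo "$SAMPLE_FLOWS" | top_dports dbytes 3
fi
```

On the constructed data port 1025 tops both lists, but port 80 and 2745 only separate clearly when sorting on sbytes, which is the counter the reply recommends for "bytes sent to the destination port".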