argus suggestions please

Carter Bullard carter at qosient.com
Fri Oct 5 14:19:51 EDT 2007


Hey Michael,
I think asking these questions is great!!!  It gets examples into the
mailing list, where people can search etc....

So, you have a daily directory and you want a report based on IP top
talkers.  Let's say the directory is in the standard argus archive format,
and we'll do yesterday.  Here is the set of commands that I would use:

   racluster -R archive/2007/10/04 -M norep -w - -- ip | \
   racluster -M rmon -m saddr -w - | \
   rasort -m bytes -s saddr trans:10 sbytes:14 dbytes:14

So what does this do:
   racluster -R archive... -M norep -w - -- ip
      This program will read in a day's worth of IP data and assemble all
      the flow status reports into individual flow reports.  We need to do
      this because you said you wanted to know how many flows there were.
      The "-M norep" option sez don't report the merge statistics for
      aggregations.  This allows for a single record to be tallied as a
      single flow.  And we write the output to stdout.

   racluster -M rmon -m saddr -w -
      This program will read in the stream of single flow reports from
      stdin and generate the top talker stats.  The rmon option pushes the
      identifiers to the src fields, and the -m option, and write the
      output to stdout.

   rasort -m bytes -s saddr trans:10 sbytes:14 dbytes:14
      This program sorts the output based on total bytes for each top
      talker, and prints out the IP address, the number of flows, the
      bytes transmitted by the talker and the bytes received.

   Now if you want the top 20 talkers, you need to select the first 20
   records from the rasort(), to do this:

   racluster -R archive/2007/10/04 -M norep -w - -- ip | \
   racluster -M rmon -m saddr -w - | \
   rasort -m bytes -w - | \
   ra -N 20 -s saddr trans:10 sbytes:14 dbytes:14


If you try this and get something weird, send mail!!  It would be
good if we can get a "standard" set of calls that people understand.

Carter

Michael Hornung wrote:
> I have an ra reading from a remote argus collector 24x7, and every 5 
> minutes the argus file is archived; at the end of a day I have 290 
> files representing the traffic from that day.
>
> Let's say I want to make a list of the top talkers, sorted by total 
> bytes transferred.  Given those top talkers, I want to see the 
> following as text, and/or alternately graphed, for each top talker:
>
> IP
> # flows
> # bytes rcvd
> # bytes sent
>
> Can you recommend a command-line that's going to give me this?  The 
> profusion of argus utilities and a lack of examples is making this 
> hard for me.  Thanks.
>
> -Mike
>
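Carter's pipeline above, wrapped as a reusable daily report script. This is an added example, not code from the thread or from the argus project: it assumes the archive/YYYY/MM/DD layout described in the mail and that racluster, rasort and ra are on PATH; ARCHIVE_ROOT and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread: the top-talker pipeline
# as a script that takes the day and the record count as arguments.
# Assumes archive/YYYY/MM/DD under ARCHIVE_ROOT (hypothetical variable)
# and the argus clients racluster, rasort and ra on PATH.

ARCHIVE_ROOT="${ARCHIVE_ROOT:-archive}"

# Map an ISO date (2007-10-04) to the day's archive directory
# (archive/2007/10/04). Anything that is not YYYY-MM-DD is rejected so a
# typo cannot turn into an unexpected path under the archive root.
archive_path() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "bad date: $1 (want YYYY-MM-DD)" >&2; return 1 ;;
    esac
    printf '%s/%s\n' "$ARCHIVE_ROOT" "$(printf '%s' "$1" | tr - /)"
}

# Top N IP talkers for one day: merge the status records into single
# flows (-M norep), aggregate per source address (rmon), sort by bytes,
# then print address, flow count, bytes sent and bytes received.
# Refuses to run when the day's directory is missing, so a wrong date
# fails loudly instead of producing an empty report.
top_talkers() {
    day_dir=$(archive_path "$1") || return 1
    n=${2:-20}
    if [ ! -d "$day_dir" ]; then
        echo "no archive directory: $day_dir" >&2
        return 1
    fi
    racluster -R "$day_dir" -M norep -w - -- ip |
        racluster -M rmon -m saddr -w - |
        rasort -m bytes -w - |
        ra -N "$n" -s saddr trans:10 sbytes:14 dbytes:14
}

# Usage: sh top_talkers.sh 2007-10-04 20
if [ -n "${1:-}" ]; then
    top_talkers "$1" "${2:-20}"
fi
```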
