ratop
CS Lee
geek00l at gmail.com
Tue Oct 23 10:42:20 EDT 2007
Hi Carter,
Thanks for the reminder (I think I have my racluster file screwed); the one-time
command parsing seems to be right -
argus -U 512 -mAJRr loadbalance.pcap -w - | \
racluster -nM norep -w - | \
racluster -M norep rmon -m smac saddr daddr -w - - appbytes gt 0 |\
racluster -m smac saddr -s +1smac +2dmac - src net 10.0.0.0/24 and not dst net 10.0.0.0/24 and src pkts gt 0
19:33:06.063023 0:1b:77:5b:f4:3f 0:50:e8:2:3d:ca e ip 10.0.0.46 <-> 0.0.0.0 3 3 629 198 CON
I understand this part now and proceed to learn the latter part in the
script, thanks a lot!
On 10/23/07, Carter Bullard <carter at qosient.com> wrote:
>
> Hey CS Lee,
>
> OK, I do not get the results you get on any machine I have.
> I suspect that your loadbalance.racluster file has data from prior runs in
> it.
> Just as a reminder all the ra* programs append data to existing files, so
> you have to make sure that the intermediate files are empty, or
> non-existent.
>
> When I pipe the data I get the correct results.
>
> If this is not the issue, then what versions of client code are you
> running?
>
> racluster -M norep -r load*arg -s +1smac +2dmac
> StartTime SrcMac DstMac Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> 07:33:06.063023 0:1b:77:5b:f4:3f 0:50:e8:2:3d:ca e tcp 10.0.0.46.36024 -> 216.67.244.22.http 6 827 RST
> 07:33:27.653232 0:1b:77:5b:f4:3f 0:50:e8:2:3d:ca e tcp 10.0.0.46.45640 -> 216.67.244.22.http 4 278 RST
> 07:33:57.899913 0:1b:77:5b:f4:3f 0:50:e8:2:3d:ca e tcp 10.0.0.46.2540 -> 216.67.244.22.http 3 168 RST
> 07:33:58.907789 0:1b:77:5b:f4:3f 0:50:e8:2:3d:ca e tcp 10.0.0.46.2541 -> 216.67.244.22.http 3 168 RST
> 07:33:59.915817 0:1b:77:5b:f4:3f 0:50:e8:2:3d:ca e tcp 10.0.0.46.2542 -> 216.67.244.22.http 3 168 RST
> 07:34:00.923744 0:1b:77:5b:f4:3f 0:50:e8:2:3d:ca e tcp 10.0.0.46.2543 -> 216.67.244.22.http 3 168 RST
> 07:34:01.931729 0:1b:77:5b:f4:3f 0:50:e8:2:3d:ca e tcp 10.0.0.46.2544 -> 216.67.244.22.http 3 168 RST
> 07:34:02.939714 0:1b:77:5b:f4:3f 0:50:e8:2:3d:ca e tcp 10.0.0.46.2545 -> 216.67.244.22.http 3 168 RST
>
> racluster -M norep -r load*arg -w - | racluster -M norep rmon -m smac saddr daddr -s +1smac +2dmac - appbytes gt 0
> StartTime Mac DstMac Flgs Proto Host Sport Dir DstAddr Dport TotPkts TotBytes State
> 07:33:06.063023 0:1b:77:5b:f4:3f 0:50:e8:2:3d:ca e ip 10.0.0.46 <-> 216.67.244.22 6 827 CON
> 07:33:06.063023 0:50:e8:2:3d:ca 0:1b:77:5b:f4:3f e ip 216.67.244.22 <-> 10.0.0.46 6 827 CON
>
> racluster -M norep -r load*arg -w - | racluster -M norep rmon -m smac saddr daddr -w - - appbytes gt 0 | racluster -m smac saddr -s +1smac +2dmac - src net 10.0.0.0/24 and not dst net 10.0.0.0/24 and src pkts gt 0
> StartTime SrcMac DstMac Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> 07:33:06.063023 0:1b:77:5b:f4:3f 0:50:e8:2:3d:ca e ip 10.0.0.46 <-> 0.0.0.0 6 827 CON
>
> And the final result should be:
>
> racluster -M norep -r load*arg -w - | racluster -M norep rmon -m smac saddr daddr -w - - appbytes gt 0 | racluster -L-1 -m smac saddr -s saddr - src net 10.0.0.0/24 and not dst net 10.0.0.0/24 and src pkts gt 0
>
> 10.0.0.46
>
> This is your internal IP address list that sent data to potential
> external scanners.
>
> Carter
>
> On Oct 23, 2007, at 1:07 AM, CS Lee wrote:
>
> racluster -M norep rmon -m smac saddr daddr -r loadbalance.racluster -w - - appbytes gt 0
>
--
Best Regards,
CS Lee <geekooL[at]gmail.com>
http://geek00l.blogspot.com
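As an added example (not code from this thread or from the argus project), the following Python script emulates the filtering and aggregation logic of Carter's final pipeline on constructed flow records: drop flows without application bytes, keep only internal sources talking to external destinations, sum the counters per (smac, saddr), and list the internal addresses that actually sent packets. The record dicts, field names and sample addresses are assumptions for illustration; the script does not reproduce racluster's rmon mode itself, only the selection that follows it.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real captures); keys mirror the ra(1) fields the
# thread's pipeline filters on: smac, saddr, daddr, src pkts, appbytes.
FLOWS = [
    # Internal host answering an external scanner with payload (the 827-byte record).
    dict(smac="0:1b:77:5b:f4:3f", saddr="10.0.0.46", daddr="216.67.244.22", spkts=6, appbytes=827),
    # Payload-less probe replies: dropped by "appbytes gt 0".
    dict(smac="0:1b:77:5b:f4:3f", saddr="10.0.0.12", daddr="216.67.244.22", spkts=3, appbytes=0),
    # Internal-to-internal traffic: dropped by "not dst net 10.0.0.0/24".
    dict(smac="0:1b:77:5b:f4:3f", saddr="10.0.0.7", daddr="10.0.0.99", spkts=10, appbytes=4096),
    # The scanner's own side of the conversation: dropped by "src net 10.0.0.0/24".
    dict(smac="0:50:e8:2:3d:ca", saddr="216.67.244.22", daddr="10.0.0.46", spkts=6, appbytes=827),
    # Host that only received payload and never sent a packet: dropped by "src pkts gt 0".
    dict(smac="0:1b:77:5b:f4:3f", saddr="10.0.0.20", daddr="203.0.113.8", spkts=0, appbytes=120),
    # A second qualifying host, split across two flows to exercise the aggregation.
    dict(smac="0:1b:77:5b:f4:40", saddr="10.0.0.5", daddr="198.51.100.9", spkts=0, appbytes=60),
    dict(smac="0:1b:77:5b:f4:40", saddr="10.0.0.5", daddr="198.51.100.9", spkts=2, appbytes=90),
]


def aggregate_by_host(flows, internal_net="10.0.0.0/24"):
    """Apply 'appbytes gt 0' and 'src net X and not dst net X', then sum the
    counters per (smac, saddr) the way 'racluster -m smac saddr' does."""
    net = ipaddress.ip_network(internal_net)
    agg = defaultdict(lambda: {"spkts": 0, "appbytes": 0})
    for f in flows:
        if f["appbytes"] <= 0:  # probes that never carried application data
            continue
        src, dst = ipaddress.ip_address(f["saddr"]), ipaddress.ip_address(f["daddr"])
        if src not in net or dst in net:  # keep only internal -> external
            continue
        key = (f["smac"], f["saddr"])
        agg[key]["spkts"] += f["spkts"]
        agg[key]["appbytes"] += f["appbytes"]
    return dict(agg)


def internal_hosts_that_sent_data(flows, internal_net="10.0.0.0/24"):
    """The final '-L-1 -s saddr ... src pkts gt 0' step: unique internal
    addresses that actually sent packets, sorted numerically."""
    agg = aggregate_by_host(flows, internal_net)
    hosts = {saddr for (_, saddr), v in agg.items() if v["spkts"] > 0}
    return sorted(hosts, key=ipaddress.ip_address)


if __name__ == "__main__":
    for host in internal_hosts_that_sent_data(FLOWS):
        print(host)
```

Because the counters are summed before the "src pkts gt 0" test, a host whose first flow shows zero source packets still appears once a later flow shows it sending, which is why the two 10.0.0.5 records collapse into one qualifying entry.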