Flow Counting

Nick Diel nick at engineerity.com
Tue Apr 8 14:23:40 EDT 2008


I am interested in counting the number of flows for things such as source
address, IP pairs, time intervals, etc.  This is closely related to Stéphane
Peters's email: "Counting flows by time interval in argus."

After using racluster to merge status flow records, you have a file where a
record represents a flow.  You can of course use racount with a filter to
tell you some of this information, but it seems quite impractical to do
things such as finding the IP pair generating the most flows.  You could also
use a set of pipes or scripts (as Stéphane Peters showed us), but this would
require modification every time you wanted something slightly different.

Maybe there is a way using ra tools to do this already and I am missing it.
If not maybe we can get racluster (when specified) or another tool to "zero
out"/set the trans count to 1 after we have merged status flow records.
This way things such as racluster -r mergedRecords.argus -m saddr -s +trans
will now list how many flows there are for each source address.

I am curious what the group has to say about this.  Is something like this
already possible?  Is this information useful to other people than me?
Would modifying the trans column present too much ambiguity, i.e. "under
these circumstances the trans column can represent number of flows else it
represents aggregated record count"?


Nick
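The counting the post asks for (flows per source address, per IP pair, per time interval, and "which pair generates the most flows") can be done generically over the one-record-per-flow output that racluster produces. The script below is an added example and is not part of the original post or of the argus tool set; it assumes whitespace-separated ra output with a header line (column names StartTime, SrcAddr, DstAddr, Proto are the assumed header labels) and the sample lines are constructed, not real argus data. The key fields are passed as a parameter, so the same code answers any of the questions in the post without rewriting a pipeline each time.

```python
from collections import Counter

# Constructed sample, NOT real argus output: whitespace-separated columns with a
# header line, roughly what printing stime/saddr/daddr/proto fields would look
# like after racluster has merged status records so that each line is one flow.
# StartTime is assumed to be epoch seconds.
SAMPLE_RA_OUTPUT = """\
StartTime SrcAddr DstAddr Proto
1207672800.10 10.0.0.1 192.168.1.10 tcp
1207672801.20 10.0.0.1 192.168.1.10 tcp
1207672805.00 10.0.0.2 192.168.1.10 udp
1207672861.50 10.0.0.1 192.168.1.20 tcp
1207672870.00 10.0.0.3 192.168.1.10 tcp
1207672875.00 10.0.0.1 192.168.1.10 tcp
"""


def parse_ra_lines(text):
    """Turn header + data lines into a list of dicts keyed by column name.

    Malformed lines (wrong column count) are skipped rather than crashing the
    count, since a field such as a missing destination would otherwise shift
    every later column.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        parts = line.split()
        if len(parts) != len(header):
            continue  # skip malformed line
        rows.append(dict(zip(header, parts)))
    return rows


def count_flows(rows, key_fields, interval=None, time_field="StartTime"):
    """Count flows per key, where key is a tuple of the chosen column values.

    If `interval` (seconds) is given, each key is prefixed with the start of
    the time bucket the flow began in, which gives the per-interval counts
    from the "Counting flows by time interval" thread for free.
    """
    counts = Counter()
    for row in rows:
        key = tuple(row[f] for f in key_fields)
        if interval:
            bucket = int(float(row[time_field]) // interval) * interval
            key = (bucket,) + key
        counts[key] += 1  # one record == one flow after racluster merging
    return counts


def top_flows(counts, n=1):
    """Return the n keys with the most flows, highest first."""
    return counts.most_common(n)


if __name__ == "__main__":
    rows = parse_ra_lines(SAMPLE_RA_OUTPUT)
    print("flows per source address:")
    for key, n in count_flows(rows, ("SrcAddr",)).most_common():
        print(f"  {key[0]:<16} {n}")
    print("busiest IP pair:", top_flows(count_flows(rows, ("SrcAddr", "DstAddr")))[0])
    print("flows per 60s interval:", dict(count_flows(rows, (), interval=60)))
```

Running the script over the constructed sample reports four flows from 10.0.0.1, the pair 10.0.0.1 -> 192.168.1.10 as the busiest with three flows, and three flows in each of the two 60-second buckets. Swapping in real output is a matter of piping ra's printed fields into parse_ra_lines and naming the columns that were printed.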

