Counting flows by time interval in argus

[Nick Diel]

I wanted to add in a solution Carter just showed me so it was part of this
thread if anyone was searching.

This example assumes you have already merged status flow records, so records
= flows, if not add another pipe of racluster.

rastrip -r $file -M -agr -w - | rabins -M soft time 10m -m srcid -s stime
trans -c , -F raTime.conf > flowcounts.csv

raTime.conf contents (you could also add this to your rarc file):
RA_TIME_FORMAT="%H:%M"

If you have multiple collectors, you can have rabins merge on something else
such as proto if you are filtering on tcp.

Nick


On Wed, Mar 26, 2008 at 1:04 PM, Stéphane Peters <stephane.peters at forem.be>
wrote:

> Hello,
>
> Here is an example of counting flows I have just used,
> to compare print flows seen by argus (filtered on port 9100)
> with print requests seen by our batch server (found in a csv file).
> Both lists have been feed in a spreadsheet to make a nice graphic
> comparison.
>
> If someone sees a better way to do this within ra* clients without the
> unixes filters,
> I will be happy to see how to do it.
>
> Example saved on the wiki:
>
> > Count flows by groups of 10 minutes : show only the flow start times,
> > cut after the 10ths of minutes, add a trailing zero and delete heading
> > spaces to show a nice HH:MM line, count them, invert columns, insert a
> > delimitor.  Ready to be feed in your favorite spreadsheet.
> >  ra -s stime -p 0 -nr $file |\
> >    cut -c -7 |\
> >    uniq -c | \
> >    sed -e 's/$/0/' \
> >        -e 's/^ *//' \
> >        -e 's/\(.*\) *\(.*\)/\2,\1/' > flowcounts.csv
> >
>
> Regards,
>
> --
> Stephane.Peters at forem.be, Postmaster at forem.be
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20080408/12204074/attachment.html>