Wikified ! ( but rabins question remains ) [Re: Counting flows by time interval in argus

Stéphane Peters stephane.peters at forem.be
Wed Apr 9 07:12:08 EDT 2008 

Hello Nick,

this is a nice example, clean, direct to the point!

It has been put on the wiki :
    http://www.vorant.com/nsmwiki/Argus#Examples
Feel free to add more stuff to the wiki.

I still find a difference in the counts; perhaps does it come from rabins ?
More investigation to come ...

Here are some small comparisons of a sample of records : rabins has 
added 10 trans in 7333 records
> file=stripped.ra
> % racount -r $file
> racount   records     total_pkts     src_pkts       dst_pkts       
> total_bytes        src_bytes          dst_bytes
>     sum   *7334*        107877         54241          53636          
> 38921003           6407386            32513617
> % ra -nr $file  -s trans - ip | uniq -c
>       1  Trans
>    *7333*      1
> % ra -nr $file  -s trans pkts spkts dpkts bytes sbytes dbytes - ip | tot
> *7,333*k  107,877k        54,241k 53,636k 38,921m 6,40739m        32,5136m
> % rabins -r $file -M soft time 10m -m srcid -s stime trans | tot
> 259     311    * 7,343*k
I don't know why rabins has counted 7343 trans instead of 7333,
even why does racount talk about 7334 instead of 7333.




Nick Diel a écrit :
> I wanted to add in a solution Carter just showed me so it was part of 
> this thread if anyone was searching.
>
> This example assumes you have already merged status flow records, so 
> records = flows, if not add another pipe of racluster.
>
> rastrip -r $file -M -agr -w - | rabins -M soft time 10m -m srcid -s 
> stime trans -c , -F raTime.conf > flowcounts.csv
>
> raTime.conf contents (you could also add this to your rarc file):
> RA_TIME_FORMAT="%H:%M"
>
> If you have multiple collectors, you can have rabins merge on 
> something else such as proto if you are filtering on tcp.
>
> Nick
>
>
> On Wed, Mar 26, 2008 at 1:04 PM, Stéphane Peters 
> <stephane.peters at forem.be <mailto:stephane.peters at forem.be>> wrote:
>
>     Hello,
>
>     Here is an example of counting flows I have just used,
>     to compare print flows seen by argus (filtered on port 9100)
>     with print requests seen by our batch server (found in a csv file).
>     Both lists have been feed in a spreadsheet to make a nice graphic
>     comparison.
>
>     If someone sees a better way to do this within ra* clients without
>     the unixes filters,
>     I will be happy to see how to do it.
>
>     Example saved on the wiki:
>
>         Count flows by groups of 10 minutes : show only the flow start
>         times, cut after the 10ths of minutes, add a trailing zero and
>         delete heading spaces to show a nice HH:MM line, count them,
>         invert columns, insert a delimitor.  Ready to be feed in your
>         favorite spreadsheet.
>          ra -s stime -p 0 -nr $file |\
>            cut -c -7 |\
>            uniq -c | \
>            sed -e 's/$/0/' \
>                -e 's/^ *//' \
>                -e 's/\(.*\) *\(.*\)/\2,\1/' > flowcounts.csv
>
>
Regards,

-- 
Stephane.Peters at forem.be, Postmaster at forem.be

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20080409/5b0533cf/attachment.html>

More information about the argus mailing list