Squid

CS Lee geek00l at gmail.com
Thu Feb 14 22:13:51 EST 2008


Hi Robert,

The record looks right; you shouldn't use the filter - dst host proxy-ip -
here. Argus is a flow-based tool, so it will generate the flow and determine
the direction of source and destination. So if that's the squid proxy, I guess
it should be in the source address field, as it initiated the network session.
Therefore these two records look correct -

racount -r outfileint.out-as-of-14-feb - src host 10.2.32.24
racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
   sum   197461      5371435        2522843        2848592        2638478509         471342533          2167135976

[root at localhost home]# racount -r outfileint.out-as-of-14-feb - host 10.2.32.24
racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
   sum   198585      5375452        2525465        2849987        2639516532         472268373          2167248159

You'll notice that source packets means the packets sent by 10.2.32.24, and
destination packets means the packets sent by the destination host to
10.2.32.24. The same principle applies to the source bytes and destination
bytes as well.

You shouldn't use dst host 10.2.32.24 as the filter, because that means you are
filtering the flows where 10.2.32.24 is in the destination address field (which
means 10.2.32.24 did not initiate the network session).

Cheers ;]



Message: 3
Date: Thu, 14 Feb 2008 04:08:55 +0000 (UTC)
From: Robert Leyba <r_leyba14 at yahoo.com>
Subject: [ARGUS] src and dest appear to be reversed?
To: argus-info at lists.andrew.cmu.edu
Message-ID: <loom.20080214T040045-960 at post.gmane.org>
Content-Type: text/plain; charset=us-ascii

Hi, We wanted to start monitoring the traffic volume passing through our web
proxy (squid) server (at 10.2.32.24). We are monitoring a port on the switch
that links our internal network to the internet (via a firewall). When I tried
the commands below, I was expecting the proxy server to be sending out only a
small % of the traffic to external web sites and to be receiving gigabytes of
traffic from external sites to itself. But from the printout below, it
"appears" that squid is sending out a lot of traffic and receiving only a
little, which is the exact opposite of what we are expecting. Any
clarifications would be most appreciated.


1st line below: Total bytes with squid as the dest: 1,038,023
2nd line below: Total bytes with squid as source: 2,638,478,509
3rd line below: Just a check if src + dest = total, and yes, it checks out.



[root at localhost home]# racount -r outfileint.out-as-of-14-feb - dst host 10.2.32.24
racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
   sum   1125        4017           2622           1395           1038023            925840             112183

[root at localhost home]# racount -r outfileint.out-as-of-14-feb - src host 10.2.32.24
racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
   sum   197461      5371435        2522843        2848592        2638478509         471342533          2167135976

[root at localhost home]# racount -r outfileint.out-as-of-14-feb - host 10.2.32.24
racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
   sum   198585      5375452        2525465        2849987        2639516532         472268373          2167248159


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
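To make the direction semantics discussed in this thread concrete, here is an added example (not from the thread or the Argus project) that models Argus flow orientation with a few constructed flow records and computes racount-style sums under the src host / dst host / host filters; the Flow fields, the tiny filter parser and all addresses other than the proxy's are assumptions of the example.

```python
# Added example: toy model of Argus flow orientation and racount sums.
# Argus makes the session initiator the flow's source (src) and the responder
# its destination (dst); the src_*/dst_* counters follow that orientation.
# The flow records below are constructed sample data, not real captures.
from collections import namedtuple

PROXY = "10.2.32.24"  # the squid proxy discussed in the thread
# saddr = initiator, daddr = responder; s*/d* counters = sent by saddr/daddr
Flow = namedtuple("Flow", "saddr daddr spkts dpkts sbytes dbytes")

FLOWS = [
    # proxy fetches from web servers: it initiates, so it is src and the
    # large responses it receives land in dbytes, not sbytes
    Flow(PROXY, "203.0.113.10", 120, 400, 9_000, 550_000),
    Flow(PROXY, "198.51.100.7", 80, 250, 6_000, 310_000),
    # inbound sessions to the proxy (e.g. a health check): proxy is dst
    Flow("192.0.2.5", PROXY, 10, 8, 1_200, 800),
    Flow("192.0.2.9", PROXY, 4, 3, 500, 300),
]

def matches(flow, filt):
    """Tiny subset of the ra filter language: 'src host A', 'dst host A', 'host A'."""
    w = filt.split()
    if w[:2] == ["src", "host"]:
        return flow.saddr == w[2]
    if w[:2] == ["dst", "host"]:
        return flow.daddr == w[2]
    if w[:1] == ["host"]:
        return w[1] in (flow.saddr, flow.daddr)
    raise ValueError(f"unsupported filter: {filt!r}")

def racount(flows, filt):
    """Sum the racount columns over the flows selected by the filter."""
    sel = [f for f in flows if matches(f, filt)]
    s = lambda attr: sum(getattr(f, attr) for f in sel)
    out = {"records": len(sel), "src_pkts": s("spkts"), "dst_pkts": s("dpkts"),
           "src_bytes": s("sbytes"), "dst_bytes": s("dbytes")}
    out["total_pkts"] = out["src_pkts"] + out["dst_pkts"]
    out["total_bytes"] = out["src_bytes"] + out["dst_bytes"]
    return out

def host_traffic(flows, host):
    """Bytes a host actually sent and received, whichever side initiated."""
    sent = received = 0
    for f in flows:
        if f.saddr == host:
            sent, received = sent + f.sbytes, received + f.dbytes
        elif f.daddr == host:
            sent, received = sent + f.dbytes, received + f.sbytes
    return sent, received
```

With these flows, `racount(FLOWS, f"src host {PROXY}")` shows the proxy's downloads in dst_bytes, while the dst host filter only picks up the small inbound sessions, which is the effect Robert saw.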