Squid

[Robert Leyba]

CS Lee <geek00l <at> gmail.com> writes:

> 
> Hi Robert,The record looks right, you shouldn't use the filter - dst host 
proxy-ip here. Argus is flow based tool so it will generate the flow and 
determine the direction of source and destination. So if that's squid proxy, I 
guess it should be in source address field as it initiated the network session. 
Therefore these two records look correct -racount -r outfileint.out-as-of-14-
feb - src host10.2.32.24
> 
> racount   records     total_pkts     src_pkts       dst_pkts
> 
> total_bytes        src_bytes          dst_bytes
> 
>     sum   197461      5371435        2522843        2848592
> 
> 2638478509         471342533          2167135976
> 
> [root <at> localhost home]# racount -r outfileint.out-as-of-14-feb - host 
10.2.32.24
> 
> racount   records     total_pkts     src_pkts       dst_pkts
> 
> total_bytes        src_bytes          dst_bytes
> 
>     sum   198585      5375452        2525465        2849987
> 
> 2639516532         472268373          2167248159You notice source packets 
mean the packets sent by 10.2.32.24 and destination packets mean the packets 
sent by the destination host to 10.2.32.24. Same principle applies to the 
source bytes and destination bytes as well. You shouldn't use dst host 
10.2.32.24 as filter because that means you are filtering the flow where 
10.2.32.24 in destination address field(which means not 10.2.32.24 initiated 
the network session).Cheers ;]Message: 3
> Date: Thu, 14 Feb 2008 04:08:55 +0000 (UTC)
> From: Robert Leyba <r_leyba14 <at> yahoo.com>
> Subject: [ARGUS] src and dest appear to be reversed?
> To: argus-info <at> lists.andrew.cmu.edu
> Message-ID: <loom.20080214T040045-960 <at> post.gmane.org>
> Content-Type: text/plain; charset=us-ascii
> Hi, We wanted to start monitoring the traffic volume pasing through our web
> proxy (squid) server (at 10.2.32.24). We are monitoring a port on the switch
> that links our internal network to the internet (via a firewall).  When I 
tried
> the commands below, I was expecting the proxy server to be sending out only a
> small % of the traffic to external web sites and should be receiving gigabytes
> of traffic from external site to itself.  But from printout below, 
it "appears"
> that squid is sending out a lot of traffic and receiving only little, which is
> the exact opposite of what we are expecting. Any clarifications would be most
> appreciated.
> 1st line below: Total bytes with squid as the dest: 1,038,023
> 2nd line below: Total bytes with squid as source: 2,638,478,509
> 3rd line below: Just a check if src + dest = total, and yest it checks out.
> root <at> localhost home]# racount -r outfileint.out-as-of-14-feb - dst 
host10.2.32.24
> racount   records     total_pkts     src_pkts       dst_pkts
> total_bytes        src_bytes          dst_bytes
>     sum   1125        4017           2622           1395
> 1038023            925840             112183
> [root <at> localhost home]# racount -r outfileint.out-as-of-14-feb - src 
host10.2.32.24
> racount   records     total_pkts     src_pkts       dst_pkts
> total_bytes        src_bytes          dst_bytes
>     sum   197461      5371435        2522843        2848592
> 2638478509         471342533          2167135976
> [root <at> localhost home]# racount -r outfileint.out-as-of-14-feb - host 
10.2.32.24
> racount   records     total_pkts     src_pkts       dst_pkts
> total_bytes        src_bytes          dst_bytes
>     sum   198585      5375452        2525465        2849987
> 2639516532         472268373          2167248159-- Best Regards,CS Lee<geek00L
[at]gmail.com>http://geek00l.blogspot.com



HI CS, sorry for the very late acknowledgement, but thanks very much for your 
reply.   Things are clarified now.

--robert