raxml help

tbh tbh1000 at gmail.com
Thu Jan 24 13:40:23 EST 2008


Carter,
Thanks for the feedback. Taking a look at the TopN suggestions, I'm
running into a problem getting the ports to display.

racluster -r /usr/local/argus/argus-eth1.2008.01.24.10.00.00.gz -M rmon -m sport -w - -- ip | rasort -m bytes -w - | ra -nn -N 5 -s sport bytes:20

Gives me the following:
                   16533767
                   16131223
                   14024461
                   13655259
                   13393841

As you can see, the sport value is missing.

To make sure I understand the commands correctly, the racluster
command is reading the argus zipped file, consolidating the data by
sport and writing the result to stdout. rasort is reading the output
from racluster and sorting the data by bytes...writing the results to
stdout. ra is reading the output from rasort, not performing host or
port resolution, and printing the top 5 results including only the
sport field and the bytes field (out to 20 characters), right?

If I replace the -m sport with -m saddr, ra prints the saddr and
bytes. If I remove the -m sport from racluster, ra prints the port
numbers ( although it obviously is not consolidating the data based on
sport). What am I missing?

Thanks!
tbh

On 1/23/08, Carter Bullard <carter at qosient.com> wrote:
> Hey tbh,
> No "-s all" specification, but in the ./common/Config directory there is
> a rarc style file that has all the fields in it, which gets the job
> done.  Give
> that a parameter to the ra() call in the end.
>
> The excel.rc file does the csv, but it also formats any time fields to
> excel formats.  If you don't need that, since you aren't printing any
> time fields, you can just pass a "-c ," parameter to your ra() command,
> without the "-f excel.rc" parameter.
>
> Your TopN command gives you the TopN flows.  You may want to
> play with TopN hosts, TopN ports, TopN nets by making some
> changes to the racluster() call.
>   TopN hosts  - "racluster -M rmon -m saddr -r file -w - -- ip"
>   TopN ports  - "racluster -M rmon -m sport -r file -w - -- ip"
>   TopN nets   -  "racluster -M rmon -m saddr/16 -r file -w - -- ip"
>
> you would pipe those through the rasort() and then use ra() to print
> out the object.
>
>   TopN hosts -  "ra -s saddr bytes:20"
>   TopN ports - "ra -s sport bytes:20"
>   TopN nets - "ra -s snet/16 bytes:20"
>
> Carter
>
> tbh wrote:
> > Thanks for the quick reply! Doh! Not sure why I missed the -M xml
> > option! I'll play with that a bit and see how it works.
> >
> > As for the best way to present the data, I'm certainly open to
> > suggestions. Perhaps a simpler solution is to output the data to csv
> > and import it into Excel/Access. Currently, (and I'll reiterate my
> > newbie status) I'm using rasplit to break my output file into multiple
> > files based on 1 hour increments (it seems to improve the performance
> > when I pull data instead of using the -t time option). To pull
> > toptalkers, I use:
> >
> > racluster -r /usr/local/argus/argus-eth0<time value> -M norep -w - -- ip | rasort -m bytes -w - | ra -nn -N 25 -s bytes:20 daddr dport dbytes:20 trans:10 saddr sport sbytes:20
> >
> > The output gives me the top 25 talkers. If I were to include -F
> > excel.rc in the ra command, that should output the data as a csv.
> > Something like:
> >
> > racluster -r /usr/local/argus/argus-eth0<time value> -M norep -w - -- ip | rasort -m bytes -w - | ra -F excel.rc -nn -N 25 -s bytes:20 daddr dport dbytes:20 trans:10 saddr sport sbytes:20 > top25.csv
> >
> > Out of curiosity (and sort of thinking out loud) is there a -s ALL
> > option? Or would I need to add each field separately?
> >
> > Anyways, I should then be able to pull the top25.csv file into Excel
> > and massage the data into charts/graphs. Or, is there a better
> > (simpler) way?
> >
> > Thanks again!
> > tbh
> >
> > On 1/23/08, Carter Bullard <carter at qosient.com> wrote:
> >
> >> Hey Tbh,
> >> The xml support is embedded in all the ra* programs now.
> >> The "-M xml" option will generate xml output, but ......
> >> the support is not yet complete.  raxml() would print out
> >> the entire argus record content, the new scheme is designed
> >> to use the "-s field ..." option to specify what data would
> >> be printed.  Because of these changes,  the schema needs
> >> to be updated.  If you are interested in the xml data output,
> >> please give it a try and send comments on what is missing
> >> or how we could do it better.
> >>
> >> I don't think xml will provide you any better support than
> >> just a report or table output, like ratop() provides, if your
> >> problem is communicating network concepts like top talkers,
> >> service utilization, etc...   You will need to think about graphing,
> >> and viz methods for showing some data types, but xml on its
> >> own, will not do anything for you.
> >>
> >> Please keep this dialog up on the list if you're interested in
> >> finding the best way to present certain types of data.  I
> >> think the discussion will help me and the argus community
> >> a great deal.
> >>
> >> For TopN talkers, isn't a table with the talker id, in some
> >> order of topness, and the metrics of interest a good start?
> >>
> >>
> >> Carter
> >>
> >> tbh wrote:
> >>
> >>> I'm relatively new to argus, having been using it for about a month
> >>> now. I've got it up and running fine and am able to pull data with the
> >>> ra clients just fine. However, I've seen references in the docs and
> >>> list to raxml. Yet, I can't seem to find it in the latest (rc.67 or
> >>> rc.66) versions of the ra clients. Has it been removed?
> >>>
> >>> What I'm ultimately looking for is a way to present various aspects of
> >>> the flow data (i.e. top-talkers, service utilization, etc.) to
> >>> management. I assume XML is the best path to start down.
> >>>
> >>> Thanks in advance!
> >>>
> >>> tbh
> >>>
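A small post-processor for the "-c ," CSV output Carter suggests, as an added example (not argus code): it reproduces the TopN hosts / ports / nets aggregations from the quoted reply in Python, over constructed sample rows, assuming the field order of `ra -c , -s saddr sport bytes`.

```python
"""TopN hosts / ports / nets from ra CSV output (added example, not argus code)."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the shape `ra -c , -s saddr sport bytes` would emit.
SAMPLE_CSV = """\
saddr,sport,bytes
10.1.2.3,443,16533767
10.1.9.8,443,16131223
10.1.2.3,22,14024461
192.168.5.5,53,13655259
10.7.0.1,53,13393841
192.168.5.9,80,5000000
"""

def parse_flows(text):
    """Yield (saddr, sport, bytes) tuples from CSV text; a header row is skipped."""
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].strip() == "saddr":
            continue  # blank line or column header
        yield row[0].strip(), row[1].strip(), int(row[2])

def topn(flows, key, n=5):
    """Sum bytes per key(flow) and return the n largest as (key, bytes)."""
    totals = defaultdict(int)
    for flow in flows:
        totals[key(flow)] += flow[2]
    # largest byte count first; key breaks ties deterministically
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

# The three aggregations from the thread: -m saddr, -m sport, -m saddr/16.
def by_host(f):
    return f[0]

def by_port(f):
    return f[1]

def by_net16(f):
    return str(ipaddress.ip_network(f"{f[0]}/16", strict=False))

def report(text, n=5):
    """Build the TopN hosts, ports and /16 nets tables from one CSV text."""
    flows = list(parse_flows(text))
    return {"hosts": topn(flows, by_host, n),
            "ports": topn(flows, by_port, n),
            "nets": topn(flows, by_net16, n)}

if __name__ == "__main__":
    for name, rows in report(SAMPLE_CSV).items():
        print(f"Top {len(rows)} {name}")
        for k, b in rows:
            print(f"  {k:>20} {b:>12}")
```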