Determining what a user is doing

Barry Kolts bhkolts at gotrain.org
Tue Jul 8 21:00:59 EDT 2008


Hi Everyone,

I am new to Argus and have found the mailing list, wiki and C.S. Lee's blogs very informative, but I find myself in the state of "information overload" and need a little guidance. 
I can find the top user with this command that I found in my reading:

racluster -M rmon -m saddr -R <input_dir> -t <start_time>-<end_time> -w - ip | rasort -m bytes -w -  |\
ra -s saddr sbytes dbytes bytes - net <ip_range>

Now that I know who the top user is, if his usage is high I want to know what he is doing. I would like to know who (what IP) he is talking to, whether he is uploading or downloading files. What destination port he is talking to. The purpose of all this is we are a small ISP starting wireless broadband service to the rural part of our county. We have to monitor bandwidth like everyone else and need to know if a heavy user is just downloading a big file or is on a p2p network or just has a virus. I think Argus can provide this information, I am just not sure how to do it. I think Argus will help us monitor the overall health of our network and will be very useful. I would like to thank all who make this possible.

Thanks in advance for any help,
Barry
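
An added example, not part of the original post and not Argus code: one way to triage a heavy user's flows by peer, destination port and direction. It assumes the flows were already exported as comma-separated lines in the order saddr,daddr,dport,sbytes,dbytes; the sample records, labels and thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records (all values invented), one per line, in the assumed
# column order saddr,daddr,dport,sbytes,dbytes. 10.1.1.50 is the heavy user.
SAMPLE = """\
10.1.1.50,198.51.100.7,51413,300000,280000
10.1.1.50,198.51.100.22,6881,150000,410000
10.1.1.50,203.0.113.9,40112,220000,190000
10.1.1.50,203.0.113.80,6889,90000,120000
10.1.1.50,192.0.2.14,33021,175000,160000
10.1.1.60,192.0.2.200,80,5000,900000
"""

def summarize(text, user):
    """Per (peer, dport) totals for one source: [flows, bytes_up, bytes_down]."""
    peers = defaultdict(lambda: [0, 0, 0])
    for row in csv.reader(io.StringIO(text)):
        if len(row) == 5 and row[0] == user:  # skip blank or malformed lines
            entry = peers[(row[1], int(row[2]))]
            entry[0] += 1
            entry[1] += int(row[3])
            entry[2] += int(row[4])
    return dict(peers)

def classify(peers, many=5, small=2000, share=0.8):
    """Rough triage label. Thresholds are illustrative assumptions to tune."""
    flows = sum(v[0] for v in peers.values())
    up = sum(v[1] for v in peers.values())
    down = sum(v[2] for v in peers.values())
    if up + down == 0:
        return "no traffic"
    hosts = {h for h, _ in peers}
    ports = {p for _, p in peers}
    top = max(v[1] + v[2] for v in peers.values())
    # Many destinations on one port with tiny flows: scanning or worm-like.
    if len(hosts) >= many and len(ports) == 1 and (up + down) / flows < small:
        return "scan-like"
    # One peer and port carries most of the bytes: a single big transfer.
    if top / (up + down) >= share:
        return "bulk download" if down > up else "bulk upload"
    # Many peers on many ports, bytes flowing both ways: p2p-like.
    if len(hosts) >= many and len(ports) >= many and min(up, down) * 4 >= max(up, down):
        return "p2p-like"
    return "mixed"

if __name__ == "__main__":
    print(classify(summarize(SAMPLE, "10.1.1.50")))
```

The labels are a starting point for a closer look at the listed peers and ports, not a verdict on the user.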
