Determining what a user is doing

Carter Bullard carter at qosient.com
Tue Jul 8 22:54:37 EDT 2008


Hey Barry,
You are starting to get into what argus is all about, so I think that is great!!!
Each of the questions you are asking is really just a different view of the data,
and racluster() is the starting point for answers to many of your questions.

This is not the only tool, but it's the first one that I would suggest that you pay attention to.

So let's look at the first question on your list:
    1. Who is the top talker talking to.

There are only a few things that you need to specify before you can tackle this
problem.  The first is when.  All views into network activity data need to be
bounded in time, so let's say we're interested in this morning between 10 am
and 12 noon.  This is all we need to answer who.  I'll assume the data we
are going to be analyzing is in the file argusData, and that our top talker
is x.y.z.w.

    racluster -m saddr daddr -r argusData -t 10-12 \
       -s stime dur flgs saddr daddr spkts dpkts sbytes dbytes state \
       - host x.y.z.w

Now, the trick to the whole analysis is the "-m saddr daddr" option to racluster.
This is saying
    "merge records together that have the same src address and dst address"

The resulting data set is all the X -> Y's where your host x.y.z.w is
involved.  An example of the output you will get is something like:

anubis:files carter$ racluster -m saddr daddr -S localhost -N 50 -s stime dur flgs saddr dir daddr spkts dpkts sbytes dbytes - host 192.168.0.67
                  StartTime        Dur      Flgs            SrcAddr   Dir            DstAddr  SrcPkts  DstPkts     SrcBytes     DstBytes
2008/07/08.21:57:34.492027  30.568201  e               192.168.0.1   <->       192.168.0.67       27       27         2591         3752
2008/07/08.21:57:34.255124   1.172060  e              192.168.0.67   <->       17.148.16.40       21       12         1904         3187
2008/07/08.21:58:00.181514   5.676227  e              192.168.0.67   <->       192.168.0.66       14       14         1463         1529
2008/07/08.21:57:52.536502  13.260313  e              192.168.0.67   <->       192.168.0.68       29       28         3297         3120
2008/07/08.21:57:35.453208  35.455856  e              192.168.0.67   <->       192.168.0.76      371      371        24486       164522
2008/07/08.21:57:35.907764   1.000130  e              192.168.0.67    ->      192.168.0.255        2        0          348            0
2008/07/08.21:57:34.254925  32.211288  e              192.168.0.67   <->     216.92.197.167       67       41        11824        14934
2008/07/08.21:58:05.657226   0.100227  e              192.168.0.67    ->        224.0.0.251        2        0          182            0

So these are all the machines that interacted with one of my workstations over a period
of say 35 seconds, just now.  If I was interested in just the list of machines that talked
to my machine, I would do this:

anubis:files carter$ racluster -m saddr -M rmon -S localhost -N 50 -w - - host 192.168.0.67 | \
         rasort -m pkts -s stime dur flgs saddr spkts dpkts sbytes dbytes - not src host 192.168.0.67
                  StartTime        Dur      Flgs            SrcAddr  SrcPkts  DstPkts     SrcBytes     DstBytes
2008/07/08.22:01:28.909837  45.118294  e              192.168.0.76      406      406       179464        26796
2008/07/08.22:01:33.716226  30.505930  e              192.168.0.66       64       66         6794         8158
2008/07/08.22:01:33.217032  36.770405  e               192.168.0.1       28       28         2683         4059
2008/07/08.22:01:34.246290   1.157022  e              17.148.16.40       13       21         3253         1904
2008/07/08.22:01:33.716480  34.799236  e              192.168.0.68        4        4          296          296
2008/07/08.22:01:34.241601   0.048145  e            216.92.197.167        1        2          119          169
2008/07/08.22:01:43.897494   1.000422  e             192.168.0.255        0        2            0          348

So over another 50 second period, these are the individual hosts that interacted with my workstation.
It's almost the same list.  Notice the src and dst pkts, so you can tell who is a producer and who is a
consumer of data, relative to my workstation.

I'm sure that you have an "acceptable use policy" and with this simple command set you can
tell if one of your customers is providing services to the Internet, or is just using services from the
Internet.

What ports is a particular host using?  The assumption is that the direction assignments by
argus are correct, and if so, then the dport is the port that the host is using.  This port will be
meaningful for some protocols, and for some protocols like p2p, the port number will be
arbitrary.  In this case they were all reasonable.

anubis:files carter$ racluster -r argusData -m saddr proto dport \
      -s stime dur flgs saddr proto dport spkts dpkts sbytes dbytes state - src host 192.168.0.67

                  StartTime        Dur      Flgs            SrcAddr  Proto        Dport  SrcPkts  DstPkts     SrcBytes     DstBytes State
2008/07/08.22:18:41.437891   0.105622  e              192.168.0.67    udp       domain        1        1           73          336   CON
2008/07/08.22:19:14.571606   0.000000  e              192.168.0.67    udp   netbios-ns        1        0           92            0   INT
2008/07/08.22:19:09.253597   3.776715  e              192.168.0.67    udp         snmp       21       21         1910         2039   CON
2008/07/08.22:18:46.530803  31.998823  e              192.168.0.67    udp          ipp        4        0          696            0   INT
2008/07/08.22:18:51.437631   0.000000  e              192.168.0.67    udp         mdns        1        0          225            0   INT
2008/07/08.22:18:34.699255  48.372768  e              192.168.0.67    tcp         http      589      499       100595       669402   RST
2008/07/08.22:19:06.225972   8.691663  e              192.168.0.67    tcp         ldap       11       11         1460          988   CON
2008/07/08.22:18:49.444948  32.001381  e              192.168.0.67    tcp   afpovertcp        7        7          510          526   CON
2008/07/08.22:18:38.373116  45.222675  e              192.168.0.67    tcp      monitor      441      441        29106       214894   CON
2008/07/08.22:18:34.204633   2.369161  e              192.168.0.67    tcp        imaps       11        8         1023         1696   CON


So 192.168.0.67 used domain, netbios-ns, snmp, ipp, mdns, http, ldap, afpovertcp, the argus port (monitor)
and imaps.  So it looks good.

These are just a simple set of starting commands.  As you start to think about this more and more,
a set of background scripts running off of the argus data as it comes in, in near real-time, can provide
you with a lot of information that can help.

Carter
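One way to turn the "src and dst pkts tell you who is a producer and who is a consumer" reading of the -m saddr daddr table into a background script, as an added example that is not Carter's or the argus project's own code: it parses the table racluster prints, orients each row around a monitored host (which may appear as either SrcAddr or DstAddr, as 192.168.0.1 does above), and labels each peer. The Peer type, the parse_rows/peers_of/classify names and the 3:1 byte-ratio threshold are assumptions; the sample rows are copied from the output shown above.

```python
"""Orient racluster -m saddr daddr rows around one host and label each peer.
Assumed input: the whitespace-separated table printed by
  racluster -m saddr daddr -s stime dur flgs saddr dir daddr spkts dpkts sbytes dbytes"""
from collections import namedtuple
Peer = namedtuple("Peer", "addr sent_bytes recv_bytes sent_pkts recv_pkts")

# Sample rows copied from the racluster output in the message above; Dir is "<->" (two-way) or "->" (one-way).
SAMPLE = """\
                  StartTime        Dur      Flgs            SrcAddr   Dir            DstAddr  SrcPkts  DstPkts     SrcBytes     DstBytes
2008/07/08.21:57:34.492027  30.568201  e               192.168.0.1   <->       192.168.0.67       27       27         2591         3752
2008/07/08.21:57:35.453208  35.455856  e              192.168.0.67   <->       192.168.0.76      371      371        24486       164522
2008/07/08.21:57:35.907764   1.000130  e              192.168.0.67    ->      192.168.0.255        2        0          348            0
2008/07/08.21:57:34.254925  32.211288  e              192.168.0.67   <->     216.92.197.167       67       41        11824        14934
"""

def parse_rows(text):
    """Yield one dict per data row, keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    for line in lines[1:]:
        fields = line.split()
        if len(fields) == len(header):   # skip wrapped or truncated rows rather than misparse them
            yield dict(zip(header, fields))

def peers_of(text, host):
    """Map peer address -> Peer, with bytes/packets counted from `host`'s point of view."""
    peers = {}
    for row in parse_rows(text):
        if row["SrcAddr"] == host:        # host is the flow source: Src* columns are what it sent
            peer, out, inb = row["DstAddr"], "Src", "Dst"
        elif row["DstAddr"] == host:      # host is the destination: swap the column roles
            peer, out, inb = row["SrcAddr"], "Dst", "Src"
        else:
            continue                      # row does not involve the monitored host
        peers[peer] = Peer(peer, int(row[out + "Bytes"]), int(row[inb + "Bytes"]),
                           int(row[out + "Pkts"]), int(row[inb + "Pkts"]))
    return peers

def classify(peer, ratio=3.0):
    """'producer' if the peer sent `ratio`x more bytes than it received from host, 'consumer' if the reverse."""
    if peer.recv_bytes >= ratio * max(peer.sent_bytes, 1):
        return "producer"
    if peer.sent_bytes >= ratio * max(peer.recv_bytes, 1):
        return "consumer"
    return "balanced"

if __name__ == "__main__":
    for p in peers_of(SAMPLE, "192.168.0.67").values():
        print(f"{p.addr:>16}  up={p.sent_bytes:>7}  down={p.recv_bytes:>7}  {classify(p)}")
```

Feeding it the same table for many hosts over a time window (racluster -t) gives the per-customer upload/download picture the acceptable-use check above calls for.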

On Jul 8, 2008, at 9:00 PM, Barry Kolts wrote:

> Hi Everyone,
>
> I am new to Argus and have found the mailing list, wiki and C.S.  
> Lee's blogs very informative, but I find myself in the state of  
> "information overload" and need a little guidance.
> I can find the top user with this command that I found in my reading:
>
> racluster -M rmon -m saddr -R <input_dir> -t <start_time>-<end_time>  
> -w - ip | rasort -m bytes -w -  |\
> ra -s saddr sbytes dbytes bytes - net <ip_range>
>
> Now that I know who the top user is, if his usage is high I want to  
> know what he is doing. I would like to know who (what ip) he is  
> talking to, whether he is uploading or downloading files. What  
> destination port is he talking to? The purpose of all this is we are a  
> small ISP starting wireless broadband service to the rural part of  
> our county.  We have to monitor bandwidth like everyone else and  
> need to know if a heavy user is just downloading a big file or is on  
> a p2p network or just has a virus. I think Argus can provide this  
> information, I'm just not sure how to do it. I think Argus will help  
> us monitor the overall health of our network and will be very  
> useful. I would like to thank all who make this possible.
>
> Thanks in advance for any help,
> Barry
>
>
