Determining what a user is doing
Carter Bullard
carter at qosient.com
Tue Jul 8 22:54:37 EDT 2008
Hey Barry,

You are starting to get into what argus is all about, so I think that is great!!!

Each of the questions you are asking is really just a different view of the data, and racluster() is the starting point for answers to many of your questions. This is not the only tool, but it's the first one that I would suggest that you pay attention to.

So let's look at the first question on your list:
1. Who is the top talker talking to.
There are only a few things that you need to specify before you can tackle this problem. The first is when. All views into network activity data need to be bounded in time, so let's say we're interested in this morning between 10 am and 12 noon. This is all we need to answer who. I'll assume the data we are going to be analyzing is in the file argusData, and that our top talker is x.y.z.w.
racluster -m saddr daddr -r argusData -t 10-12 \
    -s stime dur flgs saddr daddr spkts dpkts sbytes dbytes state \
    - host x.y.z.w
Now, the trick to the whole analysis is the "-m saddr daddr" option to racluster. This is saying "merge records together that have the same src address and dst address". The resulting data set is all the X -> Y's where your host x.y.z.w is involved. An example of the output you will get is something like:
anubis:files carter$ racluster -m saddr daddr -S localhost -N 50 -s stime dur flgs saddr dir daddr spkts dpkts sbytes dbytes - host 192.168.0.67
                 StartTime        Dur Flgs          SrcAddr Dir          DstAddr  SrcPkts  DstPkts  SrcBytes  DstBytes
2008/07/08.21:57:34.492027  30.568201    e      192.168.0.1 <->     192.168.0.67       27       27      2591      3752
2008/07/08.21:57:34.255124   1.172060    e     192.168.0.67 <->     17.148.16.40       21       12      1904      3187
2008/07/08.21:58:00.181514   5.676227    e     192.168.0.67 <->     192.168.0.66       14       14      1463      1529
2008/07/08.21:57:52.536502  13.260313    e     192.168.0.67 <->     192.168.0.68       29       28      3297      3120
2008/07/08.21:57:35.453208  35.455856    e     192.168.0.67 <->     192.168.0.76      371      371     24486    164522
2008/07/08.21:57:35.907764   1.000130    e     192.168.0.67  ->    192.168.0.255        2        0       348         0
2008/07/08.21:57:34.254925  32.211288    e     192.168.0.67 <->   216.92.197.167       67       41     11824     14934
2008/07/08.21:58:05.657226   0.100227    e     192.168.0.67  ->      224.0.0.251        2        0       182         0
So these are all the machines that interacted with one of my workstations over a period of, say, 35 seconds, just now. If I was interested in just the list of machines that talked to my machine, I would do this:
anubis:files carter$ racluster -m saddr -M rmon -S localhost -N 50 -w - - host 192.168.0.67 | \
    rasort -m pkts -s stime dur flgs saddr spkts dpkts sbytes dbytes - not src host 192.168.0.67
                 StartTime        Dur Flgs          SrcAddr  SrcPkts  DstPkts  SrcBytes  DstBytes
2008/07/08.22:01:28.909837  45.118294    e     192.168.0.76      406      406    179464     26796
2008/07/08.22:01:33.716226  30.505930    e     192.168.0.66       64       66      6794      8158
2008/07/08.22:01:33.217032  36.770405    e      192.168.0.1       28       28      2683      4059
2008/07/08.22:01:34.246290   1.157022    e     17.148.16.40       13       21      3253      1904
2008/07/08.22:01:33.716480  34.799236    e     192.168.0.68        4        4       296       296
2008/07/08.22:01:34.241601   0.048145    e   216.92.197.167        1        2       119       169
2008/07/08.22:01:43.897494   1.000422    e    192.168.0.255        0        2         0       348
So over another 50 second period, these are the individual hosts that interacted with my workstation. It's almost the same list. Notice the src and dst pkts, so you can tell who is a producer and who is a consumer of data, relative to my workstation.

I'm sure that you have an "acceptable use policy", and with this simple command set you can tell if one of your customers is providing services to the Internet, or is just using services from the Internet.
What ports is a particular host using? The assumption is that the direction assignments by argus are correct, and if so, then the dport is the port that the host is using. This port will be meaningful for some protocols, and for some protocols like p2p, the port number will be arbitrary. In this case they were all reasonable.
anubis:files carter$ racluster -r argusData -m saddr proto dport \
    -s stime dur flgs saddr proto dport spkts dpkts sbytes dbytes state - src host 192.168.0.67
                 StartTime        Dur Flgs          SrcAddr Proto       Dport  SrcPkts  DstPkts  SrcBytes  DstBytes State
2008/07/08.22:18:41.437891   0.105622    e     192.168.0.67   udp      domain        1        1        73       336   CON
2008/07/08.22:19:14.571606   0.000000    e     192.168.0.67   udp  netbios-ns        1        0        92         0   INT
2008/07/08.22:19:09.253597   3.776715    e     192.168.0.67   udp        snmp       21       21      1910      2039   CON
2008/07/08.22:18:46.530803  31.998823    e     192.168.0.67   udp         ipp        4        0       696         0   INT
2008/07/08.22:18:51.437631   0.000000    e     192.168.0.67   udp        mdns        1        0       225         0   INT
2008/07/08.22:18:34.699255  48.372768    e     192.168.0.67   tcp        http      589      499    100595    669402   RST
2008/07/08.22:19:06.225972   8.691663    e     192.168.0.67   tcp        ldap       11       11      1460       988   CON
2008/07/08.22:18:49.444948  32.001381    e     192.168.0.67   tcp  afpovertcp        7        7       510       526   CON
2008/07/08.22:18:38.373116  45.222675    e     192.168.0.67   tcp     monitor      441      441     29106    214894   CON
2008/07/08.22:18:34.204633   2.369161    e     192.168.0.67   tcp       imaps       11        8      1023      1696   CON
So 192.168.0.67 used domain, netbios-ns, snmp, ipp, mdns, http, ldap, afpovertcp, the argus port (monitor) and imaps. So looks good.
These are just a simple set of starting commands. As you start to think about this more and more, a set of background scripts running off of the argus data as it comes in, in near real-time, can provide you with a lot of information that can help.

Carter
On Jul 8, 2008, at 9:00 PM, Barry Kolts wrote:
> Hi Everyone,
>
> I am new to Argus and have found the mailing list, wiki and C.S. Lee's blogs very informative, but I find myself in the state of "information overload" and need a little guidance.
> I can find the top user with this command that I found in my reading:
>
> racluster -M rmon -m saddr -R <input_dir> -t <start_time>-<end_time> -w - ip | rasort -m bytes -w - | \
>     ra -s saddr sbytes dbytes bytes - net <ip_range>
>
> Now that I know who the top user is, if his usage is high I want to know what he is doing. I would like to know who (what ip) he is talking to, whether he is uploading or downloading files. What destination port is he talking to? The purpose of all this is we are a small ISP starting wireless broadband service to the rural part of our county. We have to monitor bandwidth like everyone else and need to know if a heavy user is just downloading a big file or is on a p2p network or just has a virus. I think Argus can provide this information, I'm just not sure how to do it. I think Argus will help us monitor the overall health of our network and will be very useful. I would like to thank all who make this possible.
>
> Thanks in advance for any help,
> Barry
>
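Added illustration for readers of this thread (not part of the original mail, and not argus project code): a toy re-implementation of the two racluster aggregations Carter uses, "-m saddr daddr" and "-m saddr proto dport", run over a handful of constructed flow records, followed by the producer/consumer judgement he makes by reading SrcBytes against DstBytes. Every name here (Flow, cluster, peers_of, classify, ports_used, WORKSTATION), the sample records and the 3:1 byte-ratio threshold are this example's own choices, not argus semantics; racluster itself does the merging on real argus data.

```python
"""Added example, not argus code: merge flow records by a key tuple the way
racluster -m does, then orient byte counts relative to one monitored host
to tell which peers feed it data and which it serves. Sample data is
constructed, not captured. Names and the ratio threshold are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass
class Flow:
    """One argus-style flow record, reduced to the fields printed in the thread."""
    stime: float   # start time in seconds (relative, for the sample)
    dur: float     # duration in seconds
    saddr: str
    daddr: str
    proto: str
    dport: str     # service name, as argus prints with -s dport
    spkts: int
    dpkts: int
    sbytes: int
    dbytes: int


WORKSTATION = "192.168.0.67"  # the monitored host from the thread

# Constructed sample records. The file-server session is split in two so the
# merge step has work to do; the last record was initiated by a peer, so the
# workstation appears as its daddr and the direction must be flipped.
FLOWS = [
    Flow(0.0, 5.0, "192.168.0.67", "192.168.0.76", "tcp", "afpovertcp", 100, 100, 8000, 60000),
    Flow(5.0, 5.0, "192.168.0.67", "192.168.0.76", "tcp", "afpovertcp", 100, 100, 8000, 60000),
    Flow(1.0, 2.0, "192.168.0.67", "17.148.16.40", "tcp", "http", 21, 12, 1904, 3187),
    Flow(1.5, 0.1, "192.168.0.67", "192.168.0.1", "udp", "domain", 1, 1, 73, 336),
    Flow(2.0, 1.0, "192.168.0.67", "192.168.0.255", "udp", "netbios-ns", 2, 0, 348, 0),
    Flow(3.0, 40.0, "192.168.0.66", "192.168.0.67", "tcp", "http", 400, 500, 30000, 600000),
]


def cluster(flows, key_fields):
    """Merge records sharing key_fields (e.g. ("saddr", "daddr")): earliest
    start, duration spanning first start to last end, counters summed."""
    merged = {}
    for f in flows:
        key = tuple(getattr(f, name) for name in key_fields)
        m = merged.get(key)
        if m is None:
            merged[key] = replace(f)  # copy, so FLOWS itself is not mutated
            continue
        end = max(m.stime + m.dur, f.stime + f.dur)
        m.stime = min(m.stime, f.stime)
        m.dur = end - m.stime
        m.spkts += f.spkts
        m.dpkts += f.dpkts
        m.sbytes += f.sbytes
        m.dbytes += f.dbytes
    return merged


def peers_of(flows, host):
    """Byte totals per peer oriented relative to host, whichever side
    initiated (the view -M rmon gives): what host sent and what it received."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for f in flows:
        if f.saddr == host:
            peer, sent, received = f.daddr, f.sbytes, f.dbytes
        elif f.daddr == host:
            peer, sent, received = f.saddr, f.dbytes, f.sbytes
        else:
            continue  # record does not involve host
        totals[peer]["sent"] += sent
        totals[peer]["received"] += received
    return dict(totals)


def classify(totals, ratio=3.0):
    """Label peers: 'producer' feeds data to host (host downloads), 'consumer'
    takes data from host (host uploads or serves), else 'balanced'.
    The ratio is a heuristic chosen for this example."""
    labels = {}
    for peer, t in totals.items():
        sent, received = t["sent"], t["received"]
        if received >= ratio * max(sent, 1):
            labels[peer] = "producer"
        elif sent >= ratio * max(received, 1):
            labels[peer] = "consumer"
        else:
            labels[peer] = "balanced"
    return labels


def ports_used(flows, host):
    """Destination ports host connected to, per protocol. Like the thread, this
    trusts argus's direction assignment: only records with host as saddr count."""
    by_proto = defaultdict(set)
    for f in flows:
        if f.saddr == host:
            by_proto[f.proto].add(f.dport)
    return {proto: sorted(ports) for proto, ports in by_proto.items()}


if __name__ == "__main__":
    for key, m in cluster(FLOWS, ("saddr", "daddr")).items():
        print(f"{m.dur:7.3f} {key[0]:>15} -> {key[1]:<15} {m.sbytes:8} {m.dbytes:8}")
    print(classify(peers_of(FLOWS, WORKSTATION)))
    print(ports_used(FLOWS, WORKSTATION))
```

With the constructed records, the two afpovertcp records collapse into one X -> Y row, 192.168.0.76 and the DNS server come out as producers, the broadcast address and the peer that pulled 600000 bytes from the workstation come out as consumers, and the web session is balanced; swapping the key tuple for ("saddr", "proto", "dport") gives the per-port view from the third command in the mail.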