Top talkers on particular service

ScottO skippylou at gmail.com
Mon Mar 3 15:56:03 EST 2008


Hi Stew,

I do something similar that you could modify.  First I process the file
through racluster via saddr:

/usr/local/bin/racluster -r $directory/$argus_file -M rmon -m saddr -w /tmp/a1temp_cluster.out - ip

Then I take the resulting file and do various things with it, one being just
tallying up total traffic bytes:

/usr/local/bin/rasort -r /tmp/a1temp_cluster.out -m bytes -w - - net '$home_net' | /usr/local/bin/ra -N 20 -s saddr bytes:14 sbytes:14 dbytes:14

The above gives a nice list of top talkers, total-traffic-wise.  You could
bpf the port(s) you want out of it.

Hope that helps,

Scott

On Mon, Mar 3, 2008 at 3:43 PM, Stewart Gray <Stewart.Gray at safecom.co.nz>
wrote:

>  Hey Guys,
>
> A simple question, I'm sure. How do you get a list of top talkers for a
> particular service? In real terms, I'm seeing a large spike in https traffic
> and I'd like to know who is generating the traffic. I've played with 'ramon
> -M Matrix' but I'm only interested in the src addresses initially. Once I've
> determined the top talker it'd be good to drill it down to find what it's
> talking to.
>
> Have you considered putting an argus cheat sheet of sorts on your page?
> It could cover a bunch of argus tool usage examples. It'd be useful for
> these sorts of queries :)
>
> Thanks,
>
> Stew
>


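The ranking and drill-down discussed in this thread, as an added example that is not part of the original messages and is not argus code: it totals bytes per source address for one service port, then breaks the top source down by destination. It assumes flow records already exported as comma-separated text with saddr, daddr, dport and bytes columns; the sample records, function names and column layout are constructed for illustration, and unlike the -M rmon run above it counts each flow only under its source address.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (not real traffic). The column layout is
# an assumption: a comma-separated export of saddr, daddr, dport, bytes.
SAMPLE = """saddr,daddr,dport,bytes
10.0.0.5,203.0.113.10,443,120000
10.0.0.5,203.0.113.11,443,30000
10.0.0.7,203.0.113.10,443,45000
10.0.0.7,198.51.100.2,80,900000
10.0.0.9,203.0.113.10,443,5000
10.0.0.5,198.51.100.2,22,700
10.0.0.9,203.0.113.10,,64
"""

def load(text):
    """Parse the CSV export into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))

def _ranked(totals):
    # Largest byte count first; ties broken by address for stable output.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

def top_talkers(records, port, n=20):
    """Return [(saddr, total_bytes)] for flows to `port`, largest first."""
    totals = defaultdict(int)
    for row in records:
        # String compare so records with an empty dport (e.g. ICMP) are skipped.
        if row["dport"].strip() == str(port):
            totals[row["saddr"]] += int(row["bytes"])
    return _ranked(totals)[:n]

def peers_of(records, saddr, port):
    """Drill down: bytes per destination for one source on `port`."""
    totals = defaultdict(int)
    for row in records:
        if row["saddr"] == saddr and row["dport"].strip() == str(port):
            totals[row["daddr"]] += int(row["bytes"])
    return _ranked(totals)

if __name__ == "__main__":
    flows = load(SAMPLE)
    ranked = top_talkers(flows, 443)
    for saddr, total in ranked:
        print(f"{saddr:<15} {total:>14}")
    top = ranked[0][0]
    for daddr, total in peers_of(flows, top, 443):
        print(f"  {top} -> {daddr:<15} {total:>14}")
```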