Top talkers on particular service

Carter Bullard carter at qosient.com
Tue Mar 4 06:22:17 EST 2008 

Hey Stewart,
All the tools support the "-M rmon" mode now, so you add that to your racluister() call.

  racluster -M rmon -m proto dport

Should be the equivalent. Adding a " - tcp or udp" filter maybe a good idea here.

If you have any problems, don't hesitate to send mail!!

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

-----Original Message-----
From: "Stewart Gray" <Stewart.Gray at safecom.co.nz>

Date: Tue, 4 Mar 2008 16:56:44 
To:"Carter Bullard" <carter at qosient.com>
Cc:"Pablo J. Rebollo-Sosa" <Pablo.Rebollo at ece.uprm.edu>,<argus-info at lists.andrew.cmu.edu>
Subject: RE: [ARGUS] Top talkers on particular service


I figure I may as well do them together in one hit. I've already
compiled them on another system (same hardware) so should just be a
matter of copying the binaries over.

Also, has 'ramon' been replaced by another tool? I cant seem to find it
in the new builds. I use it to graph service distribution in cacti,
"ramon -M Svc -nn -r argus-$DATE.arg - port 80 or 443". Is there a new
way to generate the same in 3.0 ?

Cheers, 

Stewart

-----Original Message-----
From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Tuesday, 4 March 2008 4:48 p.m.
To: Stewart Gray
Cc: Pablo J. Rebollo-Sosa; argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Top talkers on particular service

Hey Stewart,
You don't have to upgrade your argus, just the client programs.
The new clients can read argus-2.x data fine.

Carter





On Mar 3, 2008, at 7:42 PM, Stewart Gray wrote:

> I'm actually still running argus 2.0.6 on the machine in question, I 
> guess I have to upgrade first to use racluster :)
>
> Thanks for the command, i'll give it a crack this evening.
>
> Cheers,
>
> Stewart
>
> -----Original Message-----
> From: Pablo J. Rebollo-Sosa [mailto:Pablo.Rebollo at ece.uprm.edu]
> Sent: Tuesday, 4 March 2008 10:08 a.m.
> To: Stewart Gray
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Top talkers on particular service
>
> Stew,
>
> You could try the following.
>
> racluster -r argus.* -M rmon -m saddr  -w - - port https | rasort -m 
> bytes -w - | ra -N 20 -s saddr trans:10 sbytes:14 dbytes:14 bytes:14
>
> Best regards,
>
> Pablo J. Rebollo
>
> Stewart Gray wrote:
>> Hey Guys,
>>
>> A simply question im sure. How do you get a list of top talkers for a

>> particular service. In real terms, I'm seeing a large spike in https 
>> traffic and I'd like to know who is generating the traffic. I've 
>> played with 'ramon -M Matrix' but I'm only interested in the src 
>> addresses initially. Once i've determine the top talker it'd be good 
>> to drill it down to find what it's talking to.
>>
>> Have you considering putting an argus cheat sheet of sorts on your
> page?
>> It could cover a bunch of argus tool usage examples. It'd be useful 
>> for these sorts of queries :)
>>
>> Thanks,
>>
>> Stew
>> #####################################################################
>> #
>> ###############
>> Important: This electronic message and attachments (if any) are 
>> confidential and may be legally privileged. If you are not the 
>> intended recipient do not copy, disclose or use the contents in any 
>> way. Please let us know by return e-mail immediately and then destroy
> this message.
>> #####################################################################
>> #
>> ###############
> ######################################################################
> ###############
> Important: This electronic message and attachments (if any) are 
> confidential and may be legally privileged. If you are not the 
> intended recipient do not copy, disclose or use the contents in any 
> way. Please let us know by return e-mail immediately and then destroy 
> this message.
> ######################################################################
> ###############
>

#####################################################################################
Important: This electronic message and attachments (if any) are confidential
and may be legally privileged. If you are not the intended recipient do not
copy, disclose or use the contents in any way. Please let us know by return
e-mail immediately and then destroy this message.
#####################################################################################

More information about the argus mailing list