Top talkers on particular service
Stewart Gray
Stewart.Gray at safecom.co.nz
Tue Mar 4 16:04:33 EST 2008
Hi Carter,
I'm getting drastically different output from the two commands. My old
rmon query generates data in the following format:
ramon -M Svc -nn -r argus-$DATE.arg - port 80 or 443
05 Mar 08 06:24:01 tcp 80 99815 169095 11716369 207006588
05 Mar 08 06:24:01 tcp 443 24922 26705 4467460 17872873
racluster -r argus-$DATE.arg -M rmon -m proto dport - tcp port 80 or 443
12:59:01.844654 e ip 0.0.0.0 <-> 0.0.0.0 51493 26433582 CON
12:59:01.844654 e ip 0.0.0.0 <-> 0.0.0.0 124 62776 CON
12:59:02.228595 e ip 0.0.0.0 <-> 0.0.0.0 42 6650 CON
12:59:02.243649 e ip 0.0.0.0 <-> 0.0.0.0 42 6668 CON
12:59:02.262551 e ip 0.0.0.0 <-> 0.0.0.0 42 6626 CON
12:59:02.265125 e ip 0.0.0.0 <-> 0.0.0.0 42 6634 CON
12:59:02.275250 e ip 0.0.0.0 <-> 0.0.0.0 42 6692 CON
12:59:02.283064 e ip 0.0.0.0 <-> 0.0.0.0 42 6662 CON
etc. This presents over 300 results. I'm guessing it's showing each
connection rather than a summary like I'm after.
Where have I gone wrong?
Cheers,
Stew
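As an added example (not code from anyone in this thread), the script below does in post-processing what the thread asks of racluster/rasort/ra: it takes per-flow ra text output for one service, sums bytes per source address to find the top talkers, and drills one talker down to the destinations it spoke to. The column order assumes a hypothetical `ra -s saddr daddr proto dport sbytes dbytes bytes` invocation, and the sample lines are constructed, not real capture data.

```python
# Added example: aggregate per-flow ra output into a top-talker summary and a
# per-talker drill-down. Assumes the (hypothetical) column order
# saddr daddr proto dport sbytes dbytes bytes, i.e. what `-s` would select.
from collections import defaultdict

# Constructed sample output in that column order (not real capture data).
SAMPLE_RA_OUTPUT = """\
10.1.1.5   203.0.113.10  tcp  443  120000  900000  1020000
10.1.1.5   203.0.113.11  tcp  443   80000  400000   480000
10.1.1.7   203.0.113.10  tcp  443   10000   50000    60000
10.1.1.9   203.0.113.12  tcp   80    5000   20000    25000
10.1.1.7   203.0.113.13  tcp  443   30000  200000   230000
"""

def parse_ra(text):
    """Split ra's whitespace-separated columns into dicts; skip blank or odd lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # blank line, or a header/summary line we did not ask for
        saddr, daddr, proto, dport, sbytes, dbytes, total = parts
        rows.append({"saddr": saddr, "daddr": daddr, "proto": proto,
                     "dport": int(dport), "sbytes": int(sbytes),
                     "dbytes": int(dbytes), "bytes": int(total)})
    return rows

def top_talkers(rows, dport, n=10):
    """Sum bytes per source for one service and return the n largest,
    the same summary `racluster -M rmon -m saddr | rasort -m bytes` yields."""
    totals = defaultdict(int)
    for r in rows:
        if r["dport"] == dport:
            totals[r["saddr"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def peers_of(rows, saddr, dport):
    """Drill-down: destinations one source talked to on that service, by bytes."""
    totals = defaultdict(int)
    for r in rows:
        if r["saddr"] == saddr and r["dport"] == dport:
            totals[r["daddr"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    rows = parse_ra(SAMPLE_RA_OUTPUT)
    for addr, nbytes in top_talkers(rows, 443, n=3):
        print(f"{addr:16} {nbytes:>10}")
    print(peers_of(rows, "10.1.1.5", 443))
```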
-----Original Message-----
From: Carter Bullard [mailto:carter at qosient.com]
Sent: Wednesday, 5 March 2008 12:22 a.m.
To: Stewart Gray
Cc: Pablo J. Rebollo-Sosa; Argus
Subject: Re: [ARGUS] Top talkers on particular service
Hey Stewart,
All the tools support the "-M rmon" mode now, so you add that to your
racluster() call.
racluster -M rmon -m proto dport
Should be the equivalent. Adding a " - tcp or udp" filter may be a good
idea here.
If you have any problems, don't hesitate to send mail!!
Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-----Original Message-----
From: "Stewart Gray" <Stewart.Gray at safecom.co.nz>
Date: Tue, 4 Mar 2008 16:56:44
To: "Carter Bullard" <carter at qosient.com>
Cc: "Pablo J. Rebollo-Sosa" <Pablo.Rebollo at ece.uprm.edu>, <argus-info at lists.andrew.cmu.edu>
Subject: RE: [ARGUS] Top talkers on particular service
I figure I may as well do them together in one hit. I've already
compiled them on another system (same hardware) so should just be a
matter of copying the binaries over.
Also, has 'ramon' been replaced by another tool? I can't seem to find it
in the new builds. I use it to graph service distribution in cacti,
"ramon -M Svc -nn -r argus-$DATE.arg - port 80 or 443". Is there a new
way to generate the same in 3.0?
Cheers,
Stewart
-----Original Message-----
From: Carter Bullard [mailto:carter at qosient.com]
Sent: Tuesday, 4 March 2008 4:48 p.m.
To: Stewart Gray
Cc: Pablo J. Rebollo-Sosa; argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Top talkers on particular service
Hey Stewart,
You don't have to upgrade your argus, just the client programs.
The new clients can read argus-2.x data fine.
Carter
On Mar 3, 2008, at 7:42 PM, Stewart Gray wrote:
> I'm actually still running argus 2.0.6 on the machine in question, I
> guess I have to upgrade first to use racluster :)
>
> Thanks for the command, I'll give it a crack this evening.
>
> Cheers,
>
> Stewart
>
> -----Original Message-----
> From: Pablo J. Rebollo-Sosa [mailto:Pablo.Rebollo at ece.uprm.edu]
> Sent: Tuesday, 4 March 2008 10:08 a.m.
> To: Stewart Gray
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Top talkers on particular service
>
> Stew,
>
> You could try the following.
>
> racluster -r argus.* -M rmon -m saddr -w - - port https | rasort -m
> bytes -w - | ra -N 20 -s saddr trans:10 sbytes:14 dbytes:14 bytes:14
>
> Best regards,
>
> Pablo J. Rebollo
>
> Stewart Gray wrote:
>> Hey Guys,
>>
>> A simple question, I'm sure. How do you get a list of top talkers for a
>> particular service? In real terms, I'm seeing a large spike in https
>> traffic and I'd like to know who is generating the traffic. I've
>> played with 'ramon -M Matrix' but I'm only interested in the src
>> addresses initially. Once I've determined the top talker it'd be good
>> to drill it down to find what it's talking to.
>>
>> Have you considered putting an argus cheat sheet of sorts on your
>> page?
>> It could cover a bunch of argus tool usage examples. It'd be useful
>> for these sorts of queries :)
>>
>> Thanks,
>>
>> Stew
>> #####################################################################################
>> Important: This electronic message and attachments (if any) are confidential
>> and may be legally privileged. If you are not the intended recipient do not
>> copy, disclose or use the contents in any way. Please let us know by return
>> e-mail immediately and then destroy this message.
>> #####################################################################################