Top talkers on particular service
Pablo J. Rebollo
Pablo.Rebollo at ece.uprm.edu
Tue Mar 4 17:49:47 EST 2008
Stewart,
What I understand is that you need to select the flows with port 80 and
443 as destination.
root at nsm:~# racluster -n -L0 -r argus.2008.03.04.16.15.00 -m proto
dport -s proto dport trans pkts bytes - tcp dst port \( 80 or 443 \)
Proto Dport Trans TotPkts TotBytes
tcp 80 11267 443965 387447782
tcp 443 690 12372 5559044
I'm a newbie to argus so I can be wrong. ;)
Best regards,
Pablo J. Rebollo
Stewart Gray wrote:
> Hi Carter,
>
> I'm getting drastically different output from the two commands. My old
> rmon query generates data in the following format:
>
> ramon -M Svc -nn -r argus-$DATE.arg - port 80 or 443
> 05 Mar 08 06:24:01 tcp 80 99815 169095 11716369 207006588
> 05 Mar 08 06:24:01 tcp 443 24922 26705 4467460 17872873
>
> racluster -r argus-$DATE.arg -M rmon -m proto dport - tcp port 80 or 443
> 12:59:01.844654 e ip 0.0.0.0 <-> 0.0.0.0 51493 26433582 CON
> 12:59:01.844654 e ip 0.0.0.0 <-> 0.0.0.0 124 62776 CON
> 12:59:02.228595 e ip 0.0.0.0 <-> 0.0.0.0 42 6650 CON
> 12:59:02.243649 e ip 0.0.0.0 <-> 0.0.0.0 42 6668 CON
> 12:59:02.262551 e ip 0.0.0.0 <-> 0.0.0.0 42 6626 CON
> 12:59:02.265125 e ip 0.0.0.0 <-> 0.0.0.0 42 6634 CON
> 12:59:02.275250 e ip 0.0.0.0 <-> 0.0.0.0 42 6692 CON
> 12:59:02.283064 e ip 0.0.0.0 <-> 0.0.0.0 42 6662 CON
>
> etc....this presents over 300 results. I'm guessing it's showing each
> connection rather than a summary like I'm after.
>
> Where have I gone wrong?
>
> Cheers,
>
> Stew
>
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: Wednesday, 5 March 2008 12:22 a.m.
> To: Stewart Gray
> Cc: Pablo J. Rebollo-Sosa; Argus
> Subject: Re: [ARGUS] Top talkers on particular service
>
> Hey Stewart,
> All the tools support the "-M rmon" mode now, so you add that to your
> racluster() call.
>
> racluster -M rmon -m proto dport
>
> Should be the equivalent. Adding a " - tcp or udp" filter may be a good
> idea here.
>
> If you have any problems, don't hesitate to send mail!!
>
> Carter
>
> Carter Bullard
> QoSient LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> -----Original Message-----
> From: "Stewart Gray" <Stewart.Gray at safecom.co.nz>
>
> Date: Tue, 4 Mar 2008 16:56:44
> To:"Carter Bullard" <carter at qosient.com> Cc:"Pablo J. Rebollo-Sosa"
> <Pablo.Rebollo at ece.uprm.edu>,<argus-info at lists.andrew.cmu.edu>
> Subject: RE: [ARGUS] Top talkers on particular service
>
>
> I figure I may as well do them together in one hit. I've already
> compiled them on another system (same hardware) so should just be a
> matter of copying the binaries over.
>
> Also, has 'ramon' been replaced by another tool? I can't seem to find it
> in the new builds. I use it to graph service distribution in cacti,
> "ramon -M Svc -nn -r argus-$DATE.arg - port 80 or 443". Is there a new
> way to generate the same in 3.0?
>
> Cheers,
>
> Stewart
>
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: Tuesday, 4 March 2008 4:48 p.m.
> To: Stewart Gray
> Cc: Pablo J. Rebollo-Sosa; argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Top talkers on particular service
>
> Hey Stewart,
> You don't have to upgrade your argus, just the client programs.
> The new clients can read argus-2.x data fine.
>
> Carter
>
>
>
>
>
> On Mar 3, 2008, at 7:42 PM, Stewart Gray wrote:
>
>
>> I'm actually still running argus 2.0.6 on the machine in question, I
>> guess I have to upgrade first to use racluster :)
>>
>> Thanks for the command, I'll give it a crack this evening.
>>
>> Cheers,
>>
>> Stewart
>>
>> -----Original Message-----
>> From: Pablo J. Rebollo-Sosa [mailto:Pablo.Rebollo at ece.uprm.edu]
>> Sent: Tuesday, 4 March 2008 10:08 a.m.
>> To: Stewart Gray
>> Cc: argus-info at lists.andrew.cmu.edu
>> Subject: Re: [ARGUS] Top talkers on particular service
>>
>> Stew,
>>
>> You could try the following.
>>
>> racluster -r argus.* -M rmon -m saddr -w - - port https | rasort -m
>> bytes -w - | ra -N 20 -s saddr trans:10 sbytes:14 dbytes:14 bytes:14
>>
>> Best regards,
>>
>> Pablo J. Rebollo
>>
>> Stewart Gray wrote:
>>
>>> Hey Guys,
>>>
>>> A simple question I'm sure. How do you get a list of top talkers for a
>>> particular service? In real terms, I'm seeing a large spike in https
>>> traffic and I'd like to know who is generating the traffic. I've
>>> played with 'ramon -M Matrix' but I'm only interested in the src
>>> addresses initially. Once I've determined the top talker it'd be good
>>> to drill it down to find what it's talking to.
>>>
>>> Have you considered putting an argus cheat sheet of sorts on your
>>> page?
>>
>>> It could cover a bunch of argus tool usage examples. It'd be useful
>>> for these sorts of queries :)
>>>
>>> Thanks,
>>>
>>> Stew
>>> #####################################################################################
>>> Important: This electronic message and attachments (if any) are
>>> confidential and may be legally privileged. If you are not the
>>> intended recipient do not copy, disclose or use the contents in any
>>> way. Please let us know by return e-mail immediately and then destroy
>>> this message.
>>> #####################################################################################
>>>
>
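An added example, not code from the argus tools or from anyone in this thread: the aggregation that the pipeline in the thread performs (racluster -m saddr on one service, rasort -m bytes, ra -N), written out in plain Python over constructed ra-style records so the grouping and ordering can be checked offline, together with the per-destination drill-down Stewart asked about. The record field order, the sample addresses and byte counts, and the function names are assumptions.

```python
# Added example, not code from the argus tools or from this thread: plain-Python
# equivalent of "racluster -m saddr - tcp dst port 443 | rasort -m bytes | ra -N 20"
# plus a per-destination drill-down. Field order and sample values are constructed.
from collections import defaultdict

# Constructed ra-style export: saddr sport daddr dport proto sbytes dbytes
SAMPLE = """\
10.1.1.5 51234 203.0.113.10 443 tcp 12000 340000
10.1.1.5 51235 203.0.113.11 443 tcp 8000 220000
10.1.1.7 40001 203.0.113.10 443 tcp 1500 9000
10.1.1.9 40002 203.0.113.12 80 tcp 5000 70000
10.1.1.5 51236 203.0.113.10 80 tcp 3000 40000
10.1.1.8 40003 203.0.113.13 443 udp 700 700
"""
FIELDS = ("saddr", "sport", "daddr", "dport", "proto", "sbytes", "dbytes")

def parse(text):
    """Turn whitespace-separated records into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for k in ("sport", "dport", "sbytes", "dbytes"):
            rec[k] = int(rec[k])
        flows.append(rec)
    return flows

def top_talkers(flows, dport, proto="tcp", n=20):
    """Per-source totals on one service (racluster -m saddr), sorted by bytes
    (rasort -m bytes) and cut to n rows (ra -N n): (saddr, trans, sbytes, dbytes, bytes)."""
    agg = defaultdict(lambda: [0, 0, 0])  # saddr -> [trans, sbytes, dbytes]
    for f in flows:
        if f["proto"] == proto and f["dport"] == dport:
            a = agg[f["saddr"]]
            a[0] += 1
            a[1] += f["sbytes"]
            a[2] += f["dbytes"]
    rows = [(s, t, sb, db, sb + db) for s, (t, sb, db) in agg.items()]
    rows.sort(key=lambda r: (-r[4], r[0]))  # bytes descending, address as tie-break
    return rows[:n]

def drill_down(flows, saddr, dport, proto="tcp"):
    """Destinations one talker reaches on that service, bytes descending."""
    agg = defaultdict(int)
    for f in flows:
        if f["saddr"] == saddr and f["proto"] == proto and f["dport"] == dport:
            agg[f["daddr"]] += f["sbytes"] + f["dbytes"]
    return sorted(agg.items(), key=lambda kv: (-kv[1], kv[0]))
```

Note that the udp record on port 443 is left out of the tcp top-talker list, which is why the thread suggests adding an explicit protocol filter rather than matching on port alone.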