Top talkers on particular service
Carter Bullard
carter at qosient.com
Tue Mar 4 18:53:16 EST 2008
Hey Stewart,
I should have been more detailed, sorry!!! Pablo's example works
very well for getting flows that are well formed, where the dst ports
reflect the service ports.
When the records are not well formed, you need the "-M rmon" option
to make the records direction-less. Because of the direction-less nature
you can use "dport" or "sport" as the merge key, but you have to be
consistent, as you will need to pipe the output to ra() to select the
ports you're interested in:
racluster -M rmon -r argus.file -m proto dport -w - | \
ra -L 0 -s stime dur proto dport spkts dpkts sbytes dbytes - port 80 or 443
This is what ramon() was doing, and I can recreate the program as a shell
script if it makes it easier.
Carter
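The direction-less counting Carter describes, as an added example that is not argus code and not part of the thread: it emulates, in Python on constructed records laid out like a CSV export of the fields used above (the field order is an assumption), why a record whose service port landed in sport must still be credited to that service, and lists the top clients for port 443 the way the racluster | rasort | ra pipeline earlier in the thread does.

```python
from collections import defaultdict
# Constructed sample, laid out like a CSV export of ra fields (order assumed):
# proto,saddr,sport,daddr,dport,sbytes,dbytes. Record 3 is "not well formed":
# the service port 443 sits in sport because the flow was first seen in the
# server-to-client direction, so a dport-only match would miss it.
SAMPLE = """\
tcp,10.1.1.5,51493,192.0.2.10,443,9000,400000
tcp,10.1.1.7,51601,192.0.2.10,443,3000,95000
tcp,192.0.2.11,443,10.1.1.5,40231,650000,7000
tcp,10.1.1.9,53120,192.0.2.12,80,1500,60000
udp,10.1.1.5,5353,224.0.0.251,5353,800,0
"""
FIELDS = ["proto", "saddr", "sport", "daddr", "dport", "sbytes", "dbytes"]

def parse(text):
    """Turn the CSV lines into dicts with numeric ports and byte counts."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        vals = line.split(",")
        if len(vals) != len(FIELDS):
            raise ValueError("malformed record: %r" % line)
        r = dict(zip(FIELDS, vals))
        for k in ("sport", "dport", "sbytes", "dbytes"):
            r[k] = int(r[k])
        recs.append(r)
    return recs

def service_bytes(recs, proto, port, directionless=True):
    """Bytes per client host for one service port. directionless=True
    mirrors the idea behind "-M rmon": the record counts when the service
    port is on either side and the client is the other address.
    directionless=False is the well-formed assumption (port must be dport)."""
    per_host = defaultdict(int)
    for r in recs:
        if r["proto"] != proto:
            continue
        if r["dport"] == port:
            client = r["saddr"]
        elif directionless and r["sport"] == port:
            client = r["daddr"]          # reversed record: client is daddr
        else:
            continue
        per_host[client] += r["sbytes"] + r["dbytes"]
    return dict(per_host)

def top_talkers(recs, proto, port, n=20):
    """Clients sorted by total bytes, like rasort -m bytes | ra -N n."""
    return sorted(service_bytes(recs, proto, port).items(),
                  key=lambda kv: kv[1], reverse=True)[:n]
```

Running both modes over the sample shows the gap a well-formed-only query leaves: the reversed record's 657000 bytes for 10.1.1.5 only appear in the direction-less view.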
Stewart Gray wrote:
> Hi Carter,
>
> I'm getting drastically different output from the two commands. My old
> rmon query generates data in the following format:
>
> ramon -M Svc -nn -r argus-$DATE.arg - port 80 or 443
> 05 Mar 08 06:24:01 tcp 80 99815 169095 11716369 207006588
> 05 Mar 08 06:24:01 tcp 443 24922 26705 4467460 17872873
>
> racluster -r argus-$DATE.arg -M rmon -m proto dport - tcp port 80 or 443
> 12:59:01.844654 e ip 0.0.0.0 <-> 0.0.0.0 51493 26433582 CON
> 12:59:01.844654 e ip 0.0.0.0 <-> 0.0.0.0 124 62776 CON
> 12:59:02.228595 e ip 0.0.0.0 <-> 0.0.0.0 42 6650 CON
> 12:59:02.243649 e ip 0.0.0.0 <-> 0.0.0.0 42 6668 CON
> 12:59:02.262551 e ip 0.0.0.0 <-> 0.0.0.0 42 6626 CON
> 12:59:02.265125 e ip 0.0.0.0 <-> 0.0.0.0 42 6634 CON
> 12:59:02.275250 e ip 0.0.0.0 <-> 0.0.0.0 42 6692 CON
> 12:59:02.283064 e ip 0.0.0.0 <-> 0.0.0.0 42 6662 CON
>
> etc....this presents over 300 results. I'm guessing it's showing each
> connection rather than a summary like I'm after.
>
> Where have I gone wrong?
>
> Cheers,
>
> Stew
>
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: Wednesday, 5 March 2008 12:22 a.m.
> To: Stewart Gray
> Cc: Pablo J. Rebollo-Sosa; Argus
> Subject: Re: [ARGUS] Top talkers on particular service
>
> Hey Stewart,
> All the tools support the "-M rmon" mode now, so you add that to your
> racluster() call.
>
> racluster -M rmon -m proto dport
>
> Should be the equivalent. Adding a " - tcp or udp" filter may be a good
> idea here.
>
> If you have any problems, don't hesitate to send mail!!
>
> Carter
>
> Carter Bullard
> QoSient LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> -----Original Message-----
> From: "Stewart Gray" <Stewart.Gray at safecom.co.nz>
>
> Date: Tue, 4 Mar 2008 16:56:44
> To:"Carter Bullard" <carter at qosient.com> Cc:"Pablo J. Rebollo-Sosa"
> <Pablo.Rebollo at ece.uprm.edu>,<argus-info at lists.andrew.cmu.edu>
> Subject: RE: [ARGUS] Top talkers on particular service
>
>
> I figure I may as well do them together in one hit. I've already
> compiled them on another system (same hardware) so should just be a
> matter of copying the binaries over.
>
> Also, has 'ramon' been replaced by another tool? I can't seem to find it
> in the new builds. I use it to graph service distribution in cacti,
> "ramon -M Svc -nn -r argus-$DATE.arg - port 80 or 443". Is there a new
> way to generate the same in 3.0?
>
> Cheers,
>
> Stewart
>
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: Tuesday, 4 March 2008 4:48 p.m.
> To: Stewart Gray
> Cc: Pablo J. Rebollo-Sosa; argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Top talkers on particular service
>
> Hey Stewart,
> You don't have to upgrade your argus, just the client programs.
> The new clients can read argus-2.x data fine.
>
> Carter
>
> On Mar 3, 2008, at 7:42 PM, Stewart Gray wrote:
>
>
>> I'm actually still running argus 2.0.6 on the machine in question, I
>> guess I have to upgrade first to use racluster :)
>>
>> Thanks for the command, I'll give it a crack this evening.
>>
>> Cheers,
>>
>> Stewart
>>
>> -----Original Message-----
>> From: Pablo J. Rebollo-Sosa [mailto:Pablo.Rebollo at ece.uprm.edu]
>> Sent: Tuesday, 4 March 2008 10:08 a.m.
>> To: Stewart Gray
>> Cc: argus-info at lists.andrew.cmu.edu
>> Subject: Re: [ARGUS] Top talkers on particular service
>>
>> Stew,
>>
>> You could try the following.
>>
>> racluster -r argus.* -M rmon -m saddr -w - - port https | rasort -m
>> bytes -w - | ra -N 20 -s saddr trans:10 sbytes:14 dbytes:14 bytes:14
>>
>> Best regards,
>>
>> Pablo J. Rebollo
>>
>> Stewart Gray wrote:
>>
>>> Hey Guys,
>>>
>>> A simple question I'm sure. How do you get a list of top talkers for a
>>> particular service? In real terms, I'm seeing a large spike in https
>>> traffic and I'd like to know who is generating the traffic. I've
>>> played with 'ramon -M Matrix' but I'm only interested in the src
>>> addresses initially. Once I've determined the top talker it'd be good
>>> to drill it down to find what it's talking to.
>>>
>>> Have you considered putting an argus cheat sheet of sorts on your
>>> page?
>>>
>>> It could cover a bunch of argus tool usage examples. It'd be useful
>>> for these sorts of queries :)
>>>
>>> Thanks,
>>>
>>> Stew
>>> #####################################################################################
>>> Important: This electronic message and attachments (if any) are
>>> confidential and may be legally privileged. If you are not the
>>> intended recipient do not copy, disclose or use the contents in any
>>> way. Please let us know by return e-mail immediately and then destroy
>>> this message.
>>> #####################################################################################
>>>