Top talkers on particular service

Stewart Gray Stewart.Gray at safecom.co.nz
Thu Mar 6 20:32:32 EST 2008


awesome, that's more like what I was after :) Thanks for your help
again. 

As I mentioned earlier, I reckon it'd be neat to have some sort of cheat
sheet for doing common tasks. I bet there's lot's of stuff you know that
others don't, having written the application yourself. I don't know what
I don't know!

-----Original Message-----
From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Thursday, 6 March 2008 2:00 a.m.
To: Carter Bullard; argus-info-bounces at lists.andrew.cmu.edu; Stewart
Gray
Cc: Pablo J. Rebollo-Sosa; Argus
Subject: Re: [ARGUS] Top talkers on particular service

Hey Stewart,
I need to read my own mail more often, I made a mistake on the command.
In the selection filter, because we merged on the dport, you need to
filter on the "dst port".

So instead of this:
>    racluster -M rmon -r argus.file -m proto dport -w - | \
>   ra -L 0 -s stime dur proto dport spkts dpkts sbytes dbytes - port 80
or 443

It should be:

   racluster -M rmon -r argus.file -m proto dport -w - | \
   ra -L 0 -s stime dur proto dport spkts dpkts sbytes dbytes - dst port
80 
or 443


rmon mode basically duplicates the records, swapping the direction
sensitive fields, and in the process it generates double the data.
Depending on the mode of operation, the bad command could return lines
with unintended port number values.

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

-----Original Message-----
From: Carter Bullard <carter at qosient.com>

Date: Tue, 04 Mar 2008 18:53:16 
To:Stewart Gray <Stewart.Gray at safecom.co.nz>
Cc:"Pablo J. Rebollo-Sosa" <Pablo.Rebollo at ece.uprm.edu>,       Argus
<argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] Top talkers on particular service


Hey Stewart,
I should have been more detailed, sorry!!!  Pablo's example works
very well for getting flows that are well formed, where the dst ports
reflect the service ports.

When the records are not well formed, you need the "-M rmon" option
to make the records direction-less.  Because of the direction-less
nature
you can use "dport" or "sport" as the merge key, but you have to be 
consistent,
as you will need to pipe the output to ra() to select the ports you're 
interested in:

   racluster -M rmon -r argus.file -m proto dport -w - | \
   ra -L 0 -s stime dur proto dport spkts dpkts sbytes dbytes - port 80 
or 443

This is what ramon() was doing, and I can recreate the program a shell 
script if
it makes is easier.

Carter

Stewart Gray wrote:
> Hi Carter, 
>
> I'm getting drastically different output from the two commands. My old
> rmon query generates data in the following format:
>
> ramon -M Svc -nn -r argus-$DATE.arg - port 80 or 443
> 05 Mar 08 06:24:01  tcp 80               99815    169095    11716369
> 207006588
> 05 Mar 08 06:24:01  tcp 443              24922    26705     4467460
> 17872873
>
> racluster -r argus-$DATE.arg -M rmon -m proto dport - tcp port 80 or
443
> 12:59:01.844654  e          ip            0.0.0.0          <->
> 0.0.0.0           51493   26433582   CON
> 12:59:01.844654  e          ip            0.0.0.0          <->
> 0.0.0.0             124      62776   CON
> 12:59:02.228595  e          ip            0.0.0.0          <->
> 0.0.0.0              42       6650   CON
> 12:59:02.243649  e          ip            0.0.0.0          <->
> 0.0.0.0              42       6668   CON
> 12:59:02.262551  e          ip            0.0.0.0          <->
> 0.0.0.0              42       6626   CON
> 12:59:02.265125  e          ip            0.0.0.0          <->
> 0.0.0.0              42       6634   CON
> 12:59:02.275250  e          ip            0.0.0.0          <->
> 0.0.0.0              42       6692   CON
> 12:59:02.283064  e          ip            0.0.0.0          <->
> 0.0.0.0              42       6662   CON
>
> etc....this presents over 300 results. I'm guessing it's showing each
> connection rather than a summary like I'm after.
>
> Where have I gone wrong?
>
> Cheers, 
>
> Stew
>
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Wednesday, 5 March 2008 12:22 a.m.
> To: Stewart Gray
> Cc: Pablo J. Rebollo-Sosa; Argus
> Subject: Re: [ARGUS] Top talkers on particular service
>
> Hey Stewart,
> All the tools support the "-M rmon" mode now, so you add that to your
> racluister() call.
>
>   racluster -M rmon -m proto dport
>
> Should be the equivalent. Adding a " - tcp or udp" filter maybe a good
> idea here.
>
> If you have any problems, don't hesitate to send mail!!
>
> Carter
>
> Carter Bullard
> QoSient LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> -----Original Message-----
> From: "Stewart Gray" <Stewart.Gray at safecom.co.nz>
>
> Date: Tue, 4 Mar 2008 16:56:44
> To:"Carter Bullard" <carter at qosient.com> Cc:"Pablo J. Rebollo-Sosa"
> <Pablo.Rebollo at ece.uprm.edu>,<argus-info at lists.andrew.cmu.edu>
> Subject: RE: [ARGUS] Top talkers on particular service
>
>
> I figure I may as well do them together in one hit. I've already
> compiled them on another system (same hardware) so should just be a
> matter of copying the binaries over.
>
> Also, has 'ramon' been replaced by another tool? I cant seem to find
it
> in the new builds. I use it to graph service distribution in cacti,
> "ramon -M Svc -nn -r argus-$DATE.arg - port 80 or 443". Is there a new
> way to generate the same in 3.0 ?
>
> Cheers, 
>
> Stewart
>
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Tuesday, 4 March 2008 4:48 p.m.
> To: Stewart Gray
> Cc: Pablo J. Rebollo-Sosa; argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Top talkers on particular service
>
> Hey Stewart,
> You don't have to upgrade your argus, just the client programs.
> The new clients can read argus-2.x data fine.
>
> Carter
>
>
>
>
>
> On Mar 3, 2008, at 7:42 PM, Stewart Gray wrote:
>
>   
>> I'm actually still running argus 2.0.6 on the machine in question, I 
>> guess I have to upgrade first to use racluster :)
>>
>> Thanks for the command, i'll give it a crack this evening.
>>
>> Cheers,
>>
>> Stewart
>>
>> -----Original Message-----
>> From: Pablo J. Rebollo-Sosa [mailto:Pablo.Rebollo at ece.uprm.edu]
>> Sent: Tuesday, 4 March 2008 10:08 a.m.
>> To: Stewart Gray
>> Cc: argus-info at lists.andrew.cmu.edu
>> Subject: Re: [ARGUS] Top talkers on particular service
>>
>> Stew,
>>
>> You could try the following.
>>
>> racluster -r argus.* -M rmon -m saddr  -w - - port https | rasort -m 
>> bytes -w - | ra -N 20 -s saddr trans:10 sbytes:14 dbytes:14 bytes:14
>>
>> Best regards,
>>
>> Pablo J. Rebollo
>>
>> Stewart Gray wrote:
>>     
>>> Hey Guys,
>>>
>>> A simply question im sure. How do you get a list of top talkers for
a
>>>       
>
>   
>>> particular service. In real terms, I'm seeing a large spike in https

>>> traffic and I'd like to know who is generating the traffic. I've 
>>> played with 'ramon -M Matrix' but I'm only interested in the src 
>>> addresses initially. Once i've determine the top talker it'd be good

>>> to drill it down to find what it's talking to.
>>>
>>> Have you considering putting an argus cheat sheet of sorts on your
>>>       
>> page?
>>     
>>> It could cover a bunch of argus tool usage examples. It'd be useful 
>>> for these sorts of queries :)
>>>
>>> Thanks,
>>>
>>> Stew
>>>
#####################################################################
>>> #
>>> ###############
>>> Important: This electronic message and attachments (if any) are 
>>> confidential and may be legally privileged. If you are not the 
>>> intended recipient do not copy, disclose or use the contents in any 
>>> way. Please let us know by return e-mail immediately and then
destroy
>>>       
>> this message.
>>     
>>>
#####################################################################
>>> #
>>> ###############
>>>       
>>
######################################################################
>> ###############
>> Important: This electronic message and attachments (if any) are 
>> confidential and may be legally privileged. If you are not the 
>> intended recipient do not copy, disclose or use the contents in any 
>> way. Please let us know by return e-mail immediately and then destroy

>> this message.
>>
######################################################################
>> ###############
>>
>>     
>
>
########################################################################
> #############
> Important: This electronic message and attachments (if any) are
> confidential
> and may be legally privileged. If you are not the intended recipient
do
> not
> copy, disclose or use the contents in any way. Please let us know by
> return
> e-mail immediately and then destroy this message.
>
########################################################################
> #############
>
>
########################################################################
#############
> Important: This electronic message and attachments (if any) are
confidential
> and may be legally privileged. If you are not the intended recipient
do not
> copy, disclose or use the contents in any way. Please let us know by
return
> e-mail immediately and then destroy this message.
>
########################################################################
#############
>
>   


#####################################################################################
Important: This electronic message and attachments (if any) are confidential
and may be legally privileged. If you are not the intended recipient do not
copy, disclose or use the contents in any way. Please let us know by return
e-mail immediately and then destroy this message.
#####################################################################################



More information about the argus mailing list