Cheat sheet premiere
Stéphane Peters
stephane.peters at forem.be
Fri Mar 7 14:24:13 EST 2008
Hi Stewart,
I also think that a cheat sheet would be nice!
Here is a good occasion to show mine...
Please note, most of the stuff has been collected right from this argus list,
so hopefully you won't have to browse all the (numerous) past messages.
Any suggestions?
------------------------------------------------------------------------
Flow filtering on a certain port range:
ra -r file - dst port \( gt 1024 and lt 2048 \)
use racluster() to generate the counts you are looking for:
racluster -m proto -r file -s proto spkts dpkts sbytes dbytes
% racluster -m proto -r $file -s proto spkts dpkts sbytes dbytes
udp 15567 12390 2912004 3240927
tcp 900187 866302 410506598 722771403
icmp 645 522 123240 61250
Packet loss (with IP addresses):
ragraph loss saddr daddr -M 10s -r argus.out - -title 'Packet Loss / IPs' -w ploss.png
Packet loss (number of packets):
ragraph loss spkts dpkts -M 10s -r argus.out - -title 'Packet Loss / Packets' -w ploss2.png
Jitter (number of packets):
ragraph jitter saddr daddr -M 10s -r argus.out - -title 'Jitter' -w jitter.png
Concurrent transactions:
ragraph trans -M 10s -r argus.out - -title 'Concurrent Transactions' -w transac.png
Top talkers & listeners:
racluster -m matrix -r argus.out -w - | rasort -m bytes -w - | ra -nu
Rastrip always removes argus management transactions, thus having the same effect
as a 'not man' filter expression.
To remove the tcp network DSR:
rastrip -m -net (or something like it)
To see if you get something useful:
rastrip -m time flow metric
Yes, you can pipe rastrip(). Try something like this:
rastrip -S server -w - | rasplit [options] -r -
racluster -r input -M net 192.168.0.0/16 -m daddr/16 - "host 192.168.0.10 or host 192.168.0.11"
ra -r $file - -s saddr sport daddr dport
> SrcAddr Sport DstAddr Dport
> 1.2.3.58.1140 1.2.4.5.41460
> 1.2.3.55.4100 1.2.4.5.41460
> 1.2.3.3.3336 1.2.5.6.135
Split records into 5 minute files:
rasplit -M time 5m -S argus-north... -w /var/log/argus/\$srcid/%Y/%m/%d/file.%Y.%m%d.%H.%M.%S
One for every day:
rasplit -S radium -M 1d -w /path/argus-\$srcid.%Y.%m.%d.log
rastream -S argus -B 15s -w /archive/\$srcid//%Y/%m/%d/ntam.%Y.%m.%d.%H.%M.%S -f /usr/local/bin/rastreamshell
Comma separated values (CSV) output:
%cat ra3.conf.t
RA_PRINT_LABELS=0
RA_FIELD_DELIMITER=','
RA_PRINT_NAMES=proto
RA_TIME_FORMAT="%y-%m-%d %T"
RA_PRINT_DURATION=no
RA_PRINT_LASTIME=yes
%ra3 -F ra3.conf.t -r icmp3.argus | more
StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,SrcPkts,DstPkts,SrcBytes,DstBytes,State
06-06-27 11:20:28.911941, v ,icmp,142.58.201.99,,->,142.58.201.254,,1,0,102,0,ECO
06-06-27 11:20:28.911946, v ,icmp,142.58.201.99,,->,142.58.201.254,,1,0,102,0,ECO
06-06-27 11:20:28.911951, v ,icmp,142.58.201.99,,->,142.58.201.254,,1,0,102,0,ECO
racluster -m saddr/23 daddr proto dport -w - -r file - dst net
10.1.2.0/23 \
| rasort -m proto daddr dport dbytes - \
-s ltime saddr sport daddr dport spkts dpkts sbytes dbytes \
|less
To do top talkers for, say, IP addresses
(racluster can do it for any object in the record: top mac addrs, top tos bytes,
top mpls label, top vlan, top port, top ttl, etc....):
racluster -M rmon -m saddr -r input.file - ip
A list with two columns, IP address and bytes used:
racluster -M rmon -m saddr -r /var/log/argus/bridge0/argus.out -w - - ip \
  | rasort -m bytes -s saddr bytes | head -20
A list with two columns, IP address and bytes used (Carter's version):
racluster -M rmon -m proto sport -r input.file -w - - ip | \
  rasort -m bytes proto sport -s stime dur proto sport spkts dpkts sbytes dbytes
Already there. If you have vlan input traffic, adding
-s +svlan +dvlan
to your ra command will display the VLAN tag values, and you can filter
ra (or other clients) traffic on vlan tags.
top src address based on src bytes in a collection of records
racluster -m saddr -w - -R 2006/09/28 - ip | rasort -m sbytes
top address, regardless of direction
(The "-M rmon" folds the src and dst addresses together,
putting the values into the saddr field.):
racluster -M rmon -m saddr -w - -R 2006/09/28 - ip | rasort -m sbytes
2007-0305
What is the current best way to get a report like:
ramon -nn -L0 -M svc -r filename - | head -25
racluster -M rmon -m proto sport -r file -w - - tcp or udp | \
ra -N 25 -s proto sport spkts dpkts sbytes dbytes
2007-0321
Looking for functionality like: ramon -M TopN or -M Matrix
Try this:
racluster -r file -M rmon -m saddr - ip      (this generates stats based on IP address)
racluster -r file -m matrix - ip             (based on IP matrix)
To do whatever TopN you want, pipe the output to rasort().
So to get the Top10 in packets received and transmitted:
racluster -r file -M rmon -m saddr -w - | rasort -m pkts -w - | ra -N 10
To get the Top5 in bytes per second transmitted:
racluster -r file -M rmon -m saddr -w - | rasort -m srate -w - | ra -N 5 -s +srate
2007-1102
I run the following collectors:
/opt/argus/sbin/argus -X -d -A -i eth2 -P 561
/opt/argus/sbin/radium -X -d -C -S 1006 -P 564
/opt/argus/sbin/radium -X -d -C -S 1007 -P 565
I have another process that aggregates these:
/opt/argus/sbin/radium -X -d -S localhost:561 -S localhost:564 -S \
localhost:565 -P 569
2008-0215
Some ragraph examples: ( http://search.gmane.org/?query=ragraph&group=gmane.network.argus )
ragraph bytes proto -M 60s -r strange-broadcast-10000.argus -fill -stack \
  -w ./strange-broadcast-10000.png
ragraph -r inputfiles* -t 12-13
ragraph spkts dport -M 1h -n -n -r argus.dat.04 - src net X/20
ragraph pkts dport -M 10s -T 60 -S 192.168.1.101 -p0
ragraph bytes saddr -M 1m -m saddr/24
rabins -M soft zero -p6 -GL0 -s ltime bytes -nn -M 1m \
-r files - srcid eligate1 and icmp | head
ragraph sbytes dbytes -M rmon time 1m -m smac -t 2007/10/04 \
-r file -w ragraph.png -- ether host 00:15:F2:64:92:13
ragraph pkts proto -M 1m -title 'eligate2: protocol distribution' \
-height 200 -t 2007/10/04 -r /var/log/argus/argus.log \
-w /var/www/argus/eligate2/proto/current.png - srcid eligate2 (???)
rahisto -r datafile -H drate 140:100-170K
bash> for i in 1s 2s 5s 10s 15s 20s 30s 45s 1m 2m 5m 10m 15m 20m 30m 1h 2h; do echo $i ;\
  ragraph rate dport -M $i -r output.file -t 18-20 -m proto dport -upper 5000 -lower 7000 \
  -title "Aggregation Metric Distribution Analysis - Resolution $i" ;\
  mv ragraph.png aggregation.$i.png; done
rasort -R ${stats_dir}/.../day -m bytes smac saddr -w - | ra -N 20 -w top20.talkers.list
ra -s addr -r top20.talkers.list > addrs.list
rafilteraddr -f addrs.list -R ${stats_dir}/..../daily > /tmp/data
ragraph spkts dpkts saddr -M 1m -w /tmp/ragraph.png
====> To insert data every 5 minutes, it can be as easy as:
rastream -S live.argus.stream -f yourMysqlImport.sh -M time 5m -B 15s \
  -w /opt/ARGUS/OUTBOUND/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S
This would generate an argus archive broken out by year/month/day containing
files every 5 minutes, and 15 seconds after the end of each 5 minute clock
boundary your script would be run against the file, indexing the data and then
compressing the file. It could remove the file if you're not interested in keeping
the archive etc......
2008-0305
When the records are not well formed, you need the "-M rmon" option
to make the records direction-less. Because of the direction-less nature
you can use "dport" or "sport" as the merge key, but you have to be consistent,
as you will need to pipe the output to ra() to select the ports you're interested in:
racluster -M rmon -r argus.file -m proto dport -w - | \
  ra -L 0 -s stime dur proto dport spkts dpkts sbytes dbytes - dst port 80 or 443
This is what ramon() was doing, and I can recreate the program as a shell script
if it makes it easier.
Bandwidth usage flow by flow on 26th Feb from 19h to 20h;
unnecessary columns have been cut to keep every record on a single line
(still working on it):
cd /archive/2008/02/26
racluster -M rmon -m saddr daddr -r argus.19.00.00.gz -w - - ip and dur gt 1 \
  | rasort -m sload -w - \
  | ra -N 15 -p 0 -s "-flgs -proto -dir -state +avgdur +sload +dload +trans"
------------------------------------------------------------------------
Stewart Gray wrote:
> awesome, that's more like what I was after :) Thanks for your help
> again.
>
> As I mentioned earlier, I reckon it'd be neat to have some sort of cheat
> sheet for doing common tasks. I bet there's lots of stuff you know that
> others don't, having written the application yourself. I don't know what
> I don't know!
>
Regards,
--
Stephane.Peters at forem.be, Postmaster at forem.be
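As an added example (not part of Stéphane's post, nor code from the argus distribution), the following POSIX shell script reproduces with awk, on a handful of constructed records in the CSV layout produced by the ra3.conf.t configuration above, what the two racluster idioms in the cheat sheet compute: 'racluster -m saddr ... | rasort -m bytes' credits each record's bytes to its source address only, whereas '-M rmon' counts every record once under each endpoint, with that endpoint's own sent and received bytes, so a server that never appears as SrcAddr still gets ranked. The addresses and counters are made up, and the rmon arithmetic is a reading of the behaviour the post describes, not a call into the argus tools.

```shell
#!/bin/sh
# Constructed sample records (not real capture data) in the CSV layout that
# the ra3.conf.t above produces with RA_FIELD_DELIMITER=',':
# StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,SrcPkts,DstPkts,SrcBytes,DstBytes,State
sample_records() {
    cat <<'EOF'
06-06-27 11:20:28.911941, v ,tcp,10.0.0.5,51234,->,192.168.1.10,80,10,8,1500,9000,CON
06-06-27 11:20:29.000001, v ,tcp,10.0.0.7,51235,->,192.168.1.10,443,20,18,4000,30000,CON
06-06-27 11:20:30.000002, v ,udp,10.0.0.5,5353,->,10.0.0.9,53,2,2,200,400,CON
06-06-27 11:20:31.000003, v ,tcp,192.168.1.10,443,->,10.0.0.7,51236,5,5,500,500,CON
EOF
}

# Directional view, the effect of 'racluster -m saddr ... | rasort -m bytes':
# the total bytes of every record (SrcBytes + DstBytes) are credited to the
# record's SrcAddr only.  Output: "addr total", largest first.
top_saddr_bytes() {
    awk -F, '{ bytes[$4] += $11 + $12 }
             END { for (a in bytes) printf "%s %d\n", a, bytes[a] }' |
    sort -k2,2nr
}

# Direction-less view, the effect of 'racluster -M rmon -m saddr': each record
# is counted once under each endpoint.  For the SrcAddr the record's SrcBytes
# are "sent" and DstBytes "received"; for the DstAddr it is the other way round.
# Output: "addr sent received total", largest total first.
top_addr_rmon_bytes() {
    awk -F, '{
        sent[$4] += $11; recv[$4] += $12
        sent[$7] += $12; recv[$7] += $11
      }
      END { for (a in sent) printf "%s %d %d %d\n", a, sent[a], recv[a], sent[a] + recv[a] }' |
    sort -k4,4nr
}

echo "== top source addresses (directional, like -m saddr) =="
sample_records | top_saddr_bytes
echo "== top addresses (direction-less, like -M rmon -m saddr) =="
sample_records | top_addr_rmon_bytes
```

On the sample, 10.0.0.7 tops the directional list because it only ever appears as a client, while the server 192.168.1.10 tops the rmon list with its 39500 bytes sent: that is the difference the "-M rmon folds the src and dst addresses together" remark above is pointing at, and the reason the cheat sheet pairs rmon output with rasort rather than trusting the saddr column alone.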