Cheat sheet premiere
Carter Bullard
carter at qosient.com
Fri Mar 7 15:27:41 EST 2008
Hey Stephane,
This is great!!!! I'll put this in the distribution, if you don't
mind!!!!
And I'll also go through it to make sure that any changes in the
code actually don't break this, and I can add some of the ones
that I do.
So Russell is asking for a wiki, and we already have one at:
http://www.vorant.com/nsmwiki/index.php?title=Argus
Carter
On Mar 7, 2008, at 2:24 PM, Stéphane Peters wrote:
> Hi Stewart,
>
> I also think that a cheat sheet would be nice !
> Here is a good occasion to show mine...
>
> Please note, most of the stuff has been collected right from this
> argus list,
> so hopefully, you shouldn't browse all the (numerous) past messages.
>
> Any suggestions ?
>
> flow filtering on certain port range:
> ra -r file - dst port \( gt 1024 and lt 2048 \)
>
> use racluster() to generate the counts you are looking for:
> racluster -m proto -r file -s proto spkts dpkts sbytes dbytes
>
> % racluster -m proto -r $file -s proto spkts dpkts sbytes dbytes
> udp 15567 12390 2912004 3240927
> tcp 900187 866302 410506598 722771403
> icmp 645 522 123240 61250
>
> Packet Loss (with IP address):
> ragraph loss saddr daddr -M 10s -r argus.out - -title 'Packet Loss / IPs' -w ploss.png
>
> Packet Loss (number of packets)
> ragraph loss spkts dpkts -M 10s -r argus.out - -title 'Packet Loss / Packets' -w ploss2.png
>
> Jitter (number of packets)
> ragraph jitter saddr daddr -M 10s -r argus.out - -title 'Jitter' -w jitter.png
>
> Concurrent transactions:
> ragraph trans -M 10s -r argus.out - -title 'Concurrent Transactions' -w transac.png2
>
> Top talkers & Listeners
> racluster -m matrix -r argus.out -w - | rasort -m bytes -w - | ra -nu
>
> Rastrip always removes argus management transactions, thus having the same effect
> as a 'not man' filter expression.
>
> to remove the tcp network DSR:
> rastrip -m -net (or something like it)
>
> to see if you get something useful:
> rastrip -m time flow metric
> Yes, you can pipe rastrip(). Try something like this:
> rastrip -S server -w - | rasplit [options] -r -
>
>
> racluster -r input -M net 192.168.0.0/16 -m daddr/16 - "host 192.168.0.10 or host 192.168.0.11"
>
>
> ra -r $file - -s saddr sport daddr dport
> > SrcAddr Sport DstAddr Dport
> > 1.2.3.58.1140 1.2.4.5.41460
> > 1.2.3.55.4100 1.2.4.5.41460
> > 1.2.3.3.3336 1.2.5.6.135
>
>
> Split records into 5 minute files
> rasplit -M time 5m -S argus-north... -w /var/log/argus/\$srcid/%Y/%m/%d/file.%Y.%m%d.%H.%M.%S
> one for every day
> rasplit -S radium -M 1d -w /path/argus-\$srcid.%Y.%m.%d.log
>
>
> rastream -S argus -B 15s -w /archive/\$srcid//%Y/%m/%d/ntam.%Y.%m.%d.%H.%M.%S -f /usr/local/bin/rastreamshell
>
> comma separated value
> %cat ra3.conf.t
> RA_PRINT_LABELS=0
> RA_FIELD_DELIMITER=','
> RA_PRINT_NAMES=proto
> RA_TIME_FORMAT="%y-%m-%d %T"
> RA_PRINT_DURATION=no
> RA_PRINT_LASTIME=yes
>
> %ra3 -F ra3.conf.t -r icmp3.argus | more
>
> StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,SrcPkts,DstPkts,SrcBytes,DstBytes,State
> 06-06-27 11:20:28.911941, v ,icmp,142.58.201.99,,->,142.58.201.254,,1,0,102,0,ECO
> 06-06-27 11:20:28.911946, v ,icmp,142.58.201.99,,->,142.58.201.254,,1,0,102,0,ECO
> 06-06-27 11:20:28.911951, v ,icmp,142.58.201.99,,->,142.58.201.254,,1,0,102,0,ECO
>
>
>
> racluster -m saddr/23 daddr proto dport -w - -r file - dst net
> 10.1.2.0/23 \
> | rasort -m proto daddr dport dbytes - \
> -s ltime saddr sport daddr dport spkts dpkts sbytes dbytes \
> |less
>
>
> To do a top talkers for say IP addresses
> (racluster can do it for any object in the record, top mac addrs, top
> tos bytes, top mpls label, top vlan, top port, top ttl, etc....):
> racluster -M rmon -m saddr -r input.file - ip
>
>
>
> a list with 2 columns, IP-address and bytes used:
> racluster -M rmon -m saddr -r /var/log/argus/bridge0/argus.out -w - - ip \
> | rasort -m bytes -s saddr bytes | head -20
>
> a list with 2 columns, IP-address and bytes used (carter version):
> racluster -M rmon -m proto sport -r input.file -w - - ip | \
> rasort -m bytes proto sport -s stime dur proto sport spkts dpkts sbytes dbytes
>
>
> Already there. If you have vlan input traffic adding
> -s +svlan +dvlan
> to your ra command will display the VLAN tag values and you can
> filter ra (or other clients) traffic on vlan tags.
>
>
> top src address based on src bytes in a collection of records
> racluster -m saddr -w - -R 2006/09/28 - ip | rasort -m sbytes
>
> top address, regardless of direction
> (The "-M rmon" folds the src and dst addresses together,
> putting the values into the saddr field.):
> racluster -M rmon -m saddr -w - -R 2006/09/28 - ip | rasort -m sbytes
>
> 2007-0305
> What is the current best way to get a report like:
> ramon -nn -L0 -M svc -r filename - | head -25
> racluster -M rmon -m proto sport -r file -w - - tcp or udp | \
> ra -N 25 -s proto sport spkts dpkts sbytes dbytes
>
> 2007-0321
> Looking for functionality like: ramon -M TopN or -M Matrix
> try this:
> racluster -r file -M rmon -m saddr - ip (this generates stats based on IP address)
> racluster -r file -m matrix - ip (based on IP matrix)
>
> to do whatever TopN you want, pipe the output to rasort().
> So to get the Top10 in packets received and transmitted:
> racluster -r file -M rmon -m saddr -w - | rasort -m pkts -w - | ra -N 10
>
> To get the Top5 in bytes per second transmitted:
> racluster -r file -M rmon -m saddr -w - | rasort -m srate -w - | ra -N 5 -s +srate
>
> 2007-1102
> I run the following collectors:
>
> /opt/argus/sbin/argus -X -d -A -i eth2 -P 561
> /opt/argus/sbin/radium -X -d -C -S 1006 -P 564
> /opt/argus/sbin/radium -X -d -C -S 1007 -P 565
>
> I have another process that aggregates these:
>
> /opt/argus/sbin/radium -X -d -S localhost:561 -S localhost:564 -S localhost:565 -P 569
>
> 2008-0215
> Some ragraph examples: ( http://search.gmane.org/?query=ragraph&group=gmane.network.argus )
> ragraph bytes proto -M 60s -r strange-broadcast-10000.argus -fill -stack \
> -w ./strange-broadcast-10000.png
> ragraph -r inputfiles* -t 12-13
> ragraph spkts dport -M 1h -n -n -r argus.dat.04 - src net X/20
> ragraph pkts dport -M 10s -T 60 -S 192.168.1.101 -p0
> ragraph bytes saddr -M 1m -m saddr/24
> rabins -M soft zero -p6 -GL0 -s ltime bytes -nn -M 1m \
> -r files - srcid eligate1 and icmp | head
> ragraph sbytes dbytes -M rmon time 1m -m smac -t 2007/10/04 \
> -r file -w ragraph.png -- ether host 00:15:F2:64:92:13
>
> ragraph pkts proto -M 1m -title 'eligate2: protocol distribution' \
> -height 200 -t 2007/10/04 -r /var/log/argus/argus.log \
> -w /var/www/argus/eligate2/proto/current.png - srcid eligate2 (???)
> rahisto -r datafile -H drate 140:100-170K
>
> bash> for i in 1s 2s 5s 10s 15s 20s 30s 45s 1m 2m 5m 10m 15m 20m 30m 1h 2h; do echo $i ;\
> ragraph rate dport -M $i -r output.file -t 18-20 -m proto dport -upper 5000 -lower 7000 \
> -title "Aggregation Metric Distribution Analysis - Resolution $i" ;\
> mv ragraph.png aggregation.$i.png; done
>
> rasort -R ${stats_dir}/.../day -m bytes smac saddr -w - \
> | ra -N 20 -w top20.talkers.list
> ; ra -s addr -r top20.talkers.list > addrs.list
> ; rafilteraddr -f addrs.list -R ${stats_dir}/..../daily > /tmp/data
> ; ragraph spkts dpkts saddr -M 1m -w /tmp/ragraph.png
>
>
>
> ====> to insert data every 5 minutes, it can be as easy as:
> rastream -S live.argus.stream -f yourMysqlImport.sh -M time 5m -B 15s \
> -w /opt/ARGUS/OUTBOUND/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S
>
> This would generate an argus archive broken out by year/month/day containing
> files every 5 minutes, and 15 seconds after the end of each 5 minute clock
> boundary, your script would be run against the file, indexing the data and then
> compressing the file. It could remove the file if you're not interested in keeping
> the archive etc......
>
>
> 2008-0305
> When the records are not well formed, you need the "-M rmon" option
> to make the records direction-less. Because of the direction-less nature
> you can use "dport" or "sport" as the merge key, but you have to be consistent,
> as you will need to pipe the output to ra() to select the ports
> you're interested in:
>
> racluster -M rmon -r argus.file -m proto dport -w - | \
> ra -L 0 -s stime dur proto dport spkts dpkts sbytes dbytes - dst port 80 or 443
>
> This is what ramon() was doing, and I can recreate the program as a shell script if
> it makes it easier.
>
>
> bandwidth usage flow by flow on 26th Feb from 19h to 20h,
> unnecessary columns have been cut to keep every record on a single line
> (still working on it)
> cd /archive/2008/02/26
> racluster -w - -M rmon -m saddr daddr -r argus.19.00.00.gz -w - - ip and dur gt 1 \
> | rasort -m sload -w - \
> | ra -N 15 -p 0 -s "-flgs -proto -dir -state +avgdur +sload +dload +trans"
>
>
>
>
> Stewart Gray wrote:
>>
>> awesome, that's more like what I was after :) Thanks for your help
>> again.
>>
>> As I mentioned earlier, I reckon it'd be neat to have some sort of
>> cheat
>> sheet for doing common tasks. I bet there's lots of stuff you know
>> that
>> others don't, having written the application yourself. I don't know
>> what
>> I don't know!
>>
>
> Regards,
> --
> Stephane.Peters at forem.be, Postmaster at forem.be
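As an added illustration (not from this list thread or the argus code), the Python below re-implements over constructed ra CSV lines what the quoted "racluster -m saddr | rasort -m sbytes" and "racluster -M rmon -m saddr | rasort -m bytes | ra -N" pipelines compute, so the effect of "-M rmon" folding both directions into the saddr field can be seen on data. The sample records (in the column layout of the ra3.conf.t output above), and the simplification that rmon credits each flow to its destination address with the src/dst counters swapped, are assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in the CSV layout that the ra3.conf.t settings above produce
# (RA_FIELD_DELIMITER=','); the first line is the column header row.
SAMPLE_CSV = """\
StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,SrcPkts,DstPkts,SrcBytes,DstBytes,State
06-06-27 11:20:28.911941, v ,icmp,142.58.201.99,,->,142.58.201.254,,1,0,102,0,ECO
06-06-27 11:20:29.000000, e ,tcp,10.1.2.5,41460,->,142.58.201.99,80,40,60,4000,90000,FIN
06-06-27 11:20:30.000000, e ,tcp,10.1.2.6,4100,->,142.58.201.99,443,10,12,1500,20000,FIN
06-06-27 11:20:31.000000, e ,udp,10.1.2.5,5353,->,10.1.2.255,5353,3,0,300,0,INT
"""
COUNTERS = ("SrcPkts", "DstPkts", "SrcBytes", "DstBytes")
METRICS = {"sbytes": "SrcBytes", "dbytes": "DstBytes", "spkts": "SrcPkts", "dpkts": "DstPkts"}

def parse_ra_csv(text):
    """Read ra CSV output into dicts; packet/byte counters become ints."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        rec = {k: v.strip() for k, v in row.items()}
        for c in COUNTERS:
            rec[c] = int(rec[c])
        records.append(rec)
    return records

def cluster_by_addr(records, rmon=False):
    """Per-address totals. rmon=False keys on SrcAddr only, like 'racluster -m saddr';
    rmon=True also credits each record to DstAddr with src/dst counters swapped ('-M rmon')."""
    totals = defaultdict(lambda: dict.fromkeys(COUNTERS, 0))
    for r in records:
        for c in COUNTERS:
            totals[r["SrcAddr"]][c] += r[c]
        if rmon:  # the flow seen from the destination address's point of view
            flipped = {"SrcPkts": r["DstPkts"], "DstPkts": r["SrcPkts"],
                       "SrcBytes": r["DstBytes"], "DstBytes": r["SrcBytes"]}
            for c in COUNTERS:
                totals[r["DstAddr"]][c] += flipped[c]
    return dict(totals)

def top_n(totals, metric="bytes", n=10):
    """'rasort -m <metric> -w - | ra -N n': rank addresses by metric, highest first."""
    def value(t):
        if metric in ("bytes", "pkts"):  # direction-less totals, as rasort -m bytes/pkts
            return t["Src" + metric.capitalize()] + t["Dst" + metric.capitalize()]
        return t[METRICS[metric]]
    ranked = sorted(((a, value(t)) for a, t in totals.items()), key=lambda x: (-x[1], x[0]))
    return ranked[:n]
```

With rmon=True the busy server 142.58.201.99 tops the list even though it sends almost nothing; keyed on saddr alone it is nearly invisible, which is the point of the "-M rmon" note above.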