graph of bytes against protocols for network loop detection?

Carter Bullard carter at qosient.com
Mon Mar 24 08:57:12 EDT 2008


Hey Marten,
Sorry for the late reply, didn't see that you had asked a question.

Step 2 is pretty important, depending on the nature of the input data.
If the data is sorted on "stime", you could do the racluster without the
split, but you end up having to do the same steps in the plotting.

You can do the racluster with a "-R ." or "-r *" like command, with
the "-M replace" option, which will make racluster work on each
file independently, and have it replace the original data file with
the clustered output.  This may make your step 3 a lot easier!!!

Does that help?

Carter


On Mar 3, 2008, at 7:52 AM, Marten Bauer wrote:

> Hello Carter,
>
> thanks for your help and the gnuplot script.
> Last week I tried to code a plot with
> python/matplot and did the following.
>
> 1. Copy argus.logs from Server to my workstation
> 2. Split the logfiles on an hourly basis (to isolate the moment when the
> network loop appears etc.)
>   The result is hundreds of files
> 3. racluster the hundreds of files to get a distribution of bytes against
> protocols:
>  "racluster -m proto -r %s -s proto sbytes dbytes spkts dpkts load > %s"%(inputfile,outputfile)
> 4. read the files and create a data structure
> 5. Plot this data into various plots
>
> It's working fine with 2d plots and today I will try to make a 3d plot.
>
> Is it possible to do step 2. and 3. in an easier way to get the same result?
>
>
> Thx for helping
>
>
> Carter Bullard wrote:
>> Hey Marten,
>> Here is a simple gnuplot plot file that will generate a graph
>> of "Total Bytes By Protocol" using argus data.   This graphs src and
>> dst bytes per protocol separately, if you want just total bytes,
>> then the change is really simple.
>>
>> There are a few things that you will want to modify, like adding
>> a date string to the title, etc, but this should be a good start for you.
>>
>> So assuming your gnuplot is installed in /opt/local/bin/gnuplot
>> (change the first line if this needs to be changed), put the included
>> script in the file "barchart.bytesxproto.plt" and then:
>>
>>   % chmod 755 barchart.bytesxproto.plt
>>   % racluster -m proto -r argus.out -s proto spkts dpkts sbytes dbytes > racluster.dat
>>   % ./barchart.bytesxproto.plt
>>
>> And you'll get a window that pops up with a graph in it.
>>
>> If you want to discuss how to get other graphs out of argus data,
>> just send email to the list and we'll talk about it.
>>
>> Carter
>>
>> ------ begin barchart.bytesxproto.plt ------
>> #!/opt/local/bin/gnuplot -persist
>> #
>> #       G N U P L O T
>> #       Version 4.2 patchlevel 2
>> #       last modified 31 Aug 2007
>> #       System: Darwin 9.2.0
>> #
>> #       Copyright (C) 1986 - 1993, 1998, 2004, 2007
>> #       Thomas Williams, Colin Kelley and many others
>> #
>> #       Type `help` to access the on-line reference manual.
>> #       The gnuplot FAQ is available from http://www.gnuplot.info/faq/
>> #
>> #       Send bug reports and suggestions to <http://sourceforge.net/projects/gnuplot>
>> #
>> #
>> reset
>> #
>> # Create simple barchart of Total Bytes by Protocol
>> # The racluster.dat file was generated using:
>> #
>> #     racluster -m proto -r argus.out -s proto spkts dpkts sbytes dbytes
>> #
>> # And is of the format:
>> #
>> # Proto  SrcPkts  DstPkts     SrcBytes     DstBytes
>> #   pim    53267    18086     48793554      1085160
>> #  ospf     1764        0       213220            0
>> #  [more]
>> #
>> set termoption font "Verdana, 12"
>> set size square 0.90,0.90
>> set bmargin 4
>> set title "Total Bytes By Protocol" font "Verdana,22"
>> set style data histogram
>> set style histogram cluster gap 1
>> set style fill solid border -1
>> set tics font "Verdana,14"
>> set boxwidth 0.80
>> set grid
>> set ylabel "Log Total Bytes" font "Verdana,18"
>> set logscale y 10
>> set auto y
>> set label 1 "Generated by Argus using Gnuplot"
>> set label 1 at graph 1.02, 0.62 rotate by 90 font "Verdana,9"
>> #
>> set key autotitle columnhead
>> plot 'racluster.dat' using 4:xticlabels(1) ti col, \
>>     ''              using 5 ti col
>> #
>>
>>
>> ------ end barchart.bytesxproto.plt ------
>>
>>
>> On Feb 27, 2008, at 1:52 AM, Marten Bauer wrote:
>>
>>> Hello,
>>>
>>> for detecting network loops I need a graph which
>>> prints the protocol on the x axis and the amount of
>>> bytes on the y axis.
>>>
>>> I tried to achieve this with ragraph, but I never got
>>> what I want.
>>>
>>> Is it possible with ragraph or another ra* tool to
>>> generate such plot?
>>>
>>> Thx for helping
>>> Marten
>>>
>>
>
>
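
Added example, not part of the original thread and not code from either poster: one way to do step 4 (read the per-hour racluster files into a data structure) in Python, using the column layout shown in the gnuplot script's comments, and then rank hours by byte volume per protocol. The hour labels, the byte counts and the "10x the protocol's own median" spike rule are constructed assumptions.

```python
from statistics import median

# Constructed sample: hour label -> racluster text (column layout from the gnuplot comments).
SAMPLE = {
    "hour-09": """ Proto  SrcPkts  DstPkts     SrcBytes     DstBytes
   tcp    41200    39800     30211540     28400112
   udp     9100     8700      1120400       998200
  ospf     1764        0       213220            0
""",
    "hour-10": """ Proto  SrcPkts  DstPkts     SrcBytes     DstBytes
   tcp    40100    38900     29000000     27000000
   udp     9300     8800      1200000      1000000
  ospf     1760        0       213000            0
""",
    "hour-11": """ Proto  SrcPkts  DstPkts     SrcBytes     DstBytes
   tcp    42000    40100     31000000     29000000
   udp   910000     3100     95000000       400000
  ospf     1755        0       212000            0
""",
}

def parse_racluster(text):
    """Return {proto: SrcBytes + DstBytes} for one table, located via its header row."""
    rows = [l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if not rows:
        return {}  # empty hourly file
    col = {name: i for i, name in enumerate(rows[0])}
    return {r[col["Proto"]]: int(r[col["SrcBytes"]]) + int(r[col["DstBytes"]])
            for r in rows[1:] if len(r) == len(rows[0])}  # skip truncated rows

def bytes_by_hour(tables):
    """Build {proto: {hour: total_bytes}} from {hour: racluster_text}."""
    series = {}
    for hour, text in sorted(tables.items()):
        for proto, total in parse_racluster(text).items():
            series.setdefault(proto, {})[hour] = total
    return series

def spikes(series, factor=10):
    """Assumed heuristic: flag hours where a protocol exceeds factor x its own median."""
    hits = []
    for proto, per_hour in series.items():
        base = median(per_hour.values())
        hits += [(hour, proto, total, base) for hour, total in per_hour.items()
                 if base > 0 and total > factor * base]
    return sorted(hits)

if __name__ == "__main__":
    for hour, proto, total, base in spikes(bytes_by_hour(SAMPLE)):
        print(f"{hour}: {proto} {total} bytes (median {base})")
```

The dictionary returned by bytes_by_hour() can be handed directly to a plotting library, one series per protocol.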



