Getting total traffic counts for a specific host

Carter Bullard carter at qosient.com
Tue Sep 2 09:49:23 EDT 2008


Hey David,
Sorry for the delayed response, just got back from vacation.

I would use rabins() to generate 6 hour bins of the data for your specific
machine.  Because you want metrics that apply to a single object, you'll
need to use the "rmon" option, to convert bi-directional flow data (which
involves two objects; the source and the destination) into RMON style
data, that involves only one object.  And you will only want to process
just the data that matches your host's IP address or ethernet address,
depending on what you want to count.

This should do it for IP traffic:

    1.  rabins -M rmon -m saddr -M time 6h -R /path/to/data/2008/month \
               -w /tmp/argus.host.out - ip and host x.y.z.w


       A little explanation.  rabins(), with these options, will process all the
       data in a given month that involved ip host x.y.z.w.  The "-M rmon" option
       will condition the flow records so that aggregating the data based on just
       one of the IP addresses ("-m saddr") in the flow record, generates useful
       data.  And the scope of the aggregation will be 6 hour bins ("-M time 6h").

       We write the output of rabins() into a temporary file "-w /tmp/argus.host.out",
       and we filter the input so that we only process data for the IP address of
       interest "- ip and host x.y.z.w".

    2.  ra -r /tmp/argus.host.out - host x.y.z.w

       Now, rabins() will provide you with the data you want, not only for the IP
       address x.y.z.w, but also every IP address that x.y.z.w talked to.

       To pick just your host's stats, for each 6 hour bin, you will need to use
       ra() to filter for the data that applies just to your machine.


Using this technique, you will get stats reported on 6 hour intervals, when
your host was active.  If there is no activity, rabins() will not generate data.

Now there are other ways of doing this, that would be a bit more generic,
but try this, and if it works for you great!!!  Keep sending email if you want
to do something a bit more complicated.

Carter


On Aug 28, 2008, at 7:23 AM, David wrote:

> Firstly thanks for all the previous help.  I have now imported all  
> my data again and split it up by day, which is much more manageable.
>
> I am trying to solve the following problem but can't think where to  
> begin.  I want to pick out one host from my argus files and work out  
> the total traffic to/from it over a few months.  Calculating this in  
> 6 hour blocks would be a good starting point.
>
> If I can get an approximation as if I had sampled the interface  
> statistics every 6 hours over a few months (for src pkts, src bytes,  
> dst pkts & dst bytes), that would be excellent.
>
> I'm not sure how to aggregate over a 6 hour period (though I think  
> rabins should help) nor how to ensure that src and dst always refer  
> to the same 'direction' to or from the machine.
>
> Does this make sense?
>
> Regards,
>
> David
>
>
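The following is an added illustration of the two ideas in Carter's reply, written as a small
Python model rather than taken from the argus source or from the thread: what "-M rmon" with
"-m saddr" does to a bi-directional record (one record per endpoint, with the src/dst
counters re-oriented so that "src" always means "sent by that host"), and what "-M time 6h"
plus the "- host x.y.z.w" filter then yields.  The Flow record layout, the host address
10.0.0.5 (standing in for x.y.z.w), the sample records and the assumption that a record
straddling a bin boundary is split in proportion to the time it spends in each bin are all
constructed for this example; they approximate, and do not reproduce, argus' own behaviour.

```python
from collections import defaultdict
from dataclasses import dataclass

BIN_SECONDS = 6 * 3600          # the "-M time 6h" bin width, in seconds


@dataclass(frozen=True)
class Flow:
    """A simplified bi-directional flow record (constructed, not argus' format).
    spkts/sbytes are what saddr sent, dpkts/dbytes what daddr sent back."""
    start: float
    end: float
    saddr: str
    daddr: str
    spkts: int
    sbytes: int
    dpkts: int
    dbytes: int


def rmon_records(flow):
    """Emulate what '-M rmon' with '-m saddr' does to one flow record (assumed
    semantics): emit one record per endpoint, with that endpoint as the object
    and the src/dst counters re-oriented to its point of view, so "src" always
    means "sent by this host" and "dst" always means "received by this host"."""
    yield (flow.saddr, flow.spkts, flow.sbytes, flow.dpkts, flow.dbytes)
    yield (flow.daddr, flow.dpkts, flow.dbytes, flow.spkts, flow.sbytes)


def bin_host(flows, host, bin_seconds=BIN_SECONDS):
    """Return {bin_start: (spkts, sbytes, dpkts, dbytes)} for `host` only,
    one entry per bin in which the host was active (empty bins are absent,
    as with rabins).  A record that straddles a bin boundary has its counts
    split in proportion to the time it spent in each bin (assumed to
    approximate rabins' behaviour; counts are rounded back to integers)."""
    bins = defaultdict(lambda: [0.0, 0.0, 0.0, 0.0])
    for flow in flows:
        for addr, *counts in rmon_records(flow):
            if addr != host:                      # the "- host x.y.z.w" filter
                continue
            duration = flow.end - flow.start
            b = int(flow.start // bin_seconds) * bin_seconds
            if duration <= 0:                     # zero-length record: whole thing in one bin
                for i, v in enumerate(counts):
                    bins[b][i] += v
                continue
            while b < flow.end:
                overlap = min(flow.end, b + bin_seconds) - max(flow.start, b)
                for i, v in enumerate(counts):
                    bins[b][i] += v * overlap / duration
                b += bin_seconds
    return {b: tuple(round(v) for v in vals) for b, vals in sorted(bins.items())}


def totals(binned):
    """Sum the per-bin tuples into one (spkts, sbytes, dpkts, dbytes) total."""
    return tuple(sum(col) for col in zip(*binned.values())) if binned else (0, 0, 0, 0)


HOST = "10.0.0.5"    # stands in for x.y.z.w

# Constructed sample records; times are seconds from an arbitrary epoch.
SAMPLE_FLOWS = [
    Flow(0, 100, HOST, "192.0.2.1", 10, 1000, 20, 30000),        # host initiated
    Flow(1000, 1100, "192.0.2.2", HOST, 4, 400, 6, 600),         # peer initiated
    Flow(21550, 21650, HOST, "192.0.2.3", 8, 800, 2, 200),       # straddles bin 0/1 boundary
    Flow(5, 10, "192.0.2.1", "192.0.2.2", 3, 300, 3, 300),       # not our host: dropped
    Flow(50000, 50000, "192.0.2.9", HOST, 1, 60, 0, 0),          # zero-length, host receives
]

if __name__ == "__main__":
    for b, (sp, sb, dp, db) in bin_host(SAMPLE_FLOWS, HOST).items():
        print(f"bin {b:>6}: sent {sp} pkts/{sb} bytes, received {dp} pkts/{db} bytes")
    print("total:", totals(bin_host(SAMPLE_FLOWS, HOST)))
```

The point David raised about direction is handled entirely in rmon_records(): because the
counters are swapped for the daddr copy, bin_host() can add the "src" column across every
record without caring who opened the connection.  Note that the peer-to-peer record is
dropped and that only bins with activity appear, which matches Carter's remark that rabins()
emits nothing for idle intervals.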



