Getting lots of stats from ra clients
Nick Diel
nick at engineerity.com
Wed Apr 22 11:05:00 EDT 2009
I was able to produce what I wanted using tee and bash process
substitution. Here is a snippet of what I used:
........
ra -r $1 -w - - $2 | tee \
    >(racount -r - > all) \
    >(racount -r - - $est > est) \
    >(ra -r - -w - - $rst | tee \
        >(racount -r - > rst) \
        >(ra -r - -w - - $est | tee \
            >(racount -r - - $est > estrst) \
            >(racount -r - - $srcrst > estrsrcrst) \
            >(racount -r - - $dstdrst > estdstrst) \
......
Some of my filters were subsets of other filters, so I nested them under
other instances of tee to improve efficiency. I had about ~20 instances of
racount running on 4 cores and it worked quite well.
Nick
On Tue, Apr 21, 2009 at 10:09 AM, Nick Diel <nick at engineerity.com> wrote:
> In a research project I am working on, I will be collecting a number of
> stats from 70gb+ of argus files. My traditional method would be to run
> racount a number of different times with different filters. With this data
> set it becomes quite tedious to run through the same set of flows each time
> to get different stats.
>
> I am interested in something similar to the bins a number of the ra tools
> use. The stats I am collecting currently do not fall under the predefined
> bins. For example, some of the stats I will be collecting are as follows:
> "number of flows with a reset on port 80", "number of flows with a reset
> sent by the source on port 80". In addition to not falling under the
> current predefined bins, they are not exclusive stats either (some flows may
> fall under multiple categories/bins).
>
> So based on what I outlined, does anyone know if I can leverage any of the
> existing ra tools to help me speed up the process of collecting the stats I
> am after?
>
> Thanks,
> Nick
>
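
The nested tee fan-out from the reply above, closed out so it runs end to end, as an added example that is not part of the original post. grep and awk stand in for the ra filters and racount, the flow records are constructed rather than argus output, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Constructed sample records: proto dport state rst_sender (not argus output).
sample_flows() {
  cat <<'EOF'
tcp 80 EST none
tcp 80 EST src
tcp 80 EST dst
tcp 80 REQ src
tcp 443 EST src
tcp 443 EST none
udp 53 INT none
tcp 80 EST src
EOF
}

# Stand-in for "racount -r - > NAME": emit one short "NAME count" line.
count() { awk -v name="$1" 'END { print name, NR }'; }

# One pass over the records, fanned out to six non-exclusive bins.
# Subset filters are nested under the tee of the filter they refine.
# Every branch writes to the pipeline's stdout, so the final sort only
# returns once all branches have exited and closed the pipe.
fanout_counts() {
  sample_flows | grep ' 80 ' | tee \
    >(count all) \
    >(grep ' EST ' | count est) \
    >(grep -v ' none$' | tee \
        >(count rst) \
        >(grep ' EST ' | tee \
            >(count estrst) \
            >(grep ' src$' | count estsrcrst) \
            >(grep ' dst$' | count estdstrst) \
            >/dev/null) \
        >/dev/null) \
    >/dev/null | LC_ALL=C sort
}

fanout_counts
```

bash does not wait for process substitutions when a pipeline ends, so branches that redirect to files, as in the snippet above, can still be writing when the command returns; collecting the results through the pipe avoids reading partial counts.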