counting unique connections

Carter Bullard carter at qosient.com
Fri Jan 23 11:21:02 EST 2009 

Hey Stewart,
Use racluster() to aggregate argus records into unique connections, and
then can use many programs to give you totals.  I would use another  
pass of
racluster() to give you the totals and other stats.


A working command would be:
    racluster -r argus-file.arg - host x.y.z.w  | wc -l

But this is a bit more interesting:
    racluster -r argus-file.arg -M norep -w - - host x.y.z.w | \
    racluster -M rmon -m saddr -w - |  \
    ra -s stime dur trans avgdur saddr spkts dpkts sbytes dbytes  
state  - src host x.y.z.w


This will aggregate the primitive data into single transaction data on  
the
first call to racluster, and then the second call will aggregate the  
records
so that the IP address is the unique identifier.  The last call to  
ra(), selects
only the record that accounts for x.y.z.w (there will be records for  
all the IPs
that x.y.z.w was talking to in this data set as well) and prints  
fields of
interest.  I selected "dur trans avgdur" to give the total duration of  
activity,
the number of transactions, and the avgdur of all of those transactions.
You can select services of interest by setting an input filter on the  
second
call to racluster().

Hope this is helpful!!!!


Carter

On Jan 21, 2009, at 8:05 PM, Stewart Gray wrote:

> Hey guys,
>
> Is anyone able to tell me how to count unique connections to a  
> particular host? I’m not interested in packet counts, or  
> throughput..just the number of connections that have been made to a  
> host.
>
> I figure this will get the job done, but it doesn’t seem very clean:
>
> ra -r argus-file.arg – host x.x.x.x -Z both | wc –l
>
> Is there a nicer way?
>
> Thanks,
>
> Stewart
> #####################################################################################
> Important: This electronic message and attachments (if any) are  
> confidential and may be legally privileged. If you are not the  
> intended recipient do not copy, disclose or use the contents in any  
> way. Please let us know by return e-mail immediately and then  
> destroy this message.
> #####################################################################################

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090123/84cea785/attachment.html>

More information about the argus mailing list