counting unique connections

Nick Diel nick at engineerity.com
Fri Jan 23 11:24:53 EST 2009


Shouldn't an rastrip be used to reset the trans record after the first call
to racluster?  That way the trans record only represents the number of
unique connections.

Nick

On Fri, Jan 23, 2009 at 9:21 AM, Carter Bullard <carter at qosient.com> wrote:

> Hey Stewart,
> Use racluster() to aggregate argus records into unique connections, and
> then you can use many programs to give you totals.  I would use another pass of
> racluster() to give you the totals and other stats.
>
>
> A working command would be:
>    racluster -r argus-file.arg - host x.y.z.w  | wc -l
>
> But this is a bit more interesting:
>    racluster -r argus-file.arg -M norep -w - - host x.y.z.w | \
>    racluster -M rmon -m saddr -w - |  \
>    ra -s stime dur trans avgdur saddr spkts dpkts sbytes dbytes state - src host x.y.z.w
>
>
> This will aggregate the primitive data into single transaction data on the
> first call to racluster, and then the second call will aggregate the records
> so that the IP address is the unique identifier.  The last call to ra() selects
> only the record that accounts for x.y.z.w (there will be records for all the IPs
> that x.y.z.w was talking to in this data set as well) and prints fields of
> interest.  I selected "dur trans avgdur" to give the total duration of activity,
> the number of transactions, and the avgdur of all of those transactions.
> You can select services of interest by setting an input filter on the second
> call to racluster().
>
> Hope this is helpful!!!!
>
>
> Carter
>
> On Jan 21, 2009, at 8:05 PM, Stewart Gray wrote:
>
> Hey guys,
>
> Is anyone able to tell me how to count unique connections to a particular
> host? I'm not interested in packet counts, or throughput..just the number of
> connections that have been made to a host.
>
> I figure this will get the job done, but it doesn't seem very clean:
>
> ra -r argus-file.arg - host x.x.x.x -Z both | wc -l
>
> Is there a nicer way?
>
> Thanks,
>
> Stewart
>
>
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York  10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
>
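
A small Python model of the question raised in this thread, added here as an example and not taken from the argus tools or from either poster. It assumes each record starts with trans = 1 and that aggregation sums trans, so the per-host total equals the number of unique connections only if trans is reset after the first pass; the records and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: argus-style status records (one flow can emit several).
# Fields: saddr, sport, daddr, dport, proto. Assumption: each record has trans = 1.
RECORDS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, "tcp"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "tcp"),   # same flow, later status record
    ("10.0.0.5", 40001, "192.0.2.10", 80, "tcp"),
    ("10.0.0.6", 40002, "192.0.2.10", 443, "tcp"),
    ("10.0.0.7", 53000, "192.0.2.10", 53, "udp"),
    ("10.0.0.7", 53000, "192.0.2.10", 53, "udp"),
    ("10.0.0.8", 40100, "198.51.100.9", 22, "tcp"),  # does not involve the host
]

def cluster_flows(records, host):
    """Pass 1: merge records of the same flow that involve `host`; trans is summed."""
    flows = defaultdict(int)
    for saddr, sport, daddr, dport, proto in records:
        if host in (saddr, daddr):
            flows[(saddr, sport, daddr, dport, proto)] += 1
    return dict(flows)

def strip_trans(flows):
    """Reset step suggested in the reply: each merged flow counts as one."""
    return {key: 1 for key in flows}

def cluster_by_host(flows, host):
    """Pass 2: aggregate per address (both endpoints) and return the host's trans."""
    per_addr = defaultdict(int)
    for (saddr, _sport, daddr, _dport, _proto), trans in flows.items():
        per_addr[saddr] += trans
        per_addr[daddr] += trans
    return per_addr[host]

def count_connections(records, host, reset=True):
    """Two-pass count; with reset=False the result is the raw record count."""
    flows = cluster_flows(records, host)
    return cluster_by_host(strip_trans(flows) if reset else flows, host)

if __name__ == "__main__":
    host = "192.0.2.10"
    print("trans without reset:", count_connections(RECORDS, host, reset=False))
    print("trans with reset:   ", count_connections(RECORDS, host, reset=True))
```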