counting unique connections

Carter Bullard carter at qosient.com
Fri Jan 23 12:42:05 EST 2009


Hey Nick,
Yes, you need to discard the aggregation data record that the first racluster()
generates, as it will have statistics that relate to the number of argus records
that were clustered together.  The aggregation data record holds the total
number of records aggregated, and the max, min, average and std deviation of
whatever metric you are interested in (the default is duration).

To discard the "agr" data storage record (dsr), you can either strip the "agr"
dsr from the first racluster()'s output using rastrip(), or you can tell
racluster to "not report" the aggregations (-M norep).  The name is really
lame, but that is what it is right now.

Sorry about that!!!!

Carter

On Jan 23, 2009, at 11:24 AM, Nick Diel wrote:

> Shouldn't a rastrip be used to reset the trans record after the first call to
> racluster?  That way the trans record only represents the number of unique
> connections.
>
> Nick
>
> On Fri, Jan 23, 2009 at 9:21 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey Stewart,
> Use racluster() to aggregate argus records into unique connections, and then
> you can use many programs to give you totals.  I would use another pass of
> racluster() to give you the totals and other stats.
>
>
> A working command would be:
>    racluster -r argus-file.arg - host x.y.z.w  | wc -l
>
> But this is a bit more interesting:
>    racluster -r argus-file.arg -M norep -w - - host x.y.z.w | \
>    racluster -M rmon -m saddr -w - | \
>    ra -s stime dur trans avgdur saddr spkts dpkts sbytes dbytes state - src host x.y.z.w
>
>
> This will aggregate the primitive data into single transaction data on the
> first call to racluster, and then the second call will aggregate the records
> so that the IP address is the unique identifier.  The last call to ra() selects
> only the record that accounts for x.y.z.w (there will be records for all the IPs
> that x.y.z.w was talking to in this data set as well) and prints fields of
> interest.  I selected "dur trans avgdur" to give the total duration of activity,
> the number of transactions, and the avgdur of all of those transactions.
> You can select services of interest by setting an input filter on the second
> call to racluster().
>
> Hope this is helpful!!!!
>
>
> Carter
>
> On Jan 21, 2009, at 8:05 PM, Stewart Gray wrote:
>
>> Hey guys,
>>
>> Is anyone able to tell me how to count unique connections to a particular
>> host? I'm not interested in packet counts or throughput, just the number of
>> connections that have been made to a host.
>>
>> I figure this will get the job done, but it doesn't seem very clean:
>>
>> ra -r argus-file.arg - host x.x.x.x -Z both | wc -l
>>
>> Is there a nicer way?
>>
>> Thanks,
>>
>> Stewart
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York  10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
>

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
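The two-pass idea from this thread, as an added shell example that is not from any of the posts above: it runs awk over a constructed CSV modelled on what comma-delimited ra output would look like (the column names are ra's field names, the values are made up, and the argus tools themselves are never invoked; the `ra -c ,` layout is an assumption here). Pass 1 collapses records to unique 5-tuple connections the way the first racluster() does, pass 2 counts them per source address the way `racluster -M rmon -m saddr` does. It also shows why the first pass's aggregation statistics must be discarded: summing the per-record Trans counts, or counting raw records as `ra ... | wc -l` does, gives the number of argus records clustered, not the number of connections.

```shell
#!/bin/sh
# Added example: two-pass unique-connection counting done with awk over
# ra-style CSV.  The argus tools are NOT run here; the data below is
# constructed to look like `ra -c , -s stime saddr sport daddr dport proto trans`
# output (assumption about the layout), one line per argus record.
sample_records() {
    cat <<'EOF'
StartTime,SrcAddr,Sport,DstAddr,Dport,Proto,Trans
1232700000.1,10.0.0.5,40001,192.168.1.10,80,tcp,4
1232700010.3,10.0.0.5,40002,192.168.1.10,80,tcp,2
1232700020.5,10.0.0.7,51000,192.168.1.10,443,tcp,9
1232700030.7,10.0.0.5,40001,192.168.1.10,80,tcp,1
1232700040.9,192.168.1.10,80,10.0.0.9,33333,tcp,3
EOF
}

# Pass 1 (what racluster does by default): collapse records that share the
# 5-tuple saddr,sport,daddr,dport,proto into one connection.  The per-record
# Trans counts are deliberately dropped here, which is the effect of
# rastrip / `racluster -M norep` described in the thread.
unique_connections() {
    awk -F, 'NR > 1 { print $2 "," $3 "," $4 "," $5 "," $6 }' | sort -u
}

# Pass 2 (`racluster -M rmon -m saddr` over the output of pass 1): count
# connections to host $1 grouped by source address.  Output lines: saddr,count
connections_per_source_to() {
    unique_connections |
        awk -F, -v h="$1" '$3 == h { c[$1]++ } END { for (s in c) print s "," c[s] }' |
        sort
}

# Total unique connections to host $1 (the number Stewart was after).
count_connections_to() {
    unique_connections | awk -F, -v h="$1" '$3 == h { n++ } END { print n + 0 }'
}

# What `ra - dst host X | wc -l` measures: argus records, not connections.
count_records_to() {
    awk -F, -v h="$1" 'NR > 1 && $4 == h { n++ } END { print n + 0 }'
}

# What you get if the first pass's aggregation counts leak into the second
# pass and are summed there: records clustered, not connections.
sum_trans_to() {
    awk -F, -v h="$1" 'NR > 1 && $4 == h { t += $7 } END { print t + 0 }'
}

# Demo when run directly.
echo "records to 192.168.1.10:            $(sample_records | count_records_to 192.168.1.10)"
echo "unique connections to 192.168.1.10: $(sample_records | count_connections_to 192.168.1.10)"
echo "sum of trans to 192.168.1.10:       $(sample_records | sum_trans_to 192.168.1.10)"
sample_records | connections_per_source_to 192.168.1.10
```

Each function reads the records on stdin, so any of them can be dropped behind a real `ra -c , -s ...` pipeline in place of `sample_records`; the only thing the awk key in pass 1 has to match is the column order you give ra with `-s`.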


