Byte count over time period

Carter Bullard carter at qosient.com
Tue Mar 31 10:44:13 EDT 2009


Hey David,
Total byte count for every 5 m period?  Very easy and the tool of choice is rabins().
Let's assume that you have a single probe, and all the data is in a file:

    rabins -M hard time 5m -m srcid -r file -s stime srcid bytes

So, the options:
    '-M hard'        force the start and end times to be time aligned.
    '-M time 5m'     use 5 minute bins
    '-m srcid'       aggregate data based on the probe id
    '-r file'        read from file
    '-s stime bytes' print out these fields

This will print out 5 minute time periods where there was activity.  This will go pretty
fast, as rabins() will only track one flow per time period, because you're aggregating
on the single 'srcid' object ( -m srcid ).

Of course you don't have to print the 'srcid' field.  I did that just as an example.

And, the format of the time field is specified in your .rarc file, so get one if you don't have
one from ~/support/Config/rarc.

If you wanted 1 day time periods:

      rabins -M hard time 1d -m srcid -r file -s stime bytes


If you want zeros when there is no activity, add the "-M zero" option.

     rabins -M zero hard time 5m -m srcid -r file -s stime bytes


Need comma separated?  Add the "-c ," option

     rabins -M zero hard time 5m -m srcid -r file -s stime trans pkts bytes -c ,

Now, if you want something other than total bytes, or total packets, or total
number of flows, or .....   Say you wanted the incoming bytes and outgoing
bytes, you will need to add the "-M rmon" option.

    rabins -M zero rmon hard time 1d -m smac -r file -s stime smac sbytes dbytes -c ,

The big difference here is the "-m smac" option.  When you use the 'rmon'
option you need to aggregate on a directional object, so that you can "fix"
or assign the direction to the data.  When you are looking for

If you have more data than can be consumed in a single run?  If the data is
somewhat sorted (data straight from argus probes is mostly sorted)
use the "-B seconds" so that rabins() will hold a fixed set of bins.  As
the data comes in that exceeds the bins, rabins() will start writing data
out.  At least that is the design, and it works very well for me.

Carter

On Mar 31, 2009, at 9:40 AM, David wrote:

> Firstly thanks for the excellent features in the newer builds of  
> argus, I've just compiled them and things like the regex matching  
> look to be really useful.
>
> I have a large amount of argus data and I'm trying to accomplish a  
> relatively simple task.  I'd like to get a byte count split across a  
> time boundary (e.g. 5 minutes/1 day/whatever).  Some form of output  
> like:
>
> 20090301 1024    (1kb on this day)
> 20090302 32768   (32kb on this day)
> 20090303 ..
>
> Or:
>
> 20090301 00:00:00 1024 (1kb in these 5 minutes)
> 20090301 00:05:00 10240 (10kb for this 5 minute period)
>
> Basically I'll be feeding it to some sort of graph, so any CSV like  
> format would be great.  No idea yet whether it will be Excel or  
> something slightly more scripted, but I'd like the data rather than  
> relying on ragraph.
>
> Thanks,
>
> David
>
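A small model of what the "-M hard time 5m", "-M zero" and "-c ," options above compute, written as an added example for this page rather than argus or rabins code: hard-aligned bins versus bins anchored at the first record, records that straddle a bin boundary split in proportion to the time they overlap each bin (an illustrative assumption about how bin splitting should distribute bytes, not a statement about rabins internals), empty bins zero-filled, and CSV rows out. The flow records and the stime format are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample flows (stime, ltime, bytes) in epoch seconds; not argus output.
# Base is 2009-03-01 00:00:00 UTC. Flow B straddles the 00:05:00 boundary and
# the 00:10-00:15 bin has no traffic at all.
T0 = 1235865600
FLOWS = [
    (T0 + 60,  T0 + 120, 1024),   # A: 00:01-00:02, entirely in the first 5m bin
    (T0 + 240, T0 + 360, 1200),   # B: 00:04-00:06, half in bin 0, half in bin 1
    (T0 + 900, T0 + 960, 4096),   # C: 00:15-00:16, bin 3
]


def bin_bytes(flows, bin_secs, hard=True, zero=True):
    """Return [(bin_start, bytes), ...] aggregated into fixed-size time bins.

    hard=True aligns bin starts to multiples of bin_secs (like "-M hard");
    hard=False starts the first bin at the first record's stime.
    zero=True emits bins with no activity as 0 (like "-M zero").
    A record spanning several bins contributes bytes in proportion to the
    time it overlaps each bin (assumption of this model, not rabins' code).
    """
    if not flows:
        return []
    first = min(stime for stime, _, _ in flows)
    origin = (first // bin_secs) * bin_secs if hard else first
    totals = {}
    for stime, ltime, nbytes in flows:
        idx = (stime - origin) // bin_secs
        if ltime <= stime:                     # zero-duration record: one bin
            totals[idx] = totals.get(idx, 0) + nbytes
            continue
        dur = ltime - stime
        while True:
            bstart = origin + idx * bin_secs
            bend = bstart + bin_secs
            overlap = min(ltime, bend) - max(stime, bstart)
            totals[idx] = totals.get(idx, 0) + nbytes * overlap / dur
            if ltime <= bend:
                break
            idx += 1
    return [(origin + i * bin_secs, round(totals.get(i, 0)))
            for i in range(max(totals) + 1) if zero or i in totals]


def to_csv(rows):
    """Render bins as 'stime,bytes' lines (the "-c ," style); the stime format
    is fixed here, whereas rabins takes it from your .rarc."""
    return "\n".join(
        f"{datetime.fromtimestamp(t, timezone.utc).strftime('%Y/%m/%d.%H:%M:%S')},{b}"
        for t, b in rows)


if __name__ == "__main__":
    print(to_csv(bin_bytes(FLOWS, 300)))
```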