simple question
Alexander Bochmann
ab at lists.gxis.de
Tue May 5 11:00:42 EDT 2009
Hi,
...on Thu, Apr 30, 2009 at 11:25:47PM -0400, Carter Bullard wrote:
> I would suggest that you do this instead:
>
> rabins -M rmon -r 27.gz -M hard time 1h -m srcid smac -w - | \
> ra -s stime srcid smac sbytes:20 dbytes:20 bytes:20 sload:20 \
> dload:20 load:20 - ether src host 00:15:60:0C:B5:6A
>
> The main difference is that we have added "smac" to the aggregation.
> We need the second ra(), so we can select the record where the mac
> address is the source, which is the single record where the metrics
> represent the input and output values for the interface.
I've been asking myself a similar question recently, coming
to the conclusion that I don't really understand how to make
argus work for me ;) ... CS Lee tried to help me
on the IRC channel a couple of days ago, but I'm still quite
lost...
I, too, want to generate a simple graph representing "input"
and "output" traffic on an interface. My probe is on a mirror
port that monitors the inside interface of the gateway router.
So I want to see packets / bytes "leaving" my local network
in one direction on the y axis of my graph and those "coming
in" on the other side.
I'm rather certain the ragraph call I've been using is wrong
with that goal in mind because it's just:
ragraph sbytes dbytes -m smac proto dport -M 1m -w if.png -r argus/2009/04/25/*
With just that, ra cannot know what is "local" to my
network, so sbytes and dbytes are most probably not the same
as "in" and "out".
I assume that I should be doing something with racluster,
but my brain is broken and/or I just can't get some of the
basic concepts.
Alex.
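
Added example, not part of the original message or of the argus project: a sketch of the in/out mapping the message asks about. sbytes and dbytes are counted per flow source and destination, so the script assigns them to "in" and "out" by checking which endpoint lies inside a local prefix. The comma-separated record layout (stime, saddr, daddr, sbytes, dbytes), the prefix 192.168.1.0/24 and the sample rows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not real traffic).
# Assumed layout: stime (epoch seconds), saddr, daddr, sbytes, dbytes
SAMPLE = """\
1240617600,192.168.1.10,198.51.100.7,1200,48000
1240617615,203.0.113.9,192.168.1.20,900,300
1240617650,192.168.1.10,192.168.1.20,500,500
1240617670,198.51.100.7,203.0.113.9,100,100
1240617700,192.168.1.30,198.51.100.7,70000,2000
"""


def in_out_per_bin(lines, local_net, bin_seconds=60):
    """Sum bytes entering and leaving local_net per time bin.

    sbytes is what the flow source sent and dbytes what the destination
    sent, so which counter means "out" depends on which endpoint is local.
    """
    net = ipaddress.ip_network(local_net)
    bins = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        stime, saddr, daddr, sbytes, dbytes = line.split(",")
        src_local = ipaddress.ip_address(saddr) in net
        dst_local = ipaddress.ip_address(daddr) in net
        if src_local == dst_local:
            # Both ends local or both external: nothing crosses the boundary.
            continue
        start = int(float(stime)) // bin_seconds * bin_seconds
        if src_local:
            # Local host is the flow source: its bytes leave, replies enter.
            bins[start]["out"] += int(sbytes)
            bins[start]["in"] += int(dbytes)
        else:
            # External host is the flow source: its bytes enter, replies leave.
            bins[start]["in"] += int(sbytes)
            bins[start]["out"] += int(dbytes)
    return dict(sorted(bins.items()))


if __name__ == "__main__":
    for start, totals in in_out_per_bin(SAMPLE.splitlines(), "192.168.1.0/24").items():
        print(start, totals["in"], totals["out"])
```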