Getting the data I want

Wed Aug 18 21:14:31 EDT 2010

Hey Paul,
In order to get totals per host for the entire day, you will need to aggregate the data using the tool racluster().

There are two ways to do host totals, one preserves the notion of source and destination, the other does not.

To keep the notion of direction:

   racluster -R dir -m saddr daddr -w - - net and net | rasort -m bytes saddr daddr -s stime bytes saddr daddr 

To ignore direction, you use the matrix option to racluster():

   racluster -R dir -m matrix -w - - net and net | rasort -m bytes saddr daddr -s stime bytes saddr daddr 

Give both a try and if you have problems, send email.
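An added illustration, not part of either message and not argus code: the awk pipelines below mimic on a handful of constructed flow records what the two racluster invocations above do, so you can see the difference between keeping direction ("-m saddr daddr") and ignoring it ("-m matrix"). The sample records, the column order (stime bytes saddr daddr) and the RFC 5737 documentation addresses are all made up for this example; the only real argus behaviour assumed is that racluster sums bytes per key and rasort orders the result.

```shell
#!/bin/sh
# Constructed sample "flows" in the column order the question asks for:
# stime bytes saddr daddr. Not real argus output; addresses are RFC 5737
# documentation ranges chosen for illustration.
SAMPLE_FLOWS='
01:00:00 100 192.0.2.10 198.51.100.5
01:05:00 250 192.0.2.10 198.51.100.5
01:10:00 300 198.51.100.5 192.0.2.10
01:20:00 50 192.0.2.11 203.0.113.7
02:00:00 400 203.0.113.7 192.0.2.11
'

# Shared sort step, standing in for
#   rasort -m bytes saddr daddr -s stime bytes saddr daddr
# bytes descending, then saddr, then daddr.
sort_by_bytes() {
    sort -k2,2nr -k3,3 -k4,4
}

# Direction-preserving totals, standing in for "racluster -m saddr daddr":
# A->B and B->A are separate keys. Prints the earliest stime, total bytes,
# saddr and daddr for each key.
totals_directed() {
    printf '%s\n' "$SAMPLE_FLOWS" | awk 'NF == 4 {
        key = $3 " " $4
        if (!(key in first) || $1 < first[key]) first[key] = $1
        bytes[key] += $2
    }
    END { for (k in bytes) print first[k], bytes[k], k }' | sort_by_bytes
}

# Direction-agnostic totals, standing in for "racluster -m matrix":
# the address pair is canonicalised (lower string first) so A->B and B->A
# land in the same bucket and their bytes are summed together.
totals_matrix() {
    printf '%s\n' "$SAMPLE_FLOWS" | awk 'NF == 4 {
        if ($3 < $4) key = $3 " " $4; else key = $4 " " $3
        if (!(key in first) || $1 < first[key]) first[key] = $1
        bytes[key] += $2
    }
    END { for (k in bytes) print first[k], bytes[k], k }' | sort_by_bytes
}

echo "== direction preserved =="
totals_directed
echo "== matrix (direction ignored) =="
totals_matrix
```

On the sample above the directed view yields four rows (the 192.0.2.10/198.51.100.5 pair appears twice, once per direction, with 350 and 300 bytes), while the matrix view collapses them into a single 650-byte row, which is the "total bytes per host pair regardless of who initiated" number the question is after.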

I want to get the following from a day's worth of argus data.  We store "raw" 
argus files in 4 hour increments, gzipped, which is around 10GB per day right 
now.  I want to get the following data from these files:

search the entire day for anything related to connections to two specific networks 
and sort it by total bytes, then saddr, then daddr.

Is this possible?

Right now I'm trying this (obfuscated for privacy):

   ra -s stime -s bytes -s saddr -s daddr -R /var/data/nsm/argus/2010-08-16/ - net or net | rasort -m bytes saddr daddr > 

Is this going to get me what I want?  I don't want packet data, just header 
information that shows me total bytes per host connecting to any one of a 
number of hosts on two different foreign networks.  (Foreign == not ours.)

I'd like to see the following:

Start time | Total bytes (highest to lowest) | Saddr | Daddr

I'm still trying to get a clue about argus, as you can see.

