filtering by total bytes

Rodney McKee rmckee at aconex.com
Thu Mar 11 19:28:51 EST 2010


Hello, 

I'm just trying to filter out some of the larger flows with "bytes gt 1000000", and it reduced the number of flows as expected. I then tried to reduce it further with "bytes gt 1500000", expecting it would return at least some of the entries below.

Am I missing something here? 

$ racluster -nr fw?.03* -s +load +sload +dload +bytes - port 12020 and host yyy.yyy.yyy.yyy and bytes gt 1000000 
... 
2009-12-03 17:56:04.789897 e tcp xxx.xxx.xxx.xxx.49816 -> yyy.yyy.yyy.yyy.12020 11580 11736264 CON 2096867. 47820.24 18352352 11736264 
2009-12-03 18:00:13.138702 e tcp xxx.xxx.xxx.xxx.56439 -> yyy.yyy.yyy.yyy.12020 1409 1415178 CON 2382021. 54764.62 2326324. 1415178 
2009-12-03 18:00:13.379679 e tcp xxx.xxx.xxx.xxx.56438 -> yyy.yyy.yyy.yyy.12020 4238 4246460 CON 2301080. 53225.92 7028546. 4246460 
2009-12-03 18:00:26.504711 e tcp xxx.xxx.xxx.xxx.56433 -> yyy.yyy.yyy.yyy.12020 1158 1168092 CON 1975618. 45571.41 1929100. 1168092 
2009-12-03 18:10:12.665753 e tcp xxx.xxx.xxx.xxx.55054 -> yyy.yyy.yyy.yyy.12020 4255 4247654 CON 2299767. 53823.88 6988820. 4247654 
2009-12-03 18:11:12.368370 e tcp xxx.xxx.xxx.xxx.55119 -> yyy.yyy.yyy.yyy.12020 1338 1336652 CON 2139327. 49779.52 2088657. 1336652 

$ racluster -nr fw?.03* -s +load +sload +dload +bytes - port 12020 and host yyy.yyy.yyy.yyy and bytes gt 1500000 
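Re-applying the threshold outside argus is the quickest way to see what the second command should have returned. The script below is an added example, not code from the post or from argus-clients: it parses the six flow lines printed above (copied here with the anonymized addresses from the post) and applies `bytes gt N` itself, so the two counts can be compared with what racluster's own filter produced. The set of direction tokens and the assumption that the trailing columns are load, sload, dload and bytes, in the order given by the `-s +load +sload +dload +bytes` option, are the example's own.

```python
"""Re-apply a TotBytes threshold to racluster's printed output.

Added example: not code from the original post or from argus-clients. It parses
the text lines racluster prints and applies "bytes gt N" itself, so the result
can be compared with what the tool's own filter expression returns.
"""
import sys

# Direction tokens argus prints between source and destination; this set is an
# assumption covering the common values.
DIR_TOKENS = {"->", "<-", "<->", "<?>", "?>", "<?", "who"}

# Flow lines copied from the post above (addresses anonymized there). The field
# layout is that of `racluster -s +load +sload +dload +bytes`: the default
# columns StartTime Flgs Proto SrcAddr Dir DstAddr TotPkts TotBytes State,
# followed by load, sload, dload and a second bytes column. The "..." line stands
# in for output the post elided and must be skipped by the parser.
SAMPLE_OUTPUT = """\
...
2009-12-03 17:56:04.789897 e tcp xxx.xxx.xxx.xxx.49816 -> yyy.yyy.yyy.yyy.12020 11580 11736264 CON 2096867. 47820.24 18352352 11736264
2009-12-03 18:00:13.138702 e tcp xxx.xxx.xxx.xxx.56439 -> yyy.yyy.yyy.yyy.12020 1409 1415178 CON 2382021. 54764.62 2326324. 1415178
2009-12-03 18:00:13.379679 e tcp xxx.xxx.xxx.xxx.56438 -> yyy.yyy.yyy.yyy.12020 4238 4246460 CON 2301080. 53225.92 7028546. 4246460
2009-12-03 18:00:26.504711 e tcp xxx.xxx.xxx.xxx.56433 -> yyy.yyy.yyy.yyy.12020 1158 1168092 CON 1975618. 45571.41 1929100. 1168092
2009-12-03 18:10:12.665753 e tcp xxx.xxx.xxx.xxx.55054 -> yyy.yyy.yyy.yyy.12020 4255 4247654 CON 2299767. 53823.88 6988820. 4247654
2009-12-03 18:11:12.368370 e tcp xxx.xxx.xxx.xxx.55119 -> yyy.yyy.yyy.yyy.12020 1338 1336652 CON 2139327. 49779.52 2088657. 1336652
"""


def parse_flow(line):
    """Parse one printed flow record; return None for lines that are not one."""
    tok = line.split()
    dir_idx = next((k for k, t in enumerate(tok) if t in DIR_TOKENS), None)
    # A record needs date, time, flgs, proto and src before the dir token, and
    # dst, pkts, bytes and state after it.
    if dir_idx is None or dir_idx < 5 or len(tok) < dir_idx + 5:
        return None
    src, dst = tok[dir_idx - 1], tok[dir_idx + 1]
    # argus prints addr.port; the last dotted component is the port.
    saddr, sport = src.rsplit(".", 1)
    daddr, dport = dst.rsplit(".", 1)
    # Trailing -s columns (load, sload, dload, bytes); float() accepts the
    # "2096867." form argus prints for large rates.
    extra = [float(x) for x in tok[dir_idx + 5:]]
    return {
        "stime": tok[0] + " " + tok[1],
        "proto": tok[3],
        "saddr": saddr, "sport": int(sport),
        "daddr": daddr, "dport": int(dport),
        "pkts": int(tok[dir_idx + 2]),
        "bytes": int(tok[dir_idx + 3]),
        "state": tok[dir_idx + 4],
        "extra": extra,
    }


def parse_output(text):
    """All flow records in a block of racluster/ra text output."""
    return [f for f in (parse_flow(l) for l in text.splitlines()) if f is not None]


def bytes_gt(flows, threshold):
    """Equivalent of the filter expression `bytes gt <threshold>`."""
    return [f for f in flows if f["bytes"] > threshold]


def inconsistent_records(flows):
    """Records whose TotBytes column disagrees with the trailing +bytes column."""
    return [f for f in flows if f["extra"] and int(f["extra"][-1]) != f["bytes"]]


if __name__ == "__main__":
    # Read real output from a pipe if one is attached, else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    flows = parse_output(text)
    for threshold in (1000000, 1500000):
        kept = bytes_gt(flows, threshold)
        print(f"bytes gt {threshold}: {len(kept)} of {len(flows)} records")
        for f in kept:
            print(f"  {f['stime']} {f['saddr']}.{f['sport']} -> "
                  f"{f['daddr']}.{f['dport']} bytes={f['bytes']}")
    if inconsistent_records(flows):
        print("warning: TotBytes and +bytes columns disagree on some records")
```

On the six records above, the post-filter keeps all six at 1000000 and three at 1500000 (the 11.7 MB flow from port 49816 and the two 4.2 MB flows from ports 56438 and 55054), which is the result the poster expected from the second racluster command. To check a real run, pipe the tool's output in (`racluster ... | python3 postfilter.py`) and compare the count with what the same `bytes gt` expression returns when given to racluster directly.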
