Argus TopN
Keir Novik
novik at sfu.ca
Mon Sep 6 16:15:16 EDT 2010
What's the best way to do a TopN report (bytes per IP address) in Argus 3? In Argus 2 I would do
$ ramon -M TopN -n -s bytes -r file |head
StartTime Addr InPkt OutPkt InBytes OutBytes
2005-04-11 08:17:13 197.0.1.1 816971 395562 1132802297 22705854
2005-04-11 10:17:15 1.0.12.15 28536 61199 1543399 85490108
2005-04-11 09:30:06 1.0.12.5 25119 52212 1358400 73443503
2005-04-11 09:56:37 1.0.12.11 21878 45413 1182885 63713137
2005-04-11 10:39:30 1.0.12.19 22040 44806 1191633 63260385
2005-04-11 09:24:27 1.0.12.4 15251 30746 824536 43076452
2005-04-11 08:55:28 1.0.12.1 16233 30346 877564 42943674
2005-04-11 10:06:41 1.0.12.13 14598 30647 789762 42933338
2005-04-11 09:38:26 1.0.12.8 14286 30553 772436 42723656
In Argus 3, the thoughts I've had are
(a) use "racount - host a.b.c.d" for each IP address in turn, which is fine for a few IP addresses but doesn't scale, or
(b) use "racluster -m daddr - dst net a.b.c.d/e", "racluster -m saddr - src net a.b.c.d/e", and write a script of my own to add up the results.
but is there a better way?
Regards,
Keir
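One way to do the "add up the results" step of option (b) in a single pass over flow records, as an added example that is not part of Keir's post or of the Argus tools themselves: a Python script that reads ra-style comma-separated output (the `-c ,` delimiter and the field names `saddr daddr sbytes dbytes` are assumptions about the ra command line) and ranks hosts by bytes in both directions, mirroring the InBytes/OutBytes columns of the Argus 2 ramon TopN report. The sample input is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of (assumed ra invocation)
#   ra -n -r file -c , -s saddr daddr sbytes dbytes
SAMPLE = """\
SrcAddr,DstAddr,SrcBytes,DstBytes
1.0.12.15,197.0.1.1,1543399,85490108
1.0.12.5,197.0.1.1,1358400,73443503
1.0.12.15,1.0.12.5,1000,2000
10.9.9.9,1.0.12.11,500,50
"""

def host_totals(lines, net=None):
    """Sum in/out bytes per address over flow records.

    Each flow is credited to both endpoints: for saddr, sbytes are OutBytes
    and dbytes are InBytes; for daddr it is the reverse. If net (a CIDR
    string) is given, only addresses inside it are counted, which replaces
    the separate "src net" / "dst net" racluster runs.
    """
    net = ipaddress.ip_network(net) if net else None
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 4 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue  # blank line or ra's column-header row
        saddr, daddr, sbytes, dbytes = parts[0], parts[1], int(parts[2]), int(parts[3])
        for host, inb, outb in ((saddr, dbytes, sbytes), (daddr, sbytes, dbytes)):
            if net and ipaddress.ip_address(host) not in net:
                continue
            totals[host]["in"] += inb
            totals[host]["out"] += outb
    return totals

def topn(lines, n=10, net=None):
    """Return [(addr, in_bytes, out_bytes), ...] for the n busiest hosts."""
    totals = host_totals(lines, net)
    ranked = sorted(totals.items(), key=lambda kv: kv[1]["in"] + kv[1]["out"], reverse=True)
    return [(h, t["in"], t["out"]) for h, t in ranked[:n]]

if __name__ == "__main__":
    import sys
    # Pipe ra output in via a file argument, or run on the constructed sample.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    print(f"{'Addr':<16}{'InBytes':>14}{'OutBytes':>14}")
    for addr, inb, outb in topn(src, n=10):
        print(f"{addr:<16}{inb:>14}{outb:>14}")
```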