racluster, rmon and filters

Carter Bullard carter at qosient.com
Wed Jun 15 21:17:31 EDT 2011


Hey Rafael,
This is expected.  ra* program filters are applied on input, before any processing (such as
the "-M rmon" processing) occurs.  With your filter, you end up selecting records where
the src was from the 192.16.0.0/16 network, but nothing is said about the dst addresses.
The "-M rmon" option then promotes all the IP addresses seen (including dst addrs) from
the resulting flows, to the saddr field for processing, which racluster() then faithfully tracks.

Because the "-M rmon" option works for all ra* programs, this may be a better strategy:

   ra -M rmon -r flows.argus -w - - ip | racluster -m saddr - src net 192.168.0.0/16

The first ra() duplicates only ip flow records, swapping all the identifiers.  This moves
the IP addresses from all the ip flows into the saddr field.  The racluster() then selects
only the flows with src addrs in the 192.168.0.0/16 network for processing.

The second racluster() DOES NOT use the "-M rmon" option.  This is very important.

For racluster() to provide the answer you were expecting, racluster() would need to apply
its filter to flow records after the "-M rmon" processing was done, which is a different data
flow from all the other ra* programs.

Carter

On Jun 15, 2011, at 4:33 AM, Rafael Barbosa wrote:

> Hi all,
> 
> I am trying to generate statistics per source address with the option -M rmon. However I am interested only in the address from a specific network, let's say 192.168.0.0/16. So I tried:
> $ racluster -M rmon -m saddr -r flows.argus - 'ip and src net 192.168.0.0/16'
> 
> To my surprise I have many rows that are not from 192.16.0.0/16. However if I run:
> $ racluster -M rmon -m saddr -r flows.argus -w - | ra - 'ip and src net 192.168.0.0/16'
> I seem to get the expected results.
> 
> Am I missing something?
> 
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
> 
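A small model of the ordering Carter describes, added here as an illustration and not code from argus or from either poster. It assumes a simplified record (saddr, daddr, pkts), models "-M rmon" as duplicating each record with the identifiers swapped, the "src net" filter as a test on saddr, and "racluster -m saddr" as a per-saddr sum, then runs both pipelines from the thread over a constructed flow set to show why the filtered-on-input form still yields addresses outside the network.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the thread): saddr, daddr, pkts.
FLOWS = [
    {"saddr": "192.168.1.10", "daddr": "10.0.0.5", "pkts": 10},
    {"saddr": "192.168.1.10", "daddr": "192.168.2.20", "pkts": 4},
    {"saddr": "10.0.0.5", "daddr": "192.168.3.30", "pkts": 7},
    {"saddr": "172.16.0.1", "daddr": "10.0.0.5", "pkts": 3},
]

def src_net_filter(flows, net):
    """Model of the 'src net NET' filter: keep records whose saddr is in NET."""
    network = ipaddress.ip_network(net)
    return [f for f in flows if ipaddress.ip_address(f["saddr"]) in network]

def rmon(flows):
    """Model of '-M rmon': emit each record twice, once as-is and once with
    the identifiers swapped, so every address seen lands in the saddr field."""
    out = []
    for f in flows:
        out.append(dict(f))
        out.append({**f, "saddr": f["daddr"], "daddr": f["saddr"]})
    return out

def cluster_saddr(flows):
    """Model of 'racluster -m saddr': sum packet counts per saddr."""
    agg = defaultdict(int)
    for f in flows:
        agg[f["saddr"]] += f["pkts"]
    return dict(agg)

def racluster_rmon_with_filter(flows, net):
    """racluster -M rmon -m saddr - src net NET:
    the filter is applied on input, before rmon, then the result is clustered."""
    return cluster_saddr(rmon(src_net_filter(flows, net)))

def ra_rmon_then_racluster(flows, net):
    """ra -M rmon ... | racluster -m saddr - src net NET:
    rmon runs first, racluster filters the swapped records, then clusters."""
    return cluster_saddr(src_net_filter(rmon(flows), net))

if __name__ == "__main__":
    print("filter on input, then rmon:", racluster_rmon_with_filter(FLOWS, "192.168.0.0/16"))
    print("rmon first, then filter:   ", ra_rmon_then_racluster(FLOWS, "192.168.0.0/16"))
```

The first pipeline reports 10.0.0.5 (promoted from a daddr) and never sees 192.168.3.30, which only appears as a destination; the second reports exactly the 192.168.0.0/16 hosts, whichever side of the flow they were on.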
