Huge argus files and racluster

Marco listaddr at gmail.com
Fri Feb 10 04:30:56 EST 2012 

Il 09 febbraio 2012 23:14, Peter Van Epp <vanepp at sfu.ca> ha scritto:
> On Thu, Feb 09, 2012 at 10:46:39AM +0100, Marco wrote:
> <snip>
>>
>> I had tried that indeed, but I thought that one could do it "on the
>> fly" (ie, just add "-M rmon" to the client, and add a filter on
>> src/dst/etc in the same command), while it turns out that you have to
>> explicitly write a new argus file from the -M rmon output, and then
>> run subsequent commands on that new file. It even looks like you don't
>> need the MAC information, at least in the few tests I've done so far.
>>
>> Thanks!
>
>        I believe that the clients (unlike the perl scripts) do need to write
> the rmon data to a file first then process that (presumably a quirk in when
> filtering takes place although I haven't looked). You will need to filter
> either on MAC or an address range to tie the argus data to direction on the
> wire correctly though. Argus treats the source as whoever started the
> connection without regard to direction on the wire and thus sometimes that
> direction will be wrong unless it is tied to something (such as the gateway
> MAC) that is tied to direction on the wire. Good luck!

Yes, I am indeed filtering on an IP address range. For the benefit of
whoever may be reading this in the future, here's a simple
explanation.

In the "normal" argus file I have flows like:

src dst  sbytes  dbytes
X   Y    100       200
Z   X    200        100

Where "X" is a host in the network for which I want to measure
bandwidth. A normal "sbytes dbytes" graph would tell me that 300 bytes
were sent in each direction (graphed over time), which is correct from
argus' point of view but does not reflect the actual bandwidth usage.
So I created a new file with -M rmon which thus looks like

src dst  sbytes  dbytes
X   Y    100       200
Y   X    200       100
Z   X    200        100
X   Z    100        200

Then using a simple "ragraph sbytes dbytes .... - src host X" on the
rmon file matches only the first and last record, and tells me that X
sent 200 and received 400, which is correct. Of course in the actual
data I don't have a single host "X" but rather a group of hosts whose
IPs are in a specific range, but that's just a matter of using a
filter like ".... - src net 192.168.44.0/24" when processing the file.
Seems to work fine so far.

Thanks again for pointing me in the right direction.

More information about the argus mailing list