Huge argus files and racluster

Carter Bullard carter at qosient.com
Fri Feb 10 12:23:05 EST 2012 

Hey Marco,
The "rmon" concept is a bit tricky, glad to see that you're getting it.
If you run into issues, don't hesitate to send to the list.

Carter

On Feb 10, 2012, at 4:30 AM, Marco wrote:

> Il 09 febbraio 2012 23:14, Peter Van Epp <vanepp at sfu.ca> ha scritto:
>> On Thu, Feb 09, 2012 at 10:46:39AM +0100, Marco wrote:
>> <snip>
>>> 
>>> I had tried that indeed, but I thought that one could do it "on the
>>> fly" (ie, just add "-M rmon" to the client, and add a filter on
>>> src/dst/etc in the same command), while it turns out that you have to
>>> explicitly write a new argus file from the -M rmon output, and then
>>> run subsequent commands on that new file. It even looks like you don't
>>> need the MAC information, at least in the few tests I've done so far.
>>> 
>>> Thanks!
>> 
>>        I believe that the clients (unlike the perl scripts) do need to write
>> the rmon data to a file first then process that (presumably a quirk in when
>> filtering takes place although I haven't looked). You will need to filter
>> either on MAC or an address range to tie the argus data to direction on the
>> wire correctly though. Argus treats the source as whoever started the
>> connection without regard to direction on the wire and thus sometimes that
>> direction will be wrong unless it is tied to something (such as the gateway
>> MAC) that is tied to direction on the wire. Good luck!
> 
> Yes, I am indeed filtering on an IP address range. For the benefit of
> whoever may be reading this in the future, here's a simple
> explanation.
> 
> In the "normal" argus file I have flows like:
> 
> src dst  sbytes  dbytes
> X   Y    100       200
> Z   X    200        100
> 
> Where "X" is a host in the network for which I want to measure
> bandwidth. A normal "sbytes dbytes" graph would tell me that 300 bytes
> were sent in each direction (graphed over time), which is correct from
> argus' point of view but does not reflect the actual bandwidth usage.
> So I created a new file with -M rmon which thus looks like
> 
> src dst  sbytes  dbytes
> X   Y    100       200
> Y   X    200       100
> Z   X    200        100
> X   Z    100        200
> 
> Then using a simple "ragraph sbytes dbytes .... - src host X" on the
> rmon file matches only the first and last record, and tells me that X
> sent 200 and received 400, which is correct. Of course in the actual
> data I don't have a single host "X" but rather a group of hosts whose
> IPs are in a specific range, but that's just a matter of using a
> filter like ".... - src net 192.168.44.0/24" when processing the file.
> Seems to work fine so far.
> 
> Thanks again for pointing me in the right direction.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4367 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120210/7f0659a2/attachment.bin>

More information about the argus mailing list