Need some help writing "simple" query

Slacker T slackert at gmail.com
Tue Sep 25 18:27:02 EDT 2012


Hello,

I'm trying to tie argus into our alerting system. The goal is to take
a snapshot of current usage when certain firewall/switch interfaces
exceed a threshold. I'm having difficulty writing a proper command to
get the information I'm looking for. I'd like to be able to show the
top talkers for a given period of time based first on total amount
downloaded, uploaded, both, or a total of both. Then from that list
I'd like to take the IP and show similar information broken up across
L4 ports (total amount downloaded, uploaded, both, or a total of
both).

I've gone through the man pages and nsmwiki and I'm a bit overwhelmed.
I'm excited by the granularity of detail argus can provide, and how
easy it is to keep a historical record of traffic, but the learning
curve seems quite steep. I'm thinking that racluster and rasort is
where I need to focus on, but I'm having trouble getting the info I'm
looking for.

Somewhat relevant info:
I'm collecting argus data from a SPAN port with the following command:
argus -mAJZRU 1024 -i eth3 -P561 -B 127.0.0.1 -w /argus/argus.log -d

I use rasplit to give me 5 minute chunks to work with (I've got a
script that does some log rotation, but this is the core of it):
/usr/bin/rasplit -r $DATADIR/argus.log-to_be_archived -M time 5m -w
$DATADIR'/archive/%Y/%m/%d/argus.%H.%M.%S.arg3'

# argus --version
Argus Version 3.0.4

This is about as far as I have got. If I understand correctly, this
uses racluster to total the bytes used by the source addresses in the
argus.14.00.00.arg3 source, then filters out only the IP records and
pipes them to rasort. Rasort sorts on bytes and prints the source
address and byte count, then head shows the top 5.

racluster -m saddr -r argus.14.00.00.arg3 -w - - ip | rasort -m bytes
-s saddr bytes | head -n 5
     10.210.20.214   50509905
      10.210.21.33   49000815
     10.210.20.110   48677815
       10.210.21.4   37675239
   192.168.100.159   33097697
...

If I'm on the right path, great, if not, what am I doing wrong? How do
I get the byte count to show per port and per destination IP?

Thanks!
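A worked version of the two pipelines asked about above, added here as an example (it is not from the post or from the argus project). It assumes argus-clients 3.x field names (sbytes, dbytes, bytes, proto, dport), the filter form `ip and host X`, and the poster's own rasplit directory layout; the date in the path is a constructed sample.

```shell
#!/bin/sh
# Added example: builds the racluster | rasort pipelines for (1) top talkers
# and (2) one talker's traffic split by destination address and L4 port.
# Assumes argus-clients 3.x field names (sbytes, dbytes, bytes, proto, dport)
# and the filter form "ip and host X". sbytes = bytes sent by saddr,
# dbytes = bytes sent by daddr. With -m saddr a host that only answers
# connections is counted under the remote address that opened them, so
# look at both byte columns, not just the sort key.

# Map the direction you care about to the argus byte field.
metric_field() {
  case "$1" in
    up)    echo sbytes ;;   # bytes the aggregated saddr sent
    down)  echo dbytes ;;   # bytes the aggregated saddr received
    total) echo bytes  ;;   # sbytes + dbytes
    *)     echo "unknown metric: $1 (use up|down|total)" >&2; return 1 ;;
  esac
}

# Top N source addresses in FILE, ranked by METRIC (up|down|total).
top_talkers_cmd() {
  file=$1; metric=$2; n=${3:-5}
  f=$(metric_field "$metric") || return 1
  echo "racluster -m saddr -r $file -w - - ip | rasort -m $f -s saddr sbytes dbytes bytes | head -n $n"
}

# One host's flows keyed by both endpoints, protocol and destination port.
# "host $host" keeps flows in either direction, so the host may show up as
# saddr or daddr; the sbytes/dbytes columns say which way the bytes went.
drilldown_cmd() {
  file=$1; host=$2; metric=$3; n=${4:-20}
  f=$(metric_field "$metric") || return 1
  echo "racluster -m saddr daddr proto dport -r $file -w - - ip and host $host | rasort -m $f -s saddr daddr proto dport sbytes dbytes bytes | head -n $n"
}

# Run the pipeline if the argus clients are installed, otherwise just show it.
run() {
  if command -v racluster >/dev/null 2>&1 && command -v rasort >/dev/null 2>&1; then
    eval "$1"
  else
    printf 'argus clients not found, would run:\n%s\n' "$1"
  fi
}

if [ "${1:-}" = "demo" ]; then
  F=/argus/archive/2012/09/25/argus.14.00.00.arg3   # constructed sample path
  run "$(top_talkers_cmd "$F" total 5)"
  run "$(drilldown_cmd "$F" 10.210.20.214 down 10)"
fi
```

Invoke the script with `demo` to see both commands for one five-minute file; the alerting hook can call `top_talkers_cmd` on the file that rasplit wrote for the interval in which the threshold tripped, then `drilldown_cmd` for each address it returns.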
