Need some help writing "simple" query
David Edelman
dedelman at iname.com
Wed Sep 26 01:37:17 EDT 2012
You need to add a few things to the racluster criteria and that will make
things look a bit different. Try this:
racluster -m daddr dport -r argus.14.00.00.arg3 -w - - ip | rasort -m bytes
-s daddr dport bytes | head -5
This will aggregate the byte count for each destination address and
destination port combination. The -s parameter in the rasort invocation will
print the address, port, and byte count with the output sorted by the
aggregated byte count for that pair. And racluster will only work with ip
data so no DECnet, SNA, Arcnet or similar need apply. Though you might want
to either change that to tcp or leave it as ip and add the protocol to the
selection so you see by protocol by address by port data. Just add proto to
the racluster -m parameter and to the rasort -s parameter. I added some
field width modifiers to the -s parameter to make it easier to read and
prevent truncation.
anondata $ racluster -m daddr dport -r anonargus.2012.05.07.21.00.00.0.gz
-w - - tcp | rasort -m bytes -s daddr:20 dport:20 bytes:10 | head -30
DstAddr Dport TotBytes
1.0.2.1.https 32318731
1.0.1.2.63633 243561
100.0.2.1.https 32770
197.0.4.1.https 25776
197.0.4.2.https 21258
1.0.1.2.63632 4212
1.0.2.4.https 2832
1.0.1.2.64914 2760
1.0.2.2.https 1452
1.0.3.1.15734 1446
1.0.1.2.63634 1380
1.0.3.1.16844 1068
1.0.3.1.15852 1068
1.0.3.1.15876 1068
1.0.3.1.15993 1068
1.0.3.1.17261 1068
1.0.3.1.16117 1068
1.0.3.1.16179 1068
1.0.3.1.16232 1068
1.0.3.1.17130 1068
1.0.3.1.16973 1068
1.0.3.1.18837 1068
1.0.3.1.17953 1068
1.0.3.1.17705 1068
1.0.3.1.17534 990
1.0.3.1.15552 990
1.0.3.1.15543 990
1.0.3.1.15532 990
1.0.3.1.18323 990
anondata $ racluster -m proto daddr dport -r
anonargus.2012.05.07.21.00.00.0.gz -w - - ip | rasort -m bytes -s proto:15
daddr:20 dport:20 bytes:10 | head -30
Proto DstAddr Dport TotBytes
tcp 1.0.2.1.https 32318731
tcp 1.0.1.2.63633 243561
udp 224.0.0.2.19827 200833
udp ff02::fb.19827 196512
ipv6-icmp ff02::1.0 69230
tcp 100.0.2.1.https 32770
udp ff02::1:2.dhcpv6-server 31066
udp 1.0.1.255.ipp 29232
udp 224.0.3.1.16374 28220
tcp 197.0.4.1.https 25776
ipv6-icmp ff02::16.0 21370
tcp 197.0.4.2.https 21258
udp 1.0.1.255.netbios-ns 17480
udp 197.0.1.255.bootps 15048
udp 1.0.6.1.domain 10050
tcp 1.0.1.2.63632 4212
ipv6-icmp ff02::2.0 3014
udp ff02::c.18176 2856
tcp 1.0.2.4.https 2832
udp 224.0.3.1.18176 2776
tcp 1.0.1.2.64914 2760
ipv6-icmp ff02::1:ff0f:6c68.0 2124
udp 1.0.1.1.domain 1992
udp 1.0.8.1.domain 1992
udp 1.0.7.1.domain 1992
udp 197.0.1.255.bootpc 1770
igmp 1.0.4.1 1680
igmp 224.0.0.2 1620
udp 1.0.1.255.netbios-dgm 1568
--Dave
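To make the grouping and ranking semantics of the racluster -m ... | rasort -m bytes | head -N pipeline above concrete (and to cover the original question's "uploaded vs downloaded" split, which the reply leaves out), here is an added example that is not part of this thread and not argus code: a plain sh/awk re-implementation of the same aggregation over a small constructed data set. It assumes a comma-separated export of flow records with the columns proto,saddr,daddr,dport,sbytes,dbytes (sbytes and dbytes are argus' per-direction byte counters; bytes is their sum). The sample rows, the function names agg_top, top_talkers, host_ports and top_dst_ports, and the mapping "sbytes = uploaded by the source, dbytes = downloaded by it" are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: emulate
#   racluster -m <keys> ... | rasort -m <metric> ... | head -N
# with awk/sort on a CONSTRUCTED sample (not real argus output).
# Columns: proto,saddr,daddr,dport,sbytes,dbytes
SAMPLE='tcp,10.0.0.5,1.0.2.1,443,1200,32000
tcp,10.0.0.7,1.0.2.1,443,800,15000
tcp,10.0.0.5,1.0.2.1,80,300,4000
udp,10.0.0.5,1.0.6.1,53,90,300
tcp,10.0.0.5,1.0.2.4,443,500,2300
udp,10.0.0.9,1.0.6.1,53,70,250
tcp,10.0.0.7,1.0.1.2,63633,243000,500'

# agg_top KEYCOLS METRIC N [FILTERCOL FILTERVAL]
#   KEYCOLS   comma list of 1-based input columns to group on (racluster -m)
#   METRIC    sbytes | dbytes | bytes, the column to rank on (rasort -m)
#   N         rows to keep (head -N)
#   FILTERCOL/FILTERVAL  optional exact-match filter applied before grouping
# Output rows: the key columns, then sbytes, dbytes, bytes (descending METRIC).
agg_top() {
  keycols=$1; metric=$2; n=$3; fcol=${4:-0}; fval=${5:-}
  nkeys=$(printf '%s' "$keycols" | awk -F, '{ print NF }')
  case $metric in
    sbytes) sortcol=$((nkeys + 1)) ;;
    dbytes) sortcol=$((nkeys + 2)) ;;
    bytes)  sortcol=$((nkeys + 3)) ;;
    *) echo "unknown metric: $metric" >&2; return 1 ;;
  esac
  printf '%s\n' "$SAMPLE" |
    awk -F, -v OFS=, -v keycols="$keycols" -v fcol="$fcol" -v fval="$fval" '
      BEGIN { nk = split(keycols, kc, ",") }
      fcol > 0 && $fcol != fval { next }          # optional pre-filter
      {
        key = $(kc[1])                            # build the group key
        for (i = 2; i <= nk; i++) key = key OFS $(kc[i])
        sb[key] += $5; db[key] += $6              # sum both directions
      }
      END { for (k in sb) print k, sb[k], db[k], sb[k] + db[k] }' |
    sort -t, -k"$sortcol,$sortcol"nr | head -n "$n"
}

# Step 1 of the original question: top talkers by source address, ranked on
# what they sent (sbytes = "uploaded"); use dbytes for "downloaded".
top_talkers() { agg_top 2 sbytes "$1"; }

# Step 2: for one destination address, break its traffic down by proto and port.
host_ports() { agg_top 1,4 bytes "$2" 3 "$1"; }

# The reply's pipeline: group by proto, daddr, dport and rank on total bytes.
top_dst_ports() { agg_top 1,3,4 bytes "$1"; }

top_dst_ports 5
```

Each function prints key columns followed by sbytes, dbytes and their sum, so the same output answers "uploaded", "downloaded" and "both"; switching the METRIC argument changes only which of the three the ranking uses, which is exactly the role of rasort -m in the real pipeline.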
On 9/25/12 10:27 PM, "Slacker T" <slackert at gmail.com> wrote:
> Hello,
>
> I'm trying to tie argus into our alerting system. The goal is to take
> a snapshot of current usage when certain firewall/switch interfaces
> exceed a threshold. I'm having difficulty writing a proper command to
> get the information I'm looking for. I'd like to be able to show the
> top talkers for a given period of time based first on total amount
> downloaded, uploaded, both, or a total of both. Then from that list
> I'd like to take the IP and show similar information broken up across
> L4 ports (total amount downloaded, uploaded, both, or a total of
> both).
>
> I've gone through the man pages and nsmwiki and I'm a bit overwhelmed.
> I'm excited by the granularity of detail argus can provide, and how
> easy it is to keep a historical record of traffic, but the learning
> curve seems quite steep. I'm thinking that racluster and rasort are
> where I need to focus, but I'm having trouble getting the info I'm
> looking for.
>
> Somewhat relevant info:
> I'm collecting argus data from a SPAN port with the following command:
> argus -mAJZRU 1024 -i eth3 -P561 -B 127.0.0.1 -w /argus/argus.log -d
>
> I use rasplit to give me 5 minute chunks to work with (I've got a
> script that does some log rotation, but this is the core of it):
> /usr/bin/rasplit -r $DATADIR/argus.log-to_be_archived -M time 5m -w
> $DATADIR'/archive/%Y/%m/%d/argus.%H.%M.%S.arg3'
>
> # argus --version
> Argus Version 3.0.4
>
> This is about as far as I have got, if I understand correctly this
> uses racluster to total the bytes used by the source addresses in the
> argus.14.00.00.arg3 source, then filter out only the IP records and
> pipe them to rasort. Rasort sorts on bytes and prints the source
> address and byte count, then head shows the top 5.
>
> racluster -m saddr -r argus.14.00.00.arg3 -w - - ip | rasort -m bytes
> -s saddr bytes | head -n 5
> 10.210.20.214 50509905
> 10.210.21.33 49000815
> 10.210.20.110 48677815
> 10.210.21.4 37675239
> 192.168.100.159 33097697
> ...
>
> If I'm on the right path, great, if not, what am I doing wrong? How do
> I get the byte count to show per port and per destination IP?
>
> Thanks!
>