grouping incoming http requests by subnet?
Dave Edelman
dedelman at iname.com
Thu Jan 31 00:06:30 EST 2013
The -r <datasource> option is going to try reading from a file. I went and caught a thousand wild packets. I have radium running on the same box and its connection port is 9012
ra -S localhost:9601 -w testAll.arg -N 1000
and then I sent them through racluster which can also do the filtering. I don’t really think that you want to use rmon mode or both your source and destination subnets are going to appear as source addresses.
racluster -m saddr/24 -r testAll.arg - tcp and port 80
StartTime Flgs Proto TcpOpt SrcAddr Sport Dir DstAddr Dport State Trans TotPkts TotBytes
Thu 2013-01-31 04:51:44.612 Ne tcp 10.36.155.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:43.484 Ne tcp 10.96.144.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:53.400 Ne tcp 10.212.129.0/24.1490 -> 164.2.55.119.80 REQ 1 1 44
Thu 2013-01-31 04:51:43.340 Ne tcp 10.233.51.0/24.0 -> 192.0.0.0/5.80 REQ 9 27 1296
Thu 2013-01-31 04:51:42.696 Ne tcp 10.233.52.0/24.0 -> 192.0.0.0/5.80 REQ 4 12 576
Thu 2013-01-31 04:51:42.368 Ne tcp 10.233.53.0/24.0 -> 192.0.0.0/5.80 REQ 8 24 1152
Thu 2013-01-31 04:51:44.480 Ne tcp 10.233.54.0/24.0 -> 192.0.0.0/5.80 RST 3 10 504
Thu 2013-01-31 04:51:42.556 Ne tcp 10.233.65.0/24.0 -> 192.0.0.0/5.80 REQ 12 36 1728
Thu 2013-01-31 04:51:43.752 Ne tcp 10.233.66.0/24.0 -> 192.0.0.0/5.80 REQ 6 18 864
Thu 2013-01-31 04:51:46.240 Ne tcp 10.233.69.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:44.776 Ne tcp 10.233.72.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 360
Thu 2013-01-31 04:51:44.288 Ne tcp 10.233.74.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:44.300 Ne tcp 10.233.76.0/24.0 -> 192.0.0.0/5.80 REQ 14 42 2016
Thu 2013-01-31 04:51:43.656 Ne tcp 10.233.96.0/24.0 -> 192.0.0.0/5.80 REQ 9 27 1296
Thu 2013-01-31 04:51:42.844 Ne tcp 10.233.99.0/24.0 -> 192.0.0.0/5.80 REQ 4 12 576
Thu 2013-01-31 04:51:43.208 Ne tcp 10.233.100.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:42.672 Ne tcp 10.233.101.0/24.0 -> 192.0.0.0/5.80 REQ 8 24 1152
Thu 2013-01-31 04:51:44.064 Ne tcp 10.233.102.0/24.0 -> 192.0.0.0/5.80 REQ 4 12 576
Thu 2013-01-31 04:51:42.408 Ne tcp 10.233.103.0/24.0 -> 192.0.0.0/5.80 REQ 6 18 864
Thu 2013-01-31 04:51:42.504 Ne tcp 10.233.105.0/24.0 -> 192.0.0.0/5.80 REQ 12 36 1728
Thu 2013-01-31 04:51:46.844 Ne tcp 10.233.106.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:44.368 Ne tcp 10.233.116.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:42.788 Ne tcp 10.233.117.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:42.652 Ne tcp 10.233.118.0/24.0 -> 192.0.0.0/5.80 REQ 4 12 576
Thu 2013-01-31 04:51:42.860 Ne tcp 10.233.119.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:42.824 Ne tcp 10.233.120.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:43.092 Ne tcp 10.233.121.0/24.0 -> 192.0.0.0/5.80 REQ 8 24 1152
Thu 2013-01-31 04:51:43.184 Ne tcp 10.233.122.0/24.0 -> 192.0.0.0/5.80 REQ 4 12 576
Thu 2013-01-31 04:51:42.524 Ne tcp 10.233.123.0/24.0 -> 192.0.0.0/5.80 REQ 6 18 864
Thu 2013-01-31 04:51:43.160 Ne tcp 10.233.124.0/24.0 -> 192.0.0.0/5.80 REQ 8 24 1152
Thu 2013-01-31 04:51:42.724 Ne tcp 10.233.125.0/24.0 -> 192.0.0.0/5.80 REQ 6 18 864
Thu 2013-01-31 04:51:42.484 Ne tcp 10.233.127.0/24.0 -> 192.0.0.0/5.80 REQ 6 18 864
Thu 2013-01-31 04:51:43.324 Ne tcp 10.233.128.0/24.0 -> 192.0.0.0/5.80 REQ 12 36 1728
Thu 2013-01-31 04:51:43.936 Ne tcp 10.233.129.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:42.664 Ne tcp 10.233.131.0/24.0 -> 192.0.0.0/5.80 REQ 12 36 1728
Thu 2013-01-31 04:51:42.612 Ne tcp 10.233.132.0/24.0 -> 192.0.0.0/5.80 REQ 10 30 1440
Thu 2013-01-31 04:51:43.548 Ne tcp 10.233.134.0/24.0 -> 192.0.0.0/5.80 REQ 6 18 864
Thu 2013-01-31 04:51:43.076 Ne tcp 10.233.136.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:45.224 Ne tcp 10.233.137.0/24.0 -> 192.0.0.0/5.80 REQ 4 12 576
--Dave
> -----Original Message-----
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
> On Behalf Of James A. Robinson
> Sent: Wednesday, January 30, 2013 8:13 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: [ARGUS] grouping incoming http requests by subnet?
>
> Hi folks,
>
> I'm just starting to use argus, and I'd like to ask if the following is on the right
> track for generating reports on incoming HTTP requests by ip address
> network.
>
> We deal with crawlers from the big indexers, and would like a way to start
> generating summaries of the count of incoming requests by network.
>
> Is something like the following on the right track?
>
> argus -r <datasource> -w - | ra -w - tcp port 80 | racluster -M rmon -m saddr/24 - ip
>
> My intent was to filter by traffic to port 80, and to group it by the class C
> network for each IP.
>
> Jim
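Jim asked for per-network request counts and Dave's racluster run above produces one record per source /24. The script below is an added example, not code from the argus project or from either poster: it parses rows shaped exactly like that racluster output (the four sample rows are copied from the table above), totals the Trans column per source subnet, and can roll the totals up to a coarser prefix. The rmon=True branch models Dave's caveat by counting both endpoints of each flow as a source, which is an assumption about how racluster -M rmon splits records based on his description, not a reproduction of the tool.

```python
"""Summarise racluster-style flow records by source subnet.

Added example (not argus/ra/racluster code). Parses rows shaped like the
racluster output in the thread and counts transactions per source network.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Header plus four rows copied from the racluster output in the thread.
SAMPLE_OUTPUT = """\
StartTime Flgs Proto TcpOpt SrcAddr Sport Dir DstAddr Dport State Trans TotPkts TotBytes
Thu 2013-01-31 04:51:44.612 Ne tcp 10.36.155.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:43.484 Ne tcp 10.96.144.0/24.0 -> 192.0.0.0/5.80 REQ 2 6 288
Thu 2013-01-31 04:51:53.400 Ne tcp 10.212.129.0/24.1490 -> 164.2.55.119.80 REQ 1 1 44
Thu 2013-01-31 04:51:43.340 Ne tcp 10.233.51.0/24.0 -> 192.0.0.0/5.80 REQ 9 27 1296
"""


@dataclass(frozen=True)
class Flow:
    saddr: ipaddress.IPv4Network
    sport: int
    daddr: ipaddress.IPv4Network
    dport: int
    state: str
    trans: int
    pkts: int
    nbytes: int


def split_addr_port(field: str):
    """'10.36.155.0/24.0' -> (10.36.155.0/24, 0); '164.2.55.119.80' -> (164.2.55.119/32, 80).

    The port follows the final dot, and the address may already carry a /mask
    when racluster has aggregated it."""
    addr, _, port = field.rpartition(".")
    return ipaddress.ip_network(addr, strict=False), int(port)


def parse_racluster(text: str):
    """Parse column-aligned output.

    Fields are read from the right because the TcpOpt column is blank in the
    rows above, so positional indexing from the left would be off by one."""
    flows = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] == "StartTime":
            continue
        trans, pkts, nbytes = (int(t) for t in toks[-3:])
        state = toks[-4]
        daddr, dport = split_addr_port(toks[-5])
        if toks[-6] != "->":
            raise ValueError(f"unexpected direction token in: {line!r}")
        saddr, sport = split_addr_port(toks[-7])
        flows.append(Flow(saddr, sport, daddr, dport, state, trans, pkts, nbytes))
    return flows


def subnet_key(net, prefix):
    """Roll a network up to the requested prefix; a coarser one (e.g. /5) is left alone."""
    return net.supernet(new_prefix=prefix) if net.prefixlen > prefix else net


def http_requests(flows, port=80):
    """Keep only flows whose destination port matches (the 'tcp and port 80' filter)."""
    return [f for f in flows if f.dport == port]


def requests_by_subnet(flows, prefix=24, rmon=False):
    """Sum Trans per source subnet.

    rmon=True is a model of the behaviour Dave describes: each flow is counted
    under both endpoints, so destination networks also appear as 'sources'."""
    counts = Counter()
    for f in flows:
        counts[subnet_key(f.saddr, prefix)] += f.trans
        if rmon:
            counts[subnet_key(f.daddr, prefix)] += f.trans
    return counts


def summary_table(counts):
    """Render the counts as 'network  transactions' lines, largest first."""
    return "\n".join(f"{str(net):20s} {n:6d}"
                     for net, n in sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    flows = http_requests(parse_racluster(SAMPLE_OUTPUT))
    print("per /24 source network:")
    print(summary_table(requests_by_subnet(flows)))
    print("\nsame data with the rmon-style double counting:")
    print(summary_table(requests_by_subnet(flows, rmon=True)))
```

To use it on real data, pipe the racluster output into a file and pass its contents to parse_racluster; the prefix argument lets you answer Jim's question at /16 or /8 without re-running racluster, and the rmon comparison makes Dave's point visible: the 192.0.0.0/5 destination aggregate shows up as the largest "source".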