grouping incoming http requests by subnet?

Carter Bullard carter at qosient.com
Thu Jan 31 09:24:24 EST 2013 

Print out the " trans " field, (transactions) to see how many records were merged together to
generate the output.   You can use that value for your threshold.

If you want a periodic report of this type of data from a live stream, use rabins()
to aggregate over your time interval.  To generate aggregate CIDR web traffic output every
60 seconds, for example:

   rabins -S localhost:9601 -M time 1m -m saddr/24 daddr/24 proto - tcp and port 80

Every 60 seconds, rabins will dump its clustered cache of port 80 TCP connections.
You can pipe that output to something like " ra - trans gt 50 ", and you'll get the list of
flows that exceed your threshold.  You can set the RA_SORT_ALGORITHMS value
to have your rabins() sort on the "trans" field, or you can pipe the output to rasort(),
then you can watch the top N for comparisons, etc....


   rabins -S localhost:9601 -M time 1m -m saddr/24 daddr/24 -w - - tcp and port 80 | \
      rasort -m trans -No 25 -s stime dur trans saddr dir daddr spkts dpkts sbytes dbytes

This may get you close.

Carter


On Jan 31, 2013, at 1:25 AM, James A. Robinson <jim.robinson at gmail.com> wrote:

> On Wed, Jan 30, 2013 at 9:06 PM, Dave Edelman <dedelman at iname.com> wrote:
>> The -r <datasource> option is going to try reading from a file. I went a
>> caught a thousand wild packet I have radium running on the same box and its
>> connection port is 9012
>> 
>> ra -S localhost:9601 -w testAll.arg -N 1000
>> 
>> and then I sent them through racluster which can also do the filtering. I
>> don’t really think that you want to use rmon mode or both your source and
>> destination subnets are going to appear as source addresses.
>> 
>> racluster  -m saddr/24 -r testAll.arg - tcp and port 80
> 
> Ah, thank you for pointing out that I can combine the filtering
> with racluster, w/o needing an additional filter in the pipeline.
> 
> Ok, so -m saddr/24 is going to do what I thought, roll up the
> traffic from multiple ips sharing the same class C, cool.
> 
> Jim
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2589 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130131/08c500ec/attachment.bin>

More information about the argus mailing list