grouping incoming http requests by subnet?
James A. Robinson
jim.robinson at gmail.com
Thu Jan 31 09:50:06 EST 2013
On Thu, Jan 31, 2013 at 6:24 AM, Carter Bullard <carter at qosient.com> wrote:
> If you want a periodic report of this type of data from a live stream, use rabins()
> to aggregate over your time interval. To generate aggregate CIDR web traffic output every
> 60 seconds, for example:
>
> rabins -S localhost:9601 -M time 1m -m saddr/24 daddr/24 proto - tcp and port 80
>
> Every 60 seconds, rabins will dump its clustered cache of port 80 TCP connections.
> You can pipe that output to something like " ra - trans gt 50 ", and you'll get the list of
> flows that exceed your threshold. You can set the RA_SORT_ALGORITHMS value
> to have your rabins() sort on the "trans" field, or you can pipe the output to rasort(),
> then you can watch the top N for comparisons, etc....
>
>
> rabins -S localhost:9601 -M time 1m -m saddr/24 daddr/24 -w - - tcp and port 80 | \
> rasort -m trans -No 25 -s stime dur trans saddr dir daddr spkts dpkts sbytes dbytes
>
> This may get you close.
Very nice, thank you. I'll start playing around with these examples.
Jim
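As an added illustration (not part of this thread or of the argus tools), the Python below emulates what the suggested pipeline does on a small constructed sample: bin flow records by time interval, cluster them into saddr/24 and daddr/24 pairs like `rabins -M time 1m -m saddr/24 daddr/24`, sum the `trans` field of the merged records, then keep only clusters above a threshold sorted by `trans` like `ra - trans gt 50 | rasort -m trans -N 25`. The input format is assumed to be CSV in the column order `stime,saddr,daddr,dport,trans` (as `ra -c , -s stime saddr daddr dport trans` would print); the addresses and counts are made up, and the `proto` key from the original command is replaced by a simple destination-port filter.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, assumed column order: stime,saddr,daddr,dport,trans.
# Two /24 client subnets talking to one web-server /24 across two 60s bins.
SAMPLE = """\
1359629400.000000,10.1.2.3,192.0.2.10,80,30
1359629405.000000,10.1.2.77,192.0.2.10,80,25
1359629410.000000,10.1.9.5,192.0.2.10,80,4
1359629412.000000,10.1.9.5,192.0.2.10,443,90
1359629470.000000,10.1.2.3,192.0.2.10,80,12
1359629471.000000,10.1.2.9,192.0.2.11,80,3
"""


def subnet(addr, prefix=24):
    """Mask a host address to its /prefix network, as the saddr/24 key does."""
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def aggregate(text, bin_seconds=60, prefix=24, port=80):
    """Emulate rabins -M time 1m -m saddr/24 daddr/24 - tcp and port 80.

    Returns {(bin_start, src_net, dst_net): summed trans} for records whose
    destination port matches; other records are dropped by the filter.
    """
    buckets = defaultdict(int)
    for line in text.splitlines():
        stime, saddr, daddr, dport, trans = line.split(",")
        if int(dport) != port:
            continue
        bin_start = int(float(stime)) // bin_seconds * bin_seconds
        key = (bin_start, subnet(saddr, prefix), subnet(daddr, prefix))
        buckets[key] += int(trans)
    return dict(buckets)


def top_exceeding(buckets, threshold=50, n=25):
    """Emulate ra - trans gt 50 | rasort -m trans -N 25 on the clustered cache."""
    hits = [(key, total) for key, total in buckets.items() if total > threshold]
    hits.sort(key=lambda item: item[1], reverse=True)
    return hits[:n]


if __name__ == "__main__":
    for (bin_start, src, dst), total in top_exceeding(aggregate(SAMPLE)):
        print(f"{bin_start} {src} -> {dst} trans={total}")
```

Run against real `ra` CSV output, the same two functions give the per-interval "which /24 is hammering port 80" list that the rabins/rasort pipeline produces, which is handy for checking a threshold before wiring it into RA_SORT_ALGORITHMS or a live rabins feed.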