grouping incoming http requests by subnet?

Jesse Bowling jessebowling at gmail.com
Thu Jan 31 10:31:47 EST 2013


I'm unable to get either of these incantations to generate output... The
programs start, but don't ever generate output.

# rabins --help
Rabins Version 3.0.7.3


# time rabins -S 10.9.12.20:561 -M time 1m -m saddr/24 daddr/24 proto -w - - tcp and port 80 | rasort -m trans -N 25 -s stime dur trans saddr dir daddr spkts dpkts sbytes dbytes
^C
real    4m15.894s
user    0m2.300s
sys     0m0.813s

What am I missing?

On Thu, Jan 31, 2013 at 9:50 AM, James A. Robinson <jim.robinson at gmail.com> wrote:

> On Thu, Jan 31, 2013 at 6:24 AM, Carter Bullard <carter at qosient.com> wrote:
> > If you want a periodic report of this type of data from a live stream, use rabins()
> > to aggregate over your time interval.  To generate aggregate CIDR web traffic output every
> > 60 seconds, for example:
> >
> >    rabins -S localhost:9601 -M time 1m -m saddr/24 daddr/24 proto - tcp and port 80
> >
> > Every 60 seconds, rabins will dump its clustered cache of port 80 TCP connections.
> > You can pipe that output to something like " ra - trans gt 50 ", and you'll get the list of
> > flows that exceed your threshold.  You can set the RA_SORT_ALGORITHMS value
> > to have your rabins() sort on the "trans" field, or you can pipe the output to rasort(),
> > then you can watch the top N for comparisons, etc....
> >
> >
> >    rabins -S localhost:9601 -M time 1m -m saddr/24 daddr/24 -w - - tcp and port 80 | \
> >       rasort -m trans -No 25 -s stime dur trans saddr dir daddr spkts dpkts sbytes dbytes
> >
> > This may get you close.
>
> Very nice, thank you.  I'll start playing around with these examples.
>
> Jim
>



-- 
Jesse Bowling
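The aggregation Carter describes in the quoted reply (cluster flows per one-minute bin on saddr/24, daddr/24 and proto, count the merged flows as trans, then sort by trans or threshold on it) is modelled below as an added Python example. It is not argus code and not part of the original thread: the flow records are constructed, and the field names, filter callback and helper names are assumptions for illustration. It shows what the rabins | rasort pipeline computes per bin, not how argus implements it.

```python
"""Model of the rabins | rasort pipeline from the thread (added example, not argus code).

Flow records are constructed inline; field and helper names are assumptions.
- time_bin()        stands in for  rabins -M time 1m
- aggregate()       stands in for  rabins -m saddr/24 daddr/24 proto  plus a filter like "tcp and port 80"
- top_n()           stands in for  rasort -m trans -N <n>
- over_threshold()  stands in for  ra - trans gt <limit>
"""
import ipaddress
from collections import defaultdict

BIN_SECONDS = 60  # -M time 1m

# Constructed flow records, not captured traffic:
# (stime, saddr, daddr, proto, dport, spkts, dpkts, sbytes, dbytes)
FLOWS = [
    (1359646200.1, "203.0.113.5",  "10.9.12.20", "tcp", 80,  6, 4, 600, 1200),
    (1359646201.4, "203.0.113.9",  "10.9.12.20", "tcp", 80,  5, 3, 500,  900),
    (1359646205.0, "203.0.113.77", "10.9.12.20", "tcp", 80,  7, 5, 700, 1500),
    (1359646210.0, "198.51.100.4", "10.9.12.20", "tcp", 80,  4, 2, 400,  300),
    (1359646230.0, "203.0.113.5",  "10.9.12.21", "tcp", 443, 3, 2, 300,  200),  # dropped by the port 80 filter
    (1359646240.0, "203.0.113.5",  "10.9.12.20", "udp", 80,  1, 1, 100,  100),  # dropped by the tcp filter
    (1359646265.0, "203.0.113.5",  "10.9.12.20", "tcp", 80,  8, 6, 800, 1600),  # next one-minute bin
    (1359646270.0, "198.51.100.4", "10.9.12.20", "tcp", 80,  2, 2, 200,  400),
]


def cidr(addr, prefix):
    """Mask an address to its network, as the saddr/24 and daddr/24 specs do."""
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def time_bin(stime, size=BIN_SECONDS):
    """Start of the bin containing stime (rabins -M time <size>)."""
    return int(stime // size) * size


def tcp_port_80(proto, dport):
    """Stand-in for the argus filter expression 'tcp and port 80'."""
    return proto == "tcp" and dport == 80


def aggregate(flows, prefix=24, bin_seconds=BIN_SECONDS, keep=None):
    """Cluster flows per time bin on (saddr/prefix, daddr/prefix, proto).

    Returns {bin_start: {key: {"trans", "stime", "ltime", "spkts", ...}}}.
    'trans' counts the flows merged into each aggregate; 'keep' is the filter.
    """
    def fresh():
        return {"trans": 0, "stime": None, "ltime": None,
                "spkts": 0, "dpkts": 0, "sbytes": 0, "dbytes": 0}

    bins = defaultdict(lambda: defaultdict(fresh))
    for stime, saddr, daddr, proto, dport, spkts, dpkts, sbytes, dbytes in flows:
        if keep is not None and not keep(proto, dport):
            continue
        key = (cidr(saddr, prefix), cidr(daddr, prefix), proto)
        agg = bins[time_bin(stime, bin_seconds)][key]
        agg["trans"] += 1
        agg["stime"] = stime if agg["stime"] is None else min(agg["stime"], stime)
        agg["ltime"] = stime if agg["ltime"] is None else max(agg["ltime"], stime)
        agg["spkts"] += spkts
        agg["dpkts"] += dpkts
        agg["sbytes"] += sbytes
        agg["dbytes"] += dbytes
    return {b: dict(keys) for b, keys in bins.items()}


def top_n(bucket, field="trans", n=25):
    """rasort -m <field> -N <n>: one bin's aggregates, highest <field> first."""
    return sorted(bucket.items(), key=lambda kv: kv[1][field], reverse=True)[:n]


def over_threshold(bucket, field="trans", limit=50):
    """ra - <field> gt <limit>: aggregates in one bin above the threshold."""
    return {k: v for k, v in bucket.items() if v[field] > limit}


if __name__ == "__main__":
    bins = aggregate(FLOWS, keep=tcp_port_80)
    for start in sorted(bins):  # one report per one-minute bin, as rabins would emit
        print(f"--- bin starting {start} ---")
        for (snet, dnet, proto), a in top_n(bins[start], n=25):
            print(f"{a['trans']:>5} {snet:>18} -> {dnet:<18} {proto} "
                  f"spkts={a['spkts']} dpkts={a['dpkts']} "
                  f"sbytes={a['sbytes']} dbytes={a['dbytes']}")
```

Two things this makes visible that the one-line command hides: the proto field is part of the cluster key, so with the filter removed the udp flow becomes its own row rather than merging into the tcp one, and the threshold in " ra - trans gt 50 " is applied per bin, so a /24 that only crosses 50 flows over several minutes never shows up.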