grouping incoming http requests by subnet?

Jesse Bowling jessebowling at gmail.com
Thu Jan 31 11:37:00 EST 2013 

That works like a champ (to generate a single minute's output):

# grep STATUS /etc/argus.conf
# ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is
ARGUS_FLOW_STATUS_INTERVAL=5

# rabins -S 10.10.10.10:561 -B 10s -M time 1m -m saddr/24 daddr/24 proto -w
- - tcp and port 80 |rasort -m trans -N 25 -s stime dur trans saddr dir
daddr spkts dpkts sbytes dbytes
<snip for output>

So could this sort of data be replicated in ratop? I imagine if one wants
to look at this data regularly, one would want more than a minutes worth...
:)

Cheers,

Jesse


On Thu, Jan 31, 2013 at 11:22 AM, Carter Bullard <carter at qosient.com> wrote:

> Hmmm, my fault, I left out the -B option.  Try adding a -B 10s, assuming
> your
> argus record status time is 5-10 seconds ?
>
> Sorry about that.
> Carter
>
>
> On Jan 31, 2013, at 10:31 AM, Jesse Bowling <jessebowling at gmail.com>
> wrote:
>
> I'm unable to get either of these incantations to generate output...The
> programs start, but don't ever generate output.
>
> # rabins --help
> Rabins Version 3.0.7.3
>
>
> # time rabins -S 10.9.12.20:561 -M time 1m -m saddr/24 daddr/24 proto -w
> - - tcp and port 80 |rasort -m trans -N 25 -s stime dur trans saddr dir
> daddr spkts dpkts sbytes dbytes
> ^C
> real    4m15.894s
> user    0m2.300s
> sys     0m0.813s
>
> What am I missing?
>
> On Thu, Jan 31, 2013 at 9:50 AM, James A. Robinson <jim.robinson at gmail.com
> > wrote:
>
>> On Thu, Jan 31, 2013 at 6:24 AM, Carter Bullard <carter at qosient.com>
>> wrote:
>> > If you want a periodic report of this type of data from a live stream,
>> use rabins()
>> > to aggregate over your time interval.  To generate aggregate CIDR web
>> traffic output every
>> > 60 seconds, for example:
>> >
>> >    rabins -S localhost:9601 -M time 1m -m saddr/24 daddr/24 proto - tcp
>> and port 80
>> >
>> > Every 60 seconds, rabins will dump its clustered cache of port 80 TCP
>> connections.
>> > You can pipe that output to something like " ra - trans gt 50 ", and
>> you'll get the list of
>> > flows that exceed your threshold.  You can set the RA_SORT_ALGORITHMS
>> value
>> > to have your rabins() sort on the "trans" field, or you can pipe the
>> output to rasort(),
>> > then you can watch the top N for comparisons, etc....
>> >
>> >
>> >    rabins -S localhost:9601 -M time 1m -m saddr/24 daddr/24 -w - - tcp
>> and port 80 | \
>> >       rasort -m trans -No 25 -s stime dur trans saddr dir daddr spkts
>> dpkts sbytes dbytes
>> >
>> > This may get you close.
>>
>> Very nice, thank you.  I'll start playing around with these examples.
>>
>> Jim
>>
>
>
>
> --
> Jesse Bowling
>
>
>


-- 
Jesse Bowling
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130131/0bf746ff/attachment.html>

More information about the argus mailing list