grouping incoming http requests by subnet?

Carter Bullard carter at qosient.com
Thu Jan 31 11:45:15 EST 2013 

Yes ratop() can do this, but it will be continuous, not periodic.
Just pass the same flow model to ratop, either on the command line, or using the ":m" command.
This works:

   ratop -S localhost -m saddr/24 daddr/24 proto -s +2trans - tcp and port 80

WIth a .rarc that sorts by trans, you're in business, but to change the sort alg, just use the ":s" command.

However, ratop() is a simple accumulator, so it will just keep aggregating.
Getting it to do a windowed aggregation, will require just a little bit of modification.

Carter

On Jan 31, 2013, at 11:37 AM, Jesse Bowling <jessebowling at gmail.com> wrote:

> That works like a champ (to generate a single minute's output):
> 
> # grep STATUS /etc/argus.conf 
> # ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is
> ARGUS_FLOW_STATUS_INTERVAL=5
> 
> # rabins -S 10.10.10.10:561 -B 10s -M time 1m -m saddr/24 daddr/24 proto -w - - tcp and port 80 |rasort -m trans -N 25 -s stime dur trans saddr dir daddr spkts dpkts sbytes dbytes
> <snip for output>
> 
> So could this sort of data be replicated in ratop? I imagine if one wants to look at this data regularly, one would want more than a minutes worth... :)
> 
> Cheers,
> 
> Jesse
> 
> 
> On Thu, Jan 31, 2013 at 11:22 AM, Carter Bullard <carter at qosient.com> wrote:
> Hmmm, my fault, I left out the -B option.  Try adding a -B 10s, assuming your
> argus record status time is 5-10 seconds ?
> 
> Sorry about that.
> Carter
> 
> 
> On Jan 31, 2013, at 10:31 AM, Jesse Bowling <jessebowling at gmail.com> wrote:
> 
>> I'm unable to get either of these incantations to generate output...The programs start, but don't ever generate output.
>> 
>> # rabins --help
>> Rabins Version 3.0.7.3
>> 
>> 
>> # time rabins -S 10.9.12.20:561 -M time 1m -m saddr/24 daddr/24 proto -w - - tcp and port 80 |rasort -m trans -N 25 -s stime dur trans saddr dir daddr spkts dpkts sbytes dbytes
>> ^C                                              
>> real    4m15.894s
>> user    0m2.300s
>> sys     0m0.813s
>> 
>> What am I missing?
>> 
>> On Thu, Jan 31, 2013 at 9:50 AM, James A. Robinson <jim.robinson at gmail.com> wrote:
>> On Thu, Jan 31, 2013 at 6:24 AM, Carter Bullard <carter at qosient.com> wrote:
>> > If you want a periodic report of this type of data from a live stream, use rabins()
>> > to aggregate over your time interval.  To generate aggregate CIDR web traffic output every
>> > 60 seconds, for example:
>> >
>> >    rabins -S localhost:9601 -M time 1m -m saddr/24 daddr/24 proto - tcp and port 80
>> >
>> > Every 60 seconds, rabins will dump its clustered cache of port 80 TCP connections.
>> > You can pipe that output to something like " ra - trans gt 50 ", and you'll get the list of
>> > flows that exceed your threshold.  You can set the RA_SORT_ALGORITHMS value
>> > to have your rabins() sort on the "trans" field, or you can pipe the output to rasort(),
>> > then you can watch the top N for comparisons, etc....
>> >
>> >
>> >    rabins -S localhost:9601 -M time 1m -m saddr/24 daddr/24 -w - - tcp and port 80 | \
>> >       rasort -m trans -No 25 -s stime dur trans saddr dir daddr spkts dpkts sbytes dbytes
>> >
>> > This may get you close.
>> 
>> Very nice, thank you.  I'll start playing around with these examples.
>> 
>> Jim
>> 
>> 
>> 
>> -- 
>> Jesse Bowling
>> 
> 
> 
> 
> 
> -- 
> Jesse Bowling
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130131/8d924040/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2589 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130131/8d924040/attachment.bin>

More information about the argus mailing list