grouping incoming http requests by subnet?
James A. Robinson
jim.robinson at gmail.com
Thu Jan 31 12:55:48 EST 2013
On Thu, Jan 31, 2013 at 8:22 AM, Carter Bullard <carter at qosient.com> wrote:
> Hmmm, my fault, I left out the -B option. Try adding a -B 10s, assuming
> your argus record status time is 5-10 seconds ?
I'm sorry for what may be a silly question, but what does -B do? I've worked
through the manpages to break down your example, and I don't see -B listed
in either ra(1) or rabins(1); is there a 3rd manpage I ought to be
referring to?
Jim
Example #1:
rabins -S localhost:9601 -B 10s -M time 1m -m saddr/24 daddr/24 -w - - tcp and port 80 | \
rasort -m trans -N 25 -s stime dur trans saddr dir daddr spkts dpkts sbytes dbytes
rabins -- reads argus data from a source and adjust the data so that
it is aligned into a set of bins, or slots.
-S localhost:9601 -- read from the specified remote source
-B 10s -- ?record status time option of some sort?
-M time 1m -- split into 1 minute bins
-m saddr/24 -- aggregate on source address class C network
-w - -- stream output data to stdout
- tcp and port 80 -- only aggregate TCP packets arriving on port 80
rasort -- sort argus data
-m trans -- sort by aggregation record count
-N 25 -- process the first 25 records
-s stime dur trans saddr dir daddr spkts dpkts sbytes dbytes
-- report output fields
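As an added illustration (not argus code, and not from this thread), here is the work the pipeline above describes, reimplemented in Python over constructed flow records: 1-minute time bins, /24 masking of both addresses, the "tcp and port 80" filter, and the rasort-style ordering by transaction count. The record tuple layout and the sample timestamps are assumptions made for the example.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed sample flows (not real argus output): (stime, saddr, daddr, proto, dport)
FLOWS = [
    (1359648000, "10.0.1.5",  "192.0.2.10",   "tcp", 80),
    (1359648010, "10.0.1.77", "192.0.2.10",   "tcp", 80),
    (1359648020, "10.0.1.5",  "192.0.2.11",   "tcp", 443),  # dropped by the filter
    (1359648030, "10.0.2.9",  "192.0.2.10",   "udp", 80),   # dropped by the filter
    (1359648040, "10.0.3.1",  "198.51.100.5", "tcp", 80),
    (1359648070, "10.0.1.5",  "192.0.2.10",   "tcp", 80),   # falls into the next 1m bin
]


def bin_start(stime, bin_secs):
    """Align a start time to its bin, like rabins -M time <bin>."""
    return stime - (stime % bin_secs)


def subnet(addr, prefix):
    """Mask an address to its network, like the saddr/24 and daddr/24 aggregation keys."""
    return str(ip_network(f"{addr}/{prefix}", strict=False))


def aggregate(flows, bin_secs=60, prefix=24):
    """Count flows per (bin, source net, destination net) for tcp flows to port 80.

    This is the 'trans' count that rasort -m trans later orders by.
    """
    counts = Counter()
    for stime, saddr, daddr, proto, dport in flows:
        if proto != "tcp" or dport != 80:          # the "- tcp and port 80" filter
            continue
        key = (bin_start(stime, bin_secs), subnet(saddr, prefix), subnet(daddr, prefix))
        counts[key] += 1
    return counts


def top_n(counts, n=25):
    """Order by transaction count, highest first (rasort -m trans -N 25)."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for (stime, src, dst), trans in top_n(aggregate(FLOWS)):
        print(stime, src, "->", dst, "trans =", trans)
```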