grouping incoming http requests by subnet?

Jesse Bowling jessebowling at gmail.com
Thu Jan 31 13:07:01 EST 2013 

For that you have to hit the PDF manuals on the quosient site:

  The second output mode, has rabins writing out the contents of individual
sorted bins, periodically based on a holding time, specified using the -B
secs option.

rabins 3.0.6 12 August 2003 1

RABINS(1) RABINS(1)

The secs value should be chosen such that rabins will have seen all the
appropriate incoming data for that time period. This is determined by the
ARGUS_FLOW_STATUS_INTERVAL used by the collection of argus data sources in
the input data stream, as well as any time drift that may exist amoung
argus data pro- cessin elements. When there is good time sync, and with an
ARGUS_FLOW_STATUS_INTERVAL of 5 seconds, appropriate secs values are
between 5-15 seconds.
  http://qosient.com/argus/man/man1/rabins.1.pdf

Cheers,

Jesse


On Thu, Jan 31, 2013 at 12:55 PM, James A. Robinson
<jim.robinson at gmail.com>wrote:

> On Thu, Jan 31, 2013 at 8:22 AM, Carter Bullard <carter at qosient.com>
> wrote:
> > Hmmm, my fault, I left out the -B option.  Try adding a -B 10s, assuming
> > your argus record status time is 5-10 seconds ?
>
> I'm sorry for what may be silly question, but what does -B do?  I've worked
> through the manpages to break down your example, and I don't see -B listed
> in either ra(1) or rabins(1), is there a 3rd manpage I ought to be
> referring to?
>
> Jim
>
> Example #1:
>
> rabins -S localhost:9601 -B 10s -M time 1m -m saddr/24 daddr/24 -w - - tcp
> and port 80 | \
>
>   rasort -m trans -N 25 -s stime dur trans saddr dir daddr spkts dpkts
> sbytes dbytes
>
> rabins -- reads argus data from a source and adjust the data so that
> it is aligned into a set of bins, or slots.
>
>   -S localhost:9601 -- read from the specified remote source
>   -B 10s            -- ?record status time option of some sort?
>   -M time 1m        -- split into 1 minute bins
>   -m saddr/24       -- aggregate on source address class C network
>   -w -              -- stream output data to stdout
>   - tcp and port 80 -- only aggregate TCP packets arriving on port 80
>
> rasort -- sort argus data
>
>   -m trans -- sort by aggreation record count
>   -N 25    -- process the first 25 records
>   -s stime dur tran saddr dir daddr spkts dkpts sbytes dbytes
>            -- report output fields
>
>


-- 
Jesse Bowling
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130131/8637dcf0/attachment.html>

More information about the argus mailing list