grouping incoming http requests by subnet?

Carter Bullard carter at qosient.com
Thu Jan 31 13:48:02 EST 2013


Hey Jim,
The -B option specifies a time buffer for time aligning input records.
In this case, it's telling rabins() that after however many seconds, you can assume no more input is coming for that time range. So it shouldn't have to wait for EOF before processing the binned caches.

It's a way of telling rabins() that the input stream is somewhat sorted.

Without the -B, rabins() just aligns the input records to the bin structures, processes the input (default is to aggregate) and holds the bin structures in memory until the input is finished, and it can just belch out its caches.

With the -B option, you're telling rabins() that the data is quasi-sorted, and that the longest period of 'out of order' is so many seconds. Rabins() knows then that it can process and shift a given time bin out of memory, because that bin's input is done.

Is that helpful ?

Carter

On Jan 31, 2013, at 12:55 PM, "James A. Robinson" <jim.robinson at gmail.com> wrote:

> On Thu, Jan 31, 2013 at 8:22 AM, Carter Bullard <carter at qosient.com> wrote:
> > Hmmm, my fault, I left out the -B option.  Try adding a -B 10s, assuming
> > your argus record status time is 5-10 seconds ?
> 
> I'm sorry for what may be a silly question, but what does -B do?  I've worked
> through the manpages to break down your example, and I don't see -B listed
> in either ra(1) or rabins(1), is there a 3rd manpage I ought to be referring to?
> 
> Jim
> 
> Example #1:
> 
> rabins -S localhost:9601 -B 10s -M time 1m -m saddr/24 daddr/24 -w - - tcp and port 80 | \
>   rasort -m trans -N 25 -s stime dur trans saddr dir daddr spkts dpkts sbytes dbytes
> 
> rabins -- reads argus data from a source and adjust the data so that
> it is aligned into a set of bins, or slots.
> 
>   -S localhost:9601 -- read from the specified remote source
>   -B 10s            -- ?record status time option of some sort?
>   -M time 1m        -- split into 1 minute bins
>   -m saddr/24       -- aggregate on source address class C network
>   -w -              -- stream output data to stdout
>   - tcp and port 80 -- only aggregate TCP packets arriving on port 80
> 
> rasort -- sort argus data
> 
>   -m trans -- sort by aggregation record count
>   -N 25    -- process the first 25 records
>   -s stime dur trans saddr dir daddr spkts dpkts sbytes dbytes
>            -- report output fields
> 
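The buffering behaviour Carter describes, as an added example that is not argus or rabins code: a small Python model of time-bin aggregation over a stream that is only "quasi-sorted". With no buffer (the no -B case) every bin stays in memory until end of input; with a buffer of B seconds, a bin is emitted as soon as the newest record seen is more than B seconds past the end of that bin. The record layout, the names BinAggregator, run and RECORDS, and the sample records are all constructed for this example; the aggregation key mirrors the "-m saddr/24 daddr/24" example above. In this model a record that shows up for a bin that has already been emitted is counted as dropped, which is the trade-off to check when picking B: it must cover the real out-of-order lag of your sensor feed, or late records are lost.

```python
"""Model of time-binned aggregation with a lateness buffer (a simplified
analogue of rabins -B). Constructed example, not argus code."""
import ipaddress
from collections import defaultdict

BIN_SECONDS = 60  # "-M time 1m"


def subnet24(addr):
    """Collapse an IPv4 address to its /24 network, like the saddr/24 aggregation key."""
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


class BinAggregator:
    """Aggregates records into fixed time bins and flushes bins once they are
    provably complete given a maximum out-of-order lag (buffer_seconds).
    buffer_seconds=None models running without -B: hold everything until EOF."""

    def __init__(self, bin_seconds=BIN_SECONDS, buffer_seconds=None):
        self.bin_seconds = bin_seconds
        self.buffer_seconds = buffer_seconds
        self.bins = defaultdict(lambda: defaultdict(int))  # bin_start -> key -> record count
        self.latest_stime = None   # newest start time seen so far on the stream
        self.flushed = []          # (bin_start, {key: count}) in emission order
        self.closed = set()        # bin starts already emitted
        self.dropped = 0           # records that arrived after their bin was emitted

    @staticmethod
    def key_for(rec):
        return (subnet24(rec["saddr"]), subnet24(rec["daddr"]))

    def push(self, rec):
        stime = rec["stime"]
        bin_start = stime - stime % self.bin_seconds
        if bin_start in self.closed:
            # Arrived more than buffer_seconds out of order: its bin is gone.
            self.dropped += 1
            return
        self.bins[bin_start][self.key_for(rec)] += 1
        self.latest_stime = stime if self.latest_stime is None else max(self.latest_stime, stime)
        self._flush_ready()

    def _flush_ready(self):
        """Emit every bin whose end lies more than buffer_seconds behind the newest record."""
        if self.buffer_seconds is None:
            return  # no -B: nothing leaves memory before EOF
        watermark = self.latest_stime - self.buffer_seconds
        for bin_start in sorted(self.bins):
            if bin_start + self.bin_seconds > watermark:
                break  # this bin (and all later ones) may still receive input
            self._emit(bin_start)

    def _emit(self, bin_start):
        self.flushed.append((bin_start, dict(self.bins.pop(bin_start))))
        self.closed.add(bin_start)

    def finish(self):
        """EOF: emit whatever is still held, oldest bin first."""
        for bin_start in sorted(self.bins):
            self._emit(bin_start)
        return self.flushed


# Constructed sample stream: stime in seconds, deliberately out of order.
RECORDS = [
    {"stime": 0,   "saddr": "10.0.1.5", "daddr": "192.0.2.10"},
    {"stime": 30,  "saddr": "10.0.1.9", "daddr": "192.0.2.20"},
    {"stime": 65,  "saddr": "10.0.2.7", "daddr": "192.0.2.10"},
    {"stime": 58,  "saddr": "10.0.1.3", "daddr": "192.0.2.10"},  # 7 s late, still within -B 10s
    {"stime": 130, "saddr": "10.0.2.8", "daddr": "192.0.2.10"},
    {"stime": 50,  "saddr": "10.0.1.4", "daddr": "192.0.2.10"},  # 80 s late: bin 0 already emitted with -B 10s
    {"stime": 190, "saddr": "10.0.3.1", "daddr": "192.0.2.30"},
]


def run(records, buffer_seconds=None):
    """Feed the stream through an aggregator; report how many bins left memory
    before EOF and how many late records could not be counted."""
    agg = BinAggregator(buffer_seconds=buffer_seconds)
    for rec in records:
        agg.push(rec)
    early = len(agg.flushed)
    agg.finish()
    return {"bins": dict(agg.flushed), "early_flushes": early, "dropped": agg.dropped}


if __name__ == "__main__":
    for label, b in (("no -B", None), ("-B 10s", 10)):
        res = run(RECORDS, b)
        print(label, "early_flushes =", res["early_flushes"], "dropped =", res["dropped"])
        for start, counts in sorted(res["bins"].items()):
            print("  bin", start, dict(counts))
```

Running it with no buffer shows every bin held until EOF and all seven records counted; with a 10 s buffer three of the four bins are emitted while input is still arriving, and the record that is 80 s out of order is lost because its bin was already closed. The same check applies to the real pipeline: if the feed's status interval or reordering exceeds the -B value, look for a shortfall in record counts per bin rather than assuming the output is complete.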