rabins, ragraph and aggregation of protocols

Carter Bullard carter at qosient.com
Tue Feb 11 12:47:14 EST 2014

Hey Jesper,
rabins() is a generic argus data aggregator, so it can be configured with
a racluster() configuration file, using the -f option.  When using the -f
option, it should override any “-m fields” command line option you may be
using, but better to not use the “-m fields” and the “-f racluster.conf”
option to remove any confusion.

With this as an example racluster.conf, and you can get away with just
graphing the ip traffic, you should be able to get what you want:

filter="tcp"    model="srcid proto"  status=0   idle=0
filter="udp"    model="srcid proto"  status=0   idle=0
filter=""       model="srcid "       status=0   idle=0

With this you can use ragraph to graph the "proto" object, and
you’ll get tcp, udp and ip for the graph.

   ragraph sbytes dbytes proto -M time 1d -f racluster.conf …… - ip

If instead, you need the non-ip traffic to be included in your aggregate,
then you can use this type of racluster.conf file:

filter="tcp"    model="srcid proto"  status=0   idle=0 label="tcp"
filter="udp"    model="srcid proto"  status=0   idle=0 label="udp"
filter=""       model="srcid "       status=0   idle=0 label="misc"

When using this approach, if you are using labels as a part of your
collection infrastructure, be sure and add a -M dsrs="-label" to
your rabins() call, so that your output only has the single named labels.

Now graph the label as the object.  This may require an update to ragraph(), so try
the one I’ve included below.  Should work fine, but if you have any problems,
don’t hesitate.

   ragraph sbytes dbytes label -M time 1d dsrs="-label" -f racluster.conf ….


-------------- next part --------------
A non-text attachment was scrubbed...
Name: ragraph.pl
Type: text/x-perl-script
Size: 63517 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140211/b202ec9b/attachment.bin>
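As an added illustration (not argus code, and not the ragraph.pl attached above), here is a small Python emulation of what the second racluster.conf does to flow records: it parses the filter/model/label lines, applies the first filter that matches, and sums bytes per label and model fields. It assumes first-match rule semantics and only handles bare protocol-name filters; the flow records are constructed.

```python
import re
from collections import defaultdict
# The second racluster.conf from the mail, with straight quotes.
RACLUSTER_CONF = '''
filter="tcp"    model="srcid proto"  status=0   idle=0 label="tcp"
filter="udp"    model="srcid proto"  status=0   idle=0 label="udp"
filter=""       model="srcid "       status=0   idle=0 label="misc"
'''

# Constructed flow records standing in for the rabins input (-r input.ra).
SAMPLE_FLOWS = [
    {"srcid": "sensor1", "proto": "tcp",  "sbytes": 100, "dbytes": 200},
    {"srcid": "sensor1", "proto": "tcp",  "sbytes": 50,  "dbytes": 25},
    {"srcid": "sensor1", "proto": "udp",  "sbytes": 10,  "dbytes": 20},
    {"srcid": "sensor1", "proto": "icmp", "sbytes": 5,   "dbytes": 5},
    {"srcid": "sensor1", "proto": "esp",  "sbytes": 7,   "dbytes": 3},
    {"srcid": "sensor1", "proto": "llc",  "sbytes": 1,   "dbytes": 0},
]
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key="quoted" or key=bare

def parse_racluster_conf(text):
    """Turn each non-empty line into a rule: filter, model field list, label."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kv = {k: v.strip('"') for k, v in PAIR_RE.findall(line)}
        rules.append({"filter": kv.get("filter", ""),
                      "model": kv.get("model", "").split(),
                      "label": kv.get("label")})
    return rules

def matches(flt, flow):
    # Assumption: only "" (match all) and a bare proto name; real filters are richer.
    return flt == "" or flow["proto"] == flt

def aggregate(flows, rules):
    """First matching rule wins; totals are keyed by label + model field values."""
    bins = defaultdict(lambda: {"sbytes": 0, "dbytes": 0})
    for flow in flows:
        rule = next((r for r in rules if matches(r["filter"], flow)), None)
        if rule is None:
            continue
        # Any label already on the record is ignored; on a real rabins run -M dsrs=-label drops it.
        key = (rule["label"],) + tuple(flow[f] for f in rule["model"])
        bins[key]["sbytes"] += flow["sbytes"]
        bins[key]["dbytes"] += flow["dbytes"]
    return dict(bins)
```

With the sample flows, everything that is neither tcp nor udp (icmp, esp, llc) lands in the single "misc" bin, which is the combined series ragraph would plot.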
-------------- next part --------------

On Feb 11, 2014, at 9:24 AM, Jesper Skou Jensen <jesper.skou.jensen at uni-c.dk> wrote:

> Hi guys,
> I'm using rabins and ragraph to create some nice PNG graphs and I would like to be able to show only specific protocols and aggregate the rest into one.
> At the moment I use "rabins proto pkts -M 1s -r input.ra -w output.rabins" to create rabins files every time I rotate my files and then later on I trawl those rabins files with ragraph and create the PNG graphs.
> The .rabins files contain tcp, udp, esp, icmp, llc and various other protocols and when I create the PNG graphs they are shown in various colors.
> I would like to keep tcp, udp and aggregate the rest into a combined misc bin. Is that possible? As in to show tcp as green, udp as blue and misc as grey, or something like that.
> --
> Regards
> Jesper

