ratop to display foreign countries
Carter Bullard
carter at qosient.com
Sun Oct 26 11:44:34 EDT 2014
Hey Monah,
Once you get all of that going, you can do quite a bit with country codes.
You can aggregate on them, so that you are watching countries instead
of IP addresses. You can sort on them, which will be an alphabetic sort,
you can print them, of course, filter them on input, display and output,
and if you have color support turned on for ratop, you can have different
colors of rows, based on country code.
Aggregation involves specifying the aggregation model using the “-m”
option on the command line, or the “:m” option in ratop. Sorting is specified
in the .rarc file using RA_SORT_ALGORITHMS, or using the “:P” option in
ratop. Print the country codes using RA_FIELD_SPECIFIER, or the “-s”
option on the command line, or “:s” in ratop.
For color support, things like this work:
In your .rarc file:
RA_COLOR_SUPPORT="yes"
RA_COLOR_CONFIG=/Users/carter/.racolor.conf
And in the .racolor.conf file:
filter="src co us" color="saddr:BLUE" cont
filter="dst co us" color="daddr:BLUE" cont
filter="src co cn" color="saddr:RED+DIM" cont
filter="dst co cn" color="daddr:RED+DIM" cont
If any of this is interesting, and you need assistance, send email !!!
Carter
> On Oct 24, 2014, at 11:06 PM, David Edelman <dedelman at iname.com> wrote:
>
> Monah,
>
> In addition to the information that Carter provided, if you want to display only those flows that have a source or destination of a specific set of countries then you can filter for those country codes using co as the filter. In my case I use radium to do the labeling and it uses port 561 to feed its output to clients who specify -S localhost:561 to read that labeled flow information. I can then use
>
> ratop -S localhost:561 - co CN or RU or US
>
> Which will limit the display to only those flows where one or both of the peers have a country code (co) of China, Russia, or the United States. I can specify src co or dst co to specify flows where the source or the destination of the flow is a specific country or set of countries. As with the other filter expressions you can use negation - not co US will show flows where neither peer is registered in the US.
> The country codes are the ISO two-character codes and Wikipedia has them all listed http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2 Please note that the filter must be specified after all of the other command line arguments and that the syntax is <space> -<space> filter expression where the isolated - indicates the end of the command line arguments and the start of the filter.
>
> —Dave
>
> From: Monah Baki <monahbaki at gmail.com>
> Date: Friday, October 24, 2014 at 12:51 PM
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Subject: [ARGUS] ratop to display foreign countries
>
> Hi all,
>
> Is there a way in ratop to display only certain countries (China, Russia etc)
>
>
> Thanks
> Monah
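
The two pieces described in this thread, the .racolor.conf rules and the co filter placed after the isolated "-", can be generated from one watch list so they stay in sync. This is an added example, not part of the original messages or of the Argus distribution; the function names are hypothetical, and the country-code check verifies only the two-letter shape, not ISO membership.

```shell
#!/bin/sh
# Added example: build .racolor.conf rules and a ratop country filter from one
# watch list, using only the syntax shown in this thread. Function names are
# hypothetical helpers, not Argus commands.

# Accept only a two-letter code (shape check, not an ISO 3166-1 lookup).
valid_cc() {
    case "$1" in
        [A-Za-z][A-Za-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# color_rules cc:COLOR ... -> src/dst rule pairs in the .racolor.conf form.
# Codes are lower-cased, as in the rules quoted in the message above.
color_rules() {
    for entry in "$@"; do
        cc=${entry%%:*}
        color=${entry#*:}
        if ! valid_cc "$cc" || [ "$cc" = "$entry" ] || [ -z "$color" ]; then
            echo "skipping malformed entry: $entry" >&2
            continue
        fi
        lc=$(printf '%s' "$cc" | tr '[:upper:]' '[:lower:]')
        printf 'filter="src co %s" color="saddr:%s" cont\n' "$lc" "$color"
        printf 'filter="dst co %s" color="daddr:%s" cont\n' "$lc" "$color"
    done
}

# country_filter CC ... -> "co CN or RU or US", the expression that goes after
# the isolated "-". Fails on any malformed code instead of passing it through.
country_filter() {
    expr=""
    for cc in "$@"; do
        valid_cc "$cc" || { echo "bad country code: $cc" >&2; return 1; }
        uc=$(printf '%s' "$cc" | tr '[:lower:]' '[:upper:]')
        if [ -z "$expr" ]; then expr="co $uc"; else expr="$expr or $uc"; fi
    done
    [ -n "$expr" ] || return 1
    printf '%s\n' "$expr"
}

# Constructed sample watch list; colors are the ones used in the thread.
color_rules us:BLUE cn:RED+DIM
# Only prints the command line; it does not start ratop.
echo "ratop -S localhost:561 - $(country_filter cn ru us)"
```

Redirect the output of color_rules to the file named by RA_COLOR_CONFIG to use the generated rules.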