Detecting BitTorrent

Jesper Skou Jensen via Argus-info argus-info at lists.andrew.cmu.edu
Tue Nov 10 03:25:19 EST 2015


Hi

You might want to try something like:

racluster -m saddr -M rmon -r INPUT-ARGUS-FILE -w- | rasort -m bytes -s stime saddr spkts dpkts sbytes dbytes |head -30

racluster -m daddr -M rmon -r INPUT-ARGUS-FILE -w- | rasort -m bytes -s dtime saddr spkts dpkts sbytes dbytes |head -30

And play a bit with the arguments.

The above commands show you the 30 most active IPs on your network, sorted by bytes. That ought to point you in the right direction.

Like Harry mentioned you can also apply the -t option, to look at specific logs within a given timeframe.

PS. You ought to have a NAT log for stuff like this. That way you would be able to match the sessions without having to jump through hoops...


Best regards
Jesper Skou Jensen
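As an added illustration of the "downloads > 700MB" question (this is not part of the thread and not argus code), the snippet below post-processes text output in the field order used by the commands above (stime, address, spkts, dpkts, sbytes, dbytes): it sums dbytes per address with awk and prints only the addresses whose total exceeds a threshold. The input rows are constructed sample data, not real argus output, and the assumption is that the listing is whitespace-separated with the clustered address in column 2 and dbytes in column 6.

```shell
#!/bin/sh
# Added example, not from the argus mailing-list thread.
# Assumes a whitespace-separated listing with the columns
#   stime address spkts dpkts sbytes dbytes
# e.g. what rasort/ra print with "-s stime saddr spkts dpkts sbytes dbytes".

# 700 MB expressed in bytes (700 * 1024 * 1024).
THRESHOLD_BYTES=$((700 * 1024 * 1024))   # 734003200

# Constructed sample rows (stime address spkts dpkts sbytes dbytes).
# 10.1.2.3 appears twice to show that per-address totals are summed.
sample_records() {
  cat <<'EOF'
2015-11-09T10:00:01 10.1.2.3 120000 90000 6000000 900000000
2015-11-09T10:05:17 10.1.2.4 4000 3000 200000 1500000
2015-11-09T11:22:03 10.1.2.3 80000 60000 4000000 300000000
2015-11-09T12:00:00 10.1.2.5 500000 400000 25000000 950000000
EOF
}

# Read rows on stdin, sum dbytes (column 6) per address (column 2),
# and print "address total" for every address above the limit in $1.
heavy_receivers() {
  awk -v limit="$1" '
    { total[$2] += $6 }
    END {
      for (a in total)
        if (total[a] > limit) printf "%s %d\n", a, total[a]
    }' | sort
}

# Usage: pipe a listing in, e.g. a real one would be
#   racluster -m daddr -M rmon -r FILE -w- | ra -r - -s stime saddr spkts dpkts sbytes dbytes | heavy_receivers "$THRESHOLD_BYTES"
sample_records | heavy_receivers "$THRESHOLD_BYTES"
```

With the sample rows this prints 10.1.2.3 (1.2 GB in total) and 10.1.2.5 (950 MB); 10.1.2.4 stays below the limit. Pass a different byte count as the argument to change the cut-off.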


-----Original message-----
From: Argus-info [mailto:argus-info-bounces+jesper.skou.jensen=statens-it.dk at lists.andrew.cmu.edu] On behalf of Monah Baki via Argus-info
Sent: 10 November 2015 04:44
To: Harry Hoffman
Cc: Argus
Subject: Re: [ARGUS] Detecting BitTorrent

Hi Harry,

We are running Argus off a span port monitoring our internal core
switches, so we do see our internal IP flows.

Is there a way to just display downloads > 700MB??

Our logs are rotated on a daily basis, so we are looking at a 9GB size file

Thanks
Monah


