Jesper Skou Jensen via Argus-info
argus-info at lists.andrew.cmu.edu
Tue Nov 10 03:25:19 EST 2015
Hi,

You might want to try something like:
racluster -m saddr -M rmon -r INPUT-ARGUS-FILE -w- | rasort -m bytes -s stime saddr spkts dpkts sbytes dbytes |head -30
racluster -m daddr -M rmon -r INPUT-ARGUS-FILE -w- | rasort -m bytes -s dtime saddr spkts dpkts sbytes dbytes |head -30
And play a bit with the arguments.
The above commands show you the 30 most active IPs on your network, sorted by bytes. That ought to point you in the right direction.
Like Harry mentioned, you can also apply the -t option to look at specific logs within a given timeframe.
PS: You ought to have a NAT log for stuff like this. That way you would be able to match the sessions without having to jump through hoops...
Jesper Skou Jensen
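As an added illustration of the approach in the reply above (cluster per address, sort by bytes, take the top N, then apply a volume threshold), here is a small Python script that does the same aggregation over flow records exported as comma-separated text. It is not part of the original post and not an Argus tool; it assumes the records were dumped with a header line and the fields stime, saddr, daddr, sbytes, dbytes (roughly what ra's "-c ," output looks like), and the sample lines are constructed, not real capture data. It also shows why the per-host sum, not the per-flow size, is what answers the "> 700MB" question: a BitTorrent download is spread over many peers, so no single flow has to be large.

```python
"""Top talkers and large-download filter over exported Argus flow records.

Added example, not code from the mailing-list thread. Assumes a CSV dump
with a header line and at least these fields: stime saddr daddr sbytes dbytes
(sbytes = bytes sent by saddr, dbytes = bytes sent back by daddr, i.e. the
"download" direction for an internal client). The sample below is constructed.
"""
import csv
from collections import defaultdict
from io import StringIO

MIB = 1024 * 1024
DEFAULT_THRESHOLD = 700 * MIB  # the 700 MB asked about in the thread

# Constructed sample: 10.0.0.5 downloads 800 MiB split over three peers,
# 10.0.0.9 downloads 750 MiB in one flow, 10.0.0.7 is a light user.
SAMPLE = """stime,saddr,daddr,sbytes,dbytes
1447141200.0,10.0.0.5,198.51.100.10,1500000,314572800
1447141260.0,10.0.0.5,203.0.113.20,1200000,314572800
1447141300.0,10.0.0.5,192.0.2.30,900000,209715200
1447141320.0,10.0.0.7,198.51.100.40,20000,52428800
1447141400.0,10.0.0.9,203.0.113.50,3000000,786432000
1447141500.0,10.0.0.7,192.0.2.60,10000,10485760
"""


def parse_flows(text):
    """Parse the CSV dump into a list of dicts with integer byte counts."""
    flows = []
    for row in csv.DictReader(StringIO(text)):
        flows.append({
            "stime": float(row["stime"]),
            "saddr": row["saddr"],
            "daddr": row["daddr"],
            "sbytes": int(row["sbytes"]),
            "dbytes": int(row["dbytes"]),
        })
    return flows


def in_window(flows, start, end):
    """Equivalent of ra's -t option: keep flows whose stime lies in [start, end)."""
    return [f for f in flows if start <= f["stime"] < end]


def top_talkers(flows, key="saddr", n=30):
    """Equivalent of 'racluster -m <key> | rasort -m bytes | head -n':
    total bytes in both directions per address, highest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[f[key]] += f["sbytes"] + f["dbytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def downloads_per_host(flows):
    """Bytes received per internal client (sum of dbytes grouped by saddr)."""
    received = defaultdict(int)
    for f in flows:
        received[f["saddr"]] += f["dbytes"]
    return sorted(received.items(), key=lambda kv: kv[1], reverse=True)


def large_downloads(flows, threshold=DEFAULT_THRESHOLD):
    """Hosts whose total received bytes exceed the threshold."""
    return [(host, b) for host, b in downloads_per_host(flows) if b > threshold]


def large_flows(flows, threshold=DEFAULT_THRESHOLD):
    """Single flows over the threshold: misses downloads spread over many peers."""
    return [f for f in flows if f["dbytes"] > threshold]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("Top talkers by total bytes:")
    for host, total in top_talkers(flows, n=30):
        print(f"  {host:15} {total / MIB:10.1f} MiB")
    print("Hosts that downloaded more than 700 MiB:")
    for host, total in large_downloads(flows):
        print(f"  {host:15} {total / MIB:10.1f} MiB")
    print("Individual flows over 700 MiB:")
    for f in large_flows(flows):
        print(f"  {f['saddr']} <- {f['daddr']} {f['dbytes'] / MIB:.1f} MiB")
```

On the constructed sample, the per-flow filter reports only 10.0.0.9, while the per-host sum also catches 10.0.0.5, whose 800 MiB arrived in three pieces from three peers. Running this over a daily 9 GB archive would mean streaming the dump rather than loading it into memory, but the grouping logic is the same as the racluster/rasort pipeline.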
From: Argus-info [mailto:argus-info-bounces+jesper.skou.jensen=statens-it.dk at lists.andrew.cmu.edu] On behalf of Monah Baki via Argus-info
Sent: 10 November 2015 04:44
To: Harry Hoffman
Subject: Re: [ARGUS] Detecting BitTorrent
We are running Argus off a SPAN port monitoring our internal core switches, so we do see our internal IP flows.
Is there a way to just display downloads > 700MB?
Our logs are rotated on a daily basis, so we are looking at a 9GB file.