[ARGUS] Count flows
carter at qosient.com
Fri May 1 14:29:01 EDT 2020
OK !!!! You will want to use racluster.1 to aggregate records based on transport protocol port numbers, regardless of direction.
racluster -M rmon -m proto sport -r argus.flow.file -w - - ip | rasort -Xm trans -s proto:12 sport trans
The trick is to use the “-M rmon” mode. This is a weird option, but since we are interested in a flow attribute without direction, we need to modify the records to have 1-tuple flows.
OK, “-M rmon” gets rid of direction and puts our flow key object in the source objects, so we’ll aggregate on the protocol and source port. That's all you need to do.
Now, use the -X option to get rid of .rarc features of the ra* programs, and sort on the “trans” field; this field is the aggregation count (how many records were used to create this flow).
But wait … there’s more … if your argus.flow.file is the result of an aggregation, you will need to get rid of the aggregation counters before you run racluster.1, or you will get double counting … so strip out the ‘agr’ dsr.
racluster -M rmon dsrs="-agr" -m proto sport -r argus.flow.file -w - - ip | rasort -Xm trans -s proto:12 sport trans
And then, if you are interested in flow counts, not flow record counts (since argus can have multiple records per flow), you will want to aggregate your argus.flow.file before you begin:
racluster -r argus.flow.file -w - - ip | racluster -XM rmon dsrs="-agr" -m proto sport -w - | rasort -Xm trans -s proto:12 sport trans
And finally, since ports are mostly relevant for udp and tcp traffic, you may want to replace the “- ip” filter with “- udp or tcp”.
racluster -r argus.flow.file -w - - udp or tcp | racluster -XM rmon -M dsrs="-agr" -m proto sport -w - | rasort -Xm trans -s proto sport trans
There you go ...
Carter Bullard <carter at qosient.com> • Founder / CEO
150 E 57th Street, Suite 12D
New York, New York 10022-2795
Phone +1.212.588.9133 • Mobile +1.917.497.9494
> On May 1, 2020, at 1:52 PM, Patrick Forsberg <fors at chalmers.se> wrote:
> I would like to be able to easily find out which ip or port generates
> the largest number of flows.
> It's easy enough to get this for packets or bytes, but I haven't found
> how to do it for flows.
> The following gives me a nice list of the src ports generating the most
> traffic packet wise, but not flow wise.
> racluster -M rmon -m proto sport -r somefile.ra -w - | rasort -m pkts -r -
> Patrick Forsberg
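The three steps in Carter's pipeline (merge multiple records per flow, then count each flow once per port regardless of direction, then sort on the aggregation count) can be hard to picture from the command line alone. The following is an added example, not argus code and not part of the original thread: it models the same steps in Python over a handful of constructed flow records. The record layout, the `strip_agr` switch standing in for `dsrs="-agr"`, and the descending sort order are assumptions made for the illustration.

```python
"""Direction-agnostic flow counting, modelled on the racluster -M rmon pipeline.

Added example: not argus code. Records, field names and sort order are assumptions.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class FlowRecord(NamedTuple):
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    pkts: int
    trans: int  # aggregation counter (argus 'agr' DSR); 1 for an unaggregated record


# Constructed sample: one flow split across two records (argus writes a record per
# status interval), one flow observed with the server as the source, and an ICMP flow.
SAMPLE_RECORDS: List[FlowRecord] = [
    FlowRecord("tcp", "10.0.0.5", 51000, "192.0.2.10", 443, 12, 1),
    FlowRecord("tcp", "10.0.0.5", 51000, "192.0.2.10", 443, 30, 1),  # 2nd record, same flow
    FlowRecord("tcp", "10.0.0.6", 51001, "192.0.2.10", 443, 5, 1),
    FlowRecord("tcp", "192.0.2.10", 443, "10.0.0.7", 51002, 7, 1),  # server seen as source
    FlowRecord("udp", "10.0.0.5", 40000, "192.0.2.53", 53, 2, 1),
    FlowRecord("udp", "10.0.0.8", 40001, "192.0.2.53", 53, 1, 1),
    FlowRecord("icmp", "10.0.0.5", 0, "192.0.2.1", 0, 4, 1),
]

PortKey = Tuple[str, int]


def five_tuple_key(r: FlowRecord):
    """Canonical, direction-insensitive 5-tuple: what the first racluster pass keys on."""
    a, b = (r.saddr, r.sport), (r.daddr, r.dport)
    if a > b:
        a, b = b, a
    return (r.proto, a, b)


def merge_records(records: List[FlowRecord]) -> List[FlowRecord]:
    """Step 1 (`racluster -r argus.flow.file`): collapse several records of one flow
    into a single flow. pkts are summed and trans becomes the number of records merged."""
    merged: Dict[tuple, FlowRecord] = {}
    for r in records:
        k = five_tuple_key(r)
        if k in merged:
            m = merged[k]
            merged[k] = m._replace(pkts=m.pkts + r.pkts, trans=m.trans + r.trans)
        else:
            merged[k] = r
    return list(merged.values())


def rmon_port_counts(flows: List[FlowRecord], protos=("tcp", "udp"),
                     strip_agr: bool = True) -> Counter:
    """Step 2 (`racluster -M rmon -m proto sport`): every flow contributes once for its
    source port and once for its destination port, so the key is a 1-tuple with no
    direction. strip_agr mirrors dsrs="-agr": count one per flow rather than summing the
    per-flow 'trans' counters, which would double count an already aggregated file."""
    counts: Counter = Counter()
    for f in flows:
        if f.proto not in protos:  # the "udp or tcp" filter from the last command
            continue
        weight = 1 if strip_agr else f.trans
        counts[(f.proto, f.sport)] += weight
        counts[(f.proto, f.dport)] += weight
    return counts


def top_ports(records: List[FlowRecord], n: int = 5,
              strip_agr: bool = True) -> List[Tuple[PortKey, int]]:
    """Full pipeline: merge -> rmon aggregate -> order by trans (assumed descending here,
    the role `rasort -m trans` plays in the thread)."""
    counts = rmon_port_counts(merge_records(records), strip_agr=strip_agr)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for (proto, port), flows in top_ports(SAMPLE_RECORDS):
        print(f"{proto:<5} {port:>6} {flows:>4}")
```

Running it with `strip_agr=False` on the merged records reproduces the double counting Carter warns about: the two records of the first TCP flow make port 443 count 4 instead of 3, because the merged flow's `trans` counter is summed instead of the flow being counted once.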