Argus Development mailing list - Real Time Flow Monitor (RTFM) for comprehensive IP network traffic auditing

Carter Bullard | 1 Jun 2003 20:17

RE: filter expressions and flows

Hey Jose,
   Sorry for the delay in responding!  The filters do
have a personality of their own, but the rules are pretty
simple.  Since the starting base for the filter compiler
was tcpdump, there are a lot of similarities, but the
ra* programs have a different abstraction to work with,
so there are some real differences.

   The filter expression "host x.y.z.w" implies "ip host
x.y.z.w", that is why "arp and host x.y.z.w" is going to
give you an expression error.  But "arp host x.y.z.w"
is stating that you want the host value returned in an
arp request, so the and is ok!

   The filter wants to fill in the blanks, if any are
left out, such as "host x.y.z.w".  What kind of host?
protocol? version?  Without this info, it has to fill
in the blanks.  Now the error "ip proto tcp" comes from
the fact that "tcp" generates "ip proto tcp" in the
lexical analyzer, which then generates "ip proto ip proto
tcp".  This should be fixed, but since tcpdump generates
the same error here, suggests that there is a fundamental
problem with the compiler strategy.  But I'll look into
it.

You ask,

> It seems that using the host particle alone is the same as 
> "ip host" and
> again this is different from tcpdump.

(Continue reading)

Andrew Pollock | 5 Jun 2003 03:40

Picon

Me and my usual questions

Hi,

I'm the never ending purgatory that is my life, I'm trying to make Argus 
produce consistently sensible data, and as usual, failing miserably.

I'm going to go back to square one:

We have a network topology like this:

              LB        LB
               |         |
            +--------------+
            |              |
Argus ------| Switch       |
            |              |
            +--------------+
             | | | | | | | 
             |     |   |
           Client  | Client  
               Client

We have a switch, to which two load balancers are attached (one being 
active at any point in time) and we have our clients connected to the 
switch as well. Argus is running on a server plugged into a port on the 
switch that spans the two ports that the load balancers are plugged into.

Each client has a /24 of their own, with the exception of a couple of 
clients that have a single /32

Today's focus is one of the clients that have just a /32

(Continue reading)

Carter Bullard | 5 Jun 2003 17:21

RE: Me and my usual questions

Hey Andrew,
   So how do they differ?  are the totals the same
but the src and dst counters mixed, or is one low?
They should all count the same total pkts and bytes.

Carter

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu 
> [mailto:owner-argus-info <at> lists.andrew.cmu.edu] On Behalf Of 
> Andrew Pollock
> Sent: Wednesday, June 04, 2003 9:40 PM
> To: argus-info <at> lists.andrew.cmu.edu
> Subject: Me and my usual questions
> 
> 
> Hi,
> 
> I'm the never ending purgatory that is my life, I'm trying to 
> make Argus 
> produce consistently sensible data, and as usual, failing miserably.
> 
> I'm going to go back to square one:
> 
> We have a network topology like this:
> 
>               LB        LB
>                |         |
>             +--------------+
>             |              |

(Continue reading)

Carter Bullard | 5 Jun 2003 17:23

RE: Me and my usual questions

Andrew,
   Svc only counts udp and tcp traffic, as you have
to have a port to do the svc counting.  Try your ramon
calls with the "tcp or udp" filter to verify.

Carter

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu 
> [mailto:owner-argus-info <at> lists.andrew.cmu.edu] On Behalf Of 
> Andrew Pollock
> Sent: Wednesday, June 04, 2003 9:40 PM
> To: argus-info <at> lists.andrew.cmu.edu
> Subject: Me and my usual questions
> 
> 
> Hi,
> 
> I'm the never ending purgatory that is my life, I'm trying to 
> make Argus 
> produce consistently sensible data, and as usual, failing miserably.
> 
> I'm going to go back to square one:
> 
> We have a network topology like this:
> 
>               LB        LB
>                |         |
>             +--------------+
>             |              |

(Continue reading)

Andrew Pollock | 6 Jun 2003 11:04

Picon

Re: Me and my usual questions

On Thu, Jun 05, 2003 at 11:23:08AM -0400, Carter Bullard wrote:
> Andrew,
>    Svc only counts udp and tcp traffic, as you have
> to have a port to do the svc counting.  Try your ramon
> calls with the "tcp or udp" filter to verify.

Carter,

If you look at the original message I am using "tcp or udp and host blah". 
Is this correct, or do I need to use some parenthesis?

Andrew

Russell Fulton | 6 Jun 2003 11:44

Picon

Picon

Re: Me and my usual questions

On Fri, 2003-06-06 at 21:04, Andrew Pollock wrote:
> On Thu, Jun 05, 2003 at 11:23:08AM -0400, Carter Bullard wrote:
> > Andrew,
> >    Svc only counts udp and tcp traffic, as you have
> > to have a port to do the svc counting.  Try your ramon
> > calls with the "tcp or udp" filter to verify.
> 
> Carter,
> 
> If you look at the original message I am using "tcp or udp and host blah". 
> Is this correct, or do I need to use some parenthesis?

MY golden rule if in doubt use parenthesis!  Most boolean
implementations have and binding tighter than or so the above is
probably tcp or (udp and host blah)

--

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.

Carter Bullard | 6 Jun 2003 14:59

RE: Me and my usual questions

Hey Andrew,
  But the totals are the same?  This is probably due to
the way that src and dst are assigned in the various
tools.  The ramon tools are answering the unique
question, "what metrics apply to this interface", which
has a different concept of source and destination than
what a flow represents.

   With the "ragator | ragator | rasort | ra" you still
have the concept that the source is the first sender.  So
when conversations are originated from an external
network to your host, the packets they send will be counted
in the same counter as the packets sent by your host when 
it initiates the conversation.  Seems confusing, but the
differentiation allows for very powerful accountability.

   In order to validate this, run your "rag | rag | ras | ra"
twice, one with filter, "and src host 10.11.2.243" and then
again with "and dst host 10.11.2.243" and see how these
counters compare.  You should find out if this is where
the discrepancies lie.

Carter

   I 

> -----Original Message-----
> From: Andrew Pollock [mailto:andrew-argus <at> andrew.net.au] 
> Sent: Friday, June 06, 2003 5:02 AM
> To: Carter Bullard

(Continue reading)

Mahlon E. Smith | 7 Jun 2003 08:04

Picon

Recommendations for monthly totals?


Hi everyone.

I'm new to argus, and new to the list.  I'm trying to get an automated
monthly report generated, that gives traffic accounting totals in
GB on a per IP basis.  Essentially, your run of the mill hosting
setup that needs to know when customers go over their alloted bandwidth.

I'm currently using the 'argusarchive' script to organize saved data files,
and running a cronned perl script once a month that pulls the totals for
the previous month, parses the goods, and sends the totals out.  It works
just fine - with the exception of one thing.  It takes a really, really
long time to run.  This isn't a slow machine that is doing the processing,
but doing 50 IP addresses takes almost 2 hours.  Where as that isn't
completely unacceptable, I can see that isn't going to scale in the long
run.

Here's what the perl script calls for each IP:
% racount -r .../argus/archive/YEAR/MONTH/*/*.bz2 - host IPADDRESS

The only other way I can think to do this is to write a separate daemon
that opens a pipe to an 'ra -c' client, and keeps it's own totals in dbm files
or somesuch... but I'd like to avoid that if there is a better way.

How are others doing this?

Thanks for any tips provided!

-Mahlon

(Continue reading)

Mahlon E. Smith | 9 Jun 2003 07:11

Picon

Re: Recommendations for monthly totals?

On Sat, 2003-06-07 at 06:04, Mahlon E. Smith wrote: 
> The only other way I can think to do this is to write a separate daemon
> that opens a pipe to an 'ra -c' client, and keeps it's own totals in dbm files
> or somesuch... but I'd like to avoid that if there is a better way.
> 
> How are others doing this?

It was suggested to me by Neil Long to simply take samples daily, tally
them to a separate file, and just poll that file at the end of the
month.  

I went ahead and implemented this - based on speed info gleaned from how
long it takes my current IPs in use - a full class C would take about 18
minutes of processing power per night.  The monthly report is
instantaneous.   This is much, much better than the almost 8 hours it
would have taken to generate a monthly report in my original
implementation.  :)

I'd still be interested to hear some other real world examples of how
others are doing this sort of thing - I'm sure this is one of those
instances where there is more than one good way to do it.

-Mahlon

Mahlon E. Smith                        jabber id: mahlon <at> chat.martini.nu
http://www.martini.nu/               get pgp key:  mahlon-pgp <at> martini.nu
........................................................................
  See the Stinkymeat; Oh sickening putrid mass; You are what you eat.
- Bob Noble

(Continue reading)

Andrew Pollock | 11 Jun 2003 03:13

Picon

Re: Me and my usual questions

Hi Carter,

to summarise, I've got the following:

[1] ramon -w - -M TopN -r 2003-05-03 - host 10.11.2.243 | racount
[2] ragator -w - -r 2003-05-03 - \(tcp or udp\) and host 10.11.2.243 | 
ragator -f /usr/local/etc/dport.conf -w - | rasort -M bytes -w - | ra -s 
dport pkts bytes

[3] ra -r 2003-05-03 -w - - host 10.11.2.243 | ramon -M Svc -r -

I have been using [1] to arrive at my totals

I'm now trying to break down the total arrived at by [1], and I've tried 
[2] and [3]

If I add up the output of [2] or [3], it doesn't match the output of [1]
Even when I add both directions together, I come up with a total that's 
slightly less than the total bytes in [1]. It happens that the totals from 
the output of [2] and [3] match exactly.

If I play with [2] and add "src host blah" or "dst host blah" to the 
filter, I obviously get different results. I'm not sure what I was 
supposed to figure out from doing that.

Andrew

On Fri, Jun 06, 2003 at 08:59:59AM -0400, Carter Bullard wrote:
> Hey Andrew,
>   But the totals are the same?  This is probably due to

(Continue reading)

Group

gmane.network.argus.

Advertisement

Project Web Page

Argus Development mailing list - Real Time Flow Monitor (RTFM) for comprehensive IP network traffic auditing

Search Archive

Page

1 | 2 | 3 | 4

Articles in period: 34

June 2003

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

Netflow - Direction field in argus? (13 Jun 2013)
Time window issue (13 Jun 2013)
Netflow - Direction field in argus? (13 Jun 2013)
Time window issue (12 Jun 2013)
Argus 3.0.7.2 vs. 3.0.6.1 (11 Jun 2013)
Shutdown for rasqlinsert (11 Jun 2013)
Rewrite of rastream (10 Jun 2013)
The direction field (10 Jun 2013)
Rewrite of rastream (10 Jun 2013)
ra* segfault with zero width column size (10 Jun 2013)
ABRatio question (6 Jun 2013)
Spurious web server traffic (3 Jun 2013)
racluster.conf problems (3 Jun 2013)
rasql, rasqlinsert, rasqltimeindex (29 May 2013)
Argus 3.0.2/3.0.6.1 segfaults (28 May 2013)
Updating my argus settup... (27 May 2013)
argus-clients-3.0.7.10 on the dev server (21 May 2013)
Rastream doesn't rotate properly when daemonied? (20 May 2013)
Ra - filter syntax error (20 May 2013)
Anomaly detection (16 May 2013)
raservices crashes when processing (15 May 2013)

Archives

63	June 2013
113	May 2013
38	April 2013
75	March 2013
50	February 2013
113	January 2013
42	December 2012
49	November 2012
155	October 2012
63	September 2012
50	August 2012
30	July 2012
122	June 2012
22	May 2012
37	April 2012
53	March 2012
58	February 2012
91	January 2012
52	December 2011
17	November 2011
30	October 2011
15	September 2011
39	August 2011
49	July 2011
61	June 2011
66	May 2011
82	April 2011
48	March 2011
52	February 2011
27	January 2011
42	December 2010
35	November 2010
72	October 2010
78	September 2010
48	August 2010
102	July 2010
50	June 2010
23	May 2010
61	April 2010
40	March 2010
50	February 2010
26	January 2010
32	December 2009
72	November 2009
48	October 2009
55	September 2009
115	August 2009
66	July 2009
36	June 2009
92	May 2009
122	April 2009
116	March 2009
58	February 2009
26	January 2009
15	December 2008
3	November 2008
3	October 2008
24	September 2008
38	August 2008
50	July 2008
62	June 2008
6	May 2008
61	April 2008
90	March 2008
151	February 2008
121	January 2008
67	December 2007
61	November 2007
120	October 2007
107	September 2007
143	August 2007
44	July 2007
91	June 2007
68	May 2007
82	April 2007
141	March 2007
123	February 2007
69	January 2007
50	December 2006
79	November 2006
113	October 2006
114	September 2006
131	August 2006
96	July 2006
270	June 2006
4	May 2006
4	April 2006
40	March 2006
31	February 2006
24	January 2006
14	December 2005
2	November 2005
1	October 2005
8	September 2005
25	August 2005
1	July 2005
14	June 2005
5	May 2005
25	April 2005
24	March 2005
33	February 2005
12	January 2005
41	December 2004
33	November 2004
35	October 2004
48	September 2004
95	August 2004
45	July 2004
79	June 2004
87	May 2004
84	April 2004
17	March 2004
62	February 2004
14	January 2004
28	December 2003
14	November 2003
15	October 2003
38	September 2003
60	August 2003
28	July 2003
31	June 2003
48	May 2003
24	April 2003
39	March 2003
18	February 2003
29	January 2003
26	December 2002
41	November 2002
47	October 2002
18	September 2002
14	August 2002
23	July 2002
20	June 2002
92	May 2002
29	April 2002
56	March 2002
47	February 2002
33	January 2002
18	December 2001
91	November 2001
58	October 2001
49	September 2001
15	August 2001
49	July 2001
109	June 2001
52	May 2001
39	April 2001
99	March 2001
134	February 2001
123	January 2001
26	December 2000
59	November 2000
72	October 2000
143	September 2000
44	August 2000
81	July 2000
20	June 2000
12	May 2000
11	April 2000
63	March 2000
22	February 2000
8	January 2000
1	December 1999
6	October 1999
15	September 1999
3	August 1999
9	July 1999
12	June 1999
7	May 1999
16	April 1999
28	March 1999
9	February 1999

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template