Peter Van Epp | 1 Jun 04:28 2006

Re: monitoring round trip time

On Wed, May 31, 2006 at 10:17:43AM -0700, Michael R Meisel wrote:
> Hi Everyone,
> 
> Can anyone help me with a quick usage question? I have argus tracking 
> ICMP traffic, and I've enabled ARGUS_GENERATE_RESPONSE_TIME_DATA in my 
> argus.conf file. How can I tease out the round trip time from pings 
> using ra?
> 
> Thanks,
> Michael

	Hopefully Carter will jump in with a proper answer but I'd guess you
want the jitter field in ra (or you may need to use raxml to dump the full
records and see what you can find. I'm not sure ra will display everything):

       -s <[-][[+[#]]field ...> -
           Specify the fields to print. Ra uses a default printing field list,
           by  specifying a field you can replace this list completely, or you
           can modify the existing default print list, using the optional  '-'
           and '+[#]' form of the command.  The available fields to print are:

              startime, lasttime, count, dur, avgdur,
              saddr, daddr, proto, sport, dport, ipid,
              stos, dtos, sttl, dttl, bytes, sbytes, dbytes,
              pkts, spkts, dpkts, load, loss, rate,
              srcid, ind, mac, dir, jitter, status, user,
              win, trans, seq, vlan, mpls

           Examples are:
              -s srcaddr    print only the source address.

Carter Bullard | 1 Jun 18:26 2006

Re: monitoring round trip time

Hey Michael,
     Argus should generate a single record for each ping volley that it
sees.  With ra print out the duration field for echo traffic and that
should represent the roundtrip times.

     ra -S server -s +1dur - echo

If that doesn't work, holler!

Carter

>
> On May 31, 2006, at 1:17 PM, Michael R Meisel wrote:
>
>> Hi Everyone,
>>
>> Can anyone help me with a quick usage question? I have argus  
>> tracking ICMP traffic, and I've enabled  
>> ARGUS_GENERATE_RESPONSE_TIME_DATA in my argus.conf file. How can I  
>> tease out the round trip time from pings using ra?
>>
>> Thanks,
>> Michael
>>
>

Robin Gruyters | 6 Jun 14:52 2006

create monthly overview

Hi ya,

I'm looking for a way to generate a monthly overview which contains  
total bytes per protocol of each (sub)net range. (ragator, rmon,  
rsort, ... ?!)

Can anyone help me with this?
I'm also looking for a site which has collected all the "latest"  
patches for argus version 2.0.6.

Regards,

Robin Gruyters
Network and Security Engineer
Yirdis B.V.
I: http://yirdis.com
P: +31 (0)36 5300394
F: +31 (0)36 5489119

Dave Plonka | 6 Jun 17:57 2006

Re: create monthly overview


Hi Robin,

Keep in mind that I'm not even pretending to know anything about argus'
reporting tools.  My response is below.  (It might be interesting to
compare methods proposed by others as follow-ups.)

On Tue, Jun 06, 2006 at 02:52:27PM +0200, Robin Gruyters wrote:
> 
> I'm looking for a way to generate a monthly overview which contains  
> total bytes per protocol of each (sub)net range. (ragator, rmon,  
> rsort, ... ?!)
> 
> Can anyone help me with this?

I can think of a couple ways to do this:

1) You could write a perl script that uses the Cflow module to
read argus flow files and uses Net::Patricia to maintain a data
structure of subnets for fast lookups.  However, this would be more
appropriate to get the report you ask for a given flow file, or small
set.  You'd have to find some way to do the aggregation yourself,
otherwise it would take quite some time to produce the report.

   http://net.doit.wisc.edu/~plonka/Cflow/
   http://net.doit.wisc.edu/~plonka/Net-Patricia/ (also on CPAN)

There are examples of how to use Net::Patricia with Cflow in the
flowdumper documentation - which comes with the Cflow module:
   http://net.doit.wisc.edu/~plonka/Cflow/flowdumper_pod.html

Peter Moody | 6 Jun 19:41 2006

Re: create monthly overview

Hey Robin

On 6/6/06, Robin Gruyters <r.gruyters <at> yirdis.nl> wrote:
> Hi ya,
>
> I'm looking for a way to generate a monthly overview which contains
> total bytes per protocol of each (sub)net range. (ragator, rmon,
> rsort, ... ?!)

So someone else probably has better ways to do all this, but I'd run
something like:

/all/of/my/argus/logs/last/month$ cat * | ramon -r - -M HostSvc -M Net/24 - 'port MUMBLE'

I use ragator and rasort for storing the files.  My understanding of
the argus format is that records aren't necessarily stored in
chronological order.  This seems to be a function of argus aggregating
flows.  So at the end of the day, I ragator the file(s), then rasort
based on startime and keep the resulting file.

Cheers,
-Peter

Russell Fulton | 6 Jun 20:54 2006

Re: create monthly overview


Robin Gruyters wrote:
> Hi ya,
> 
> I'm looking for a way to generate a monthly overview which contains
> total bytes per protocol of each (sub)net range. (ragator, rmon, rsort,
> ... ?!)

ragator will do this: simply set up a config file that aggregates by
subnet and then run it over the month's logs. (You may find it easier to
do this day by day and then combine the daily files.)

Ah, there is one twist -- I think you will need to make two passes, one
selecting flows where your network is source and one where it is
destination.

> 
> Can anyone help me with this?
> I'm also looking for a site which has collected all the "latest" patches
> for argus version 2.0.6.
>
The only argus repository is qosient.com. Carter is polishing 3.0 at the
moment and that will hopefully be available soon.

Russell

Carter Bullard | 6 Jun 22:44 2006

Re: create monthly overview

Hey Russell and Robin,
    Yes, in fact, I gave CMU the first copy of argus-3.0 for a sanity
check on Friday.   I think it passed.  I still have some work to do on the
clients, so hopefully this week, I'll have the first round ready.

    Russell is right, ragator() is the way to do it in argus-2.0.
Because some subnets will have longer masks than others,
be sure and have a separate line to specify the mask length
for the subnets of interest.   If you need help, just holler.

    In argus-3.0, you will do this using racluster().  It is designed
to do most of what you want on the command line rather than
having to have a complex configuration file strategy like
ragator uses.  For racluster() you would do:

    racluster -M rmon -m proto saddr/16 - ip

This will read all the ip data, modifying the records to track single IP
addresses  (the '-M rmon') instead of flows, and to aggregate the
flows based on proto and CIDR address (when you use the 'rmon'
option, the unique address is in the saddr field).   There are many
options for racluster().

If you wanted different subnets to have different CIDR mask lengths,
you would do passes, one to aggregate on the IP address, and then
another pass to aggregate into the subnets of interest.   racluster()
supports a configuration file that allows you to have lots of  
directives.
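An added example, not code from this thread or from the argus project: a small Python aggregator that does in one pass what Russell's two ragator passes (network as source, network as destination) and Carter's second racluster pass (different mask lengths per subnet) achieve, crediting each flow's bytes to the longest-matching local subnet on either end. The ra field order, the subnets and the sample records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of "ra -n -s proto saddr daddr sbytes dbytes"
# output (assumed field order); not real captured data.
SAMPLE_RA_OUTPUT = """\
tcp   10.1.2.3      192.0.2.10    1500   48000
udp   198.51.100.7  10.1.200.9    900    120
tcp   10.1.2.4      203.0.113.5   300    2200
icmp  10.1.200.9    10.1.2.3      84     84
udp   172.16.5.5    198.51.100.8  400    0
"""

# Local ranges with differing mask lengths (constructed). The /24 sits inside
# the /16, so a plain saddr/16 aggregation would lump it in; longest match wins.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.1.0.0/16", "10.1.200.0/24", "172.16.0.0/12")]


def match_local(addr):
    """Return the most specific local subnet containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in LOCAL_NETS if ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def aggregate(ra_text):
    """Total bytes (both directions) per (subnet, proto).

    A flow is credited to the local subnet on whichever end is local, so one
    pass covers both the source-side and destination-side cases. If both
    ends are local, each subnet receives the flow's bytes once.
    """
    totals = defaultdict(int)
    for line in ra_text.splitlines():
        if not line.strip():
            continue
        proto, saddr, daddr, sbytes, dbytes = line.split()
        flow_bytes = int(sbytes) + int(dbytes)
        for addr in (saddr, daddr):
            net = match_local(addr)
            if net is not None:
                totals[(str(net), proto)] += flow_bytes
    return dict(totals)


if __name__ == "__main__":
    for (net, proto), total in sorted(aggregate(SAMPLE_RA_OUTPUT).items()):
        print(f"{net:18} {proto:5} {total:>10}")
```

Feeding it a month of ra output (or the per-day ragator files combined) gives the per-subnet, per-protocol totals the original question asks for.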

Peter Van Epp | 7 Jun 04:59 2006

Re: create monthly overview

On Tue, Jun 06, 2006 at 02:52:27PM +0200, Robin Gruyters wrote:
> Hi ya,
> 
> I'm looking for a way to generate a monthly overview which contains  
> total bytes per protocol of each (sub)net range. (ragator, rmon,  
> rsort, ... ?!)
> 
> Can anyone help me with this?

	Two-part answer :-). If you are comfortable in perl, my perl scripts 
at ftp.sfu.ca /pub/unix/argus/argus.traffic.perl.tar.gz can be modified to 
do this (at present they only accumulate traffic totals by selected IPs on
a monthly basis, but the tools for extracting subnets are there too). 

> I'm also looking for a site which has collected all the "latest"  
> patches for argus version 2.0.6.

	I'm slowly working on this as time permits. I made the mistake of 
putting argus on my VLANed backbone and found a bug or two in RARP processing
and some pcap related problems that break the latest Linux ring buffer code
that I'm poking at (the ra side of rarp is fixed, but there looks to be a 
problem in the server code too and that isn't, and pcap is still a mystery
although it looks to be header file related). 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

Robin Gruyters | 7 Jun 09:02 2006

Re: create monthly overview

Thanks for the info. At this point I rather wait for argus v3.0. Can't  
wait to dive into it! ;)

Regards,

Robin Gruyters
Network and Security Engineer
Yirdis B.V.
I: http://yirdis.com
P: +31 (0)36 5300394
F: +31 (0)36 5489119

Quoting Carter Bullard <carter <at> qosient.com>:

> Hey Russell and Robin,
>    Yes, in fact, I gave CMU the first copy of argus-3.0 for a sanity check
> on Friday.   I think it passed.  I still have some work to do on the clients,
> so hopefully this week, I'll have the first round ready.
>
>    Russell is right, ragator() is the way to do it in argus-2.0.
> Because some subnets will have longer masks than others,
> be sure and have a separate line to specify the mask length
> for the subnets of interest.   If you need help, just holler.
>
>    In argus-3.0, you will do this using racluster().  It is designed
> to do most of what you want on the command line rather than
> having to have a complex configuration file strategy like
> ragator uses.  For racluster() you would do:
>
>    racluster -M rmon -m proto saddr/16 - ip

Carter Bullard | 7 Jun 16:28 2006

argus-3.0 availability

Gentle people,
     Well, I did get the initial set of clients finished last night,
so, as our good European friends say, we've got a complete kit now.   I
still have to review it one more time to ensure that it's scrubbed
down good (there is some intellectual property that had to be
extracted), and then I'll make an announcement on this mailing
list.   Should be tomorrow.

    The set of programs are:
       argus-3.0.0.rc.1
          argus
       argus-client-3.0.0.rc.1
          ra, radium, ratop, racluster, ragrep, ragraph,
          rasort, rasplit, rastrip, racount, rabins.

    The big difference is a modification to the record format, to
handle IPv6, 64-bit counters, and 64-bit processing.   We
are parsing more encapsulation headers, such as MPLS
and GRE.   Argus supports multiple flow models, so you can
configure it to run as a 5-tuple bidirectional probe, or a
uni-directional probe, or as say just an MPLS flow monitor.
I think we also do VLANs, and MAC address flow monitoring,
which just means that the flow model stops at these layers
in the stack.  This is in case you're interested in monitoring
say 10 Gbps core links, and have no interest in micro-flow
monitoring.

    New features for all the ra* programs are more filtering, and
better field printing support.   ratop() should be considered