Carter Bullard | 1 May 04:17

cygwin support for argus and argus-clients

Gentle people,
The code up on the server, argus-3.0.0.tar.gz and 
argus-clients-3.0.0.rc.43.tar.gz
now compile fine on cygwin.  If you have an interest in running argus on your
windows box, and running the client programs under cygwin, please give
these a try.  Argus has to be run as a windows service, using
the cygwin tools to install and manage the service.  The documentation
on the cygwin site should get you all the way, so to speak.

If you do try it out and have any problems at all, please
send email asap to the list!!!!!

Thanks for all the help!!

Carter

real.melancon | 2 May 17:39

How to get latency of jitter graphs with ragraph

Hello list,

I would like to have latency and jitter values using ragraphs but I cannot find the proper parameters. I see
ragraph uses rabins to aggregate information, but is it because it is not implemented yet in version 3.0 ? 

Do you have any plans to add it eventually ? 

Is there another way to get this information (e.g. by piping ra output) ?

Thanks in advance.

Real.

____________________________
Réal Melançon

K K | 2 May 20:53

Filtering with netmasks?

We'd like to be able to generate a "Top 10 users of Internet
bandwidth" report for traffic exchanged between internal users and
Internet hosts.  Originally I tried this with v2, and I'm now testing
with V3.0.0.  In both cases, the host OS is OpenBSD 3.9 (soon to be
upgraded to 4.1, released yesterday).

We already have the inside-edge Cisco router sending NetFlow to Argus,
but not all the traffic crossing this router is Internet traffic, so
I'm trying to use filter expressions to report only on the relevant
traffic, like this:

ra -r /data/argus/argus.2007.05.01.16.50.01.gz -w -
  - 'host squidproxy or host socksproxy or not ( src net 205.166.42.
or 10. or 172.24. or 172.30.12. or 192.168. ) or not ( dst net
205.166.42. or 10. or 172.24. or 172.30.12. or 192.168. )' | racluster
-M rmon -m saddr -w - | rasort -m bytes load -w - | ra -N 10 -s saddr
daddr spkts dpkts sbytes dbytes load | tr -s " " | sed -e "s/
0\.0\.0\.0//"

The command above almost, but not quite, works as expected. The report
is generated, but it includes data for purely internal connections
between 172.24.5.5 and 192.168.6.6 -- sessions which I'd hope the
filter would have dropped.  IOW, the goal of the filter expression is
to only count traffic from/to the proxy gateways, or where either the
source or destination IP is external.

I believe the issue is with the PCAP style filters and I'm expecting
too much from "src net" filtering.  Is there a better way to get the
desired results when the source is NetFlow?


Peter Van Epp | 2 May 21:18

Re: Filtering with netmasks?

On Wed, May 02, 2007 at 01:53:12PM -0500, K K wrote:
> We'd like to be able to generate a "Top 10 users of Internet
> bandwidth" report for traffic exchanged between internal users and
> Internet hosts.  Originally I tried this with v2, and I'm now testing
> with V3.0.0.  In both cases, the host OS is OpenBSD 3.9 (soon to be
> upgraded to 4.1, released yesterday).
> 
> We already have the inside-edge Cisco router sending NetFlow to Argus,
> but not all the traffic crossing this router is Internet traffic, so
> I'm trying to use filter expressions to report only on the relevant
> traffic, like this:
> 
> ra -r /data/argus/argus.2007.05.01.16.50.01.gz -w -
>  - 'host squidproxy or host socksproxy or not ( src net 205.166.42.
> or 10. or 172.24. or 172.30.12. or 192.168. ) or not ( dst net
> 205.166.42. or 10. or 172.24. or 172.30.12. or 192.168. )' | racluster
> -M rmon -m saddr -w - | rasort -m bytes load -w - | ra -N 10 -s saddr
> daddr spkts dpkts sbytes dbytes load | tr -s " " | sed -e "s/
> 0\.0\.0\.0//"
> 

	That is likely because filter syntax has changed a bit.

ra3 -r com_argus -n \(src net 142.58.209.\)
   10:54:58.668335             man               3032      0                    22674      1   766884    40295        22674   3276032916   CON
   10:54:58.668335             man               3110      0                    22592      1   802514    38178        22592   3325167276   CON
   10:54:58.668335             man               3364      0                    

	which now needs to be:


Carter Bullard | 2 May 22:01

Re: Filtering with netmasks?

The syntax changed because we need to input floating point numbers
into the filter, and parsing 10.3 as both a net address and a float
is/was a bit confusing for flex/bison.  Hopefully this will not be a major problem.

Carter

Peter Van Epp wrote:
> On Wed, May 02, 2007 at 01:53:12PM -0500, K K wrote:
>   
>> We'd like to be able to generate a "Top 10 users of Internet
>> bandwidth" report for traffic exchanged between internal users and
>> Internet hosts.  Originally I tried this with v2, and I'm now testing
>> with V3.0.0.  In both cases, the host OS is OpenBSD 3.9 (soon to be
>> upgraded to 4.1, released yesterday).
>>
>> We already have the inside-edge Cisco router sending NetFlow to Argus,
>> but not all the traffic crossing this router is Internet traffic, so
>> I'm trying to use filter expressions to report only on the relevant
>> traffic, like this:
>>
>> ra -r /data/argus/argus.2007.05.01.16.50.01.gz -w -
>>  - 'host squidproxy or host socksproxy or not ( src net 205.166.42.
>> or 10. or 172.24. or 172.30.12. or 192.168. ) or not ( dst net
>> 205.166.42. or 10. or 172.24. or 172.30.12. or 192.168. )' | racluster
>> -M rmon -m saddr -w - | rasort -m bytes load -w - | ra -N 10 -s saddr
>> daddr spkts dpkts sbytes dbytes load | tr -s " " | sed -e "s/
>> 0\.0\.0\.0//"
>>
>>     

Robin Gruyters | 3 May 08:43

Re: patch for rrdtool-1.2.19


Robin Gruyters
Network and Security Engineer
Yirdis B.V.
I: http://yirdis.com
P: +31 (0)36 5300394
F: +31 (0)36 5489119

Hi Carter,

Shouldn't this be \J? Because it is still not working for me.

[...]
ERROR: Unknown control code at the end of '  src *            \J'
[...]

Regards,


Quoting Carter Bullard <carter <at> qosient.com>:

> Gentle people,
> With regard to ragraph() and the rrdtool /J option not being supported
> in the latest rrd-tool distribution, here is the patch that can be applied to

carter | 3 May 13:39

Re: How to get latency of jitter graphs with ragraph

I'm not sure what you are trying to do, so send the command you are having problems with.

If you want to test, try calling rabins with your parameters.  Rabins is the core of ragraph, so if rabins can
do it so can ragraph (generally).

Also, if ragraph can't generate your graph, you can graph the output of rabins using a dozen other tools, like Excel.

Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: real.melancon <at> videotron.ca
Date: Wed, 02 May 2007 15:39:17 
To:argus-info <at> lists.andrew.cmu.edu
Subject: [ARGUS] How to get latency of jitter graphs with ragraph

Hello list,

I would like to have latency and jitter values using ragraphs but I cannot find the proper parameters. I see
ragraph uses rabins to aggregate information, but is it because it is not implemented yet in version 3.0 ? 

Do you have any plans to add it eventually ? 

Is there another way to get this information (e.g. by piping ra output) ?


K K | 3 May 22:12

Netflow and "srcid"

Now that my netmask question has been solved (thanks!), I've noticed
that the numbers I'm getting are still considerably higher than the
accounting information recorded by the firewall.  I'm pretty sure this
is because I have one 'ra' listener collecting netflows from several
routers, including WAN and Internet routers, so some traffic is seen
and counted twice.

With native argus probes, I could use the probe id  (srcid) to
differentiate between sources, but with Netflow the field is less
useful.  Under "Ra Version 2.0.6", the field was always 0.0.0.0.  Now
that I've upgraded to "Ra Version 3.0.0.rc.43" the field is populated
with "ra" listener's IP address, so all the data from the various
Ciscos is logged with the same srcid value.

Is there a need for the "srcid" field, with Netflow, to be the
listener IP of the "ra" instance?   Would it be possible to instead
populate this field with the source IP from the Netflow UDP packet, so
we could have multiple Cisco routers sending to a single listener and
yet differentiate between them in post-processing?

Thanks,

Kevin
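Worked example added here, not code from this thread or from the argus project: it restates the intent of the ra filter from the "Filtering with netmasks?" post (keep a flow if a proxy host is involved, or if either endpoint lies outside the internal prefixes) in Python so the boolean logic can be checked against constructed flow records, and then shows, for the srcid question above, how keeping the NetFlow exporter address on each record lets a single listener fed by several routers avoid counting the same flow twice. The CIDR masks, the proxy addresses, the exporter addresses and the sample flows are all constructed for the example; the per-exporter selection models the post-processing Kevin asks for, not something ra does as shipped.

```python
import ipaddress
from collections import defaultdict, namedtuple

# Internal prefixes from the filter in the thread.  The dotted-prefix form
# used there ("src net 172.24.") is assumed to mean these masks; the CIDR
# notation is this example's own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "205.166.42.0/24", "10.0.0.0/8", "172.24.0.0/16",
    "172.30.12.0/24", "192.168.0.0/16")]

# The two proxy hostnames from the filter, given constructed addresses.
PROXY_ADDRS = {ipaddress.ip_address("172.24.1.10"),   # squidproxy (constructed)
               ipaddress.ip_address("172.24.1.11")}   # socksproxy (constructed)

# One NetFlow-derived record: the exporter that sent it, the endpoints and
# the byte counts (a small subset of the fields ra can print).
Flow = namedtuple("Flow", "exporter saddr daddr sbytes dbytes")

# Constructed sample.  198.51.100.1 plays the Internet-edge router and
# 198.51.100.2 the WAN router; both see the first flow, which is exactly the
# double counting described in the srcid post.
SAMPLE_FLOWS = """\
198.51.100.1 172.24.5.5  203.0.113.9   1000 5000
198.51.100.2 172.24.5.5  203.0.113.9   1000 5000
198.51.100.1 172.24.5.5  192.168.6.6    700  700
198.51.100.1 172.24.1.10 203.0.113.50   200 9000
198.51.100.2 10.1.2.3    10.9.9.9       300  300
198.51.100.1 192.168.6.6 203.0.113.77   400 2600
"""


def parse_flows(text):
    """Parse 'exporter saddr daddr sbytes dbytes' lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        exporter, saddr, daddr, sbytes, dbytes = line.split()
        flows.append(Flow(ipaddress.ip_address(exporter),
                          ipaddress.ip_address(saddr),
                          ipaddress.ip_address(daddr),
                          int(sbytes), int(dbytes)))
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def matches_filter(flow):
    """Intent of the thread's filter:
         host squidproxy or host socksproxy
         or not (src net <internal...>) or not (dst net <internal...>)
    i.e. keep the flow if a proxy is an endpoint or either side is external.
    An internal-to-internal flow such as 172.24.5.5 -> 192.168.6.6 is dropped."""
    if flow.saddr in PROXY_ADDRS or flow.daddr in PROXY_ADDRS:
        return True
    return not is_internal(flow.saddr) or not is_internal(flow.daddr)


def top_talkers(flows, n=10, srcid=None):
    """Total bytes per source address over the filtered flows, largest first,
    as 'racluster -m saddr | rasort -m bytes | ra -N n' would report.
    When srcid is given, only records from that exporter address are counted:
    this is the exporter-as-srcid attribution proposed in the thread, done
    here in post-processing."""
    totals = defaultdict(int)
    for flow in flows:
        if srcid is not None and flow.exporter != ipaddress.ip_address(srcid):
            continue
        if matches_filter(flow):
            totals[str(flow.saddr)] += flow.sbytes + flow.dbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("all exporters mixed:  ", top_talkers(flows))
    print("Internet router only: ", top_talkers(flows, srcid="198.51.100.1"))
```

Run as-is, the first line shows 172.24.5.5 credited with 12000 bytes because both routers exported the same flow; restricting to the Internet-edge exporter gives the 6000 bytes the firewall would agree with, and the purely internal flows never appear in either report.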

Russell Fulton | 4 May 00:38

Re: Netflow and "srcid"

another possibility for getting higher byte counts than expected is that
some things count application bytes and others count everything.  Argus
can do both ( -A switch).

Russell

K K wrote:
> Now that my netmask question has been solved (thanks!), I've noticed
> that the numbers I'm getting are still considerably higher than the
> accounting information recorded by the firewall.  I'm pretty sure this
> is because I have one 'ra' listener collecting netflows from several
> routers, including WAN and Internet routers, so some traffic is seen
> and counted twice.
>
> With native argus probes, I could use the probe id  (srcid) to
> differentiate between sources, but with Netflow the field is less
> useful.  Under "Ra Version 2.0.6", the field was always 0.0.0.0.  Now
> that I've upgraded to "Ra Version 3.0.0.rc.43" the field is populated
> with "ra" listener's IP address, so all the data from the various
> Ciscos is logged with the same srcid value.
>
> Is there a need for the "srcid" field, with Netflow, to be the
> listener IP of the "ra" instance?   Would it be possible to instead
> populate this field with the source IP from the Netflow UDP packet, so
> we could have multiple Cisco routers sending to a single listener and
> yet differentiate between them in post-processing?
>
>
> Thanks,
>

carter | 4 May 01:36

Re: Netflow and "srcid"

Yes, that should be pretty easy, depending on how you are sending the netflow records.  Are they all going to the
same daddr and port?  If so we'll have to get/use the src address as the srcid, or we'd have to have a
translation table to look up the srcid.

Any suggestions how you would want to configure this?

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: "K K" <kkadow <at> gmail.com>
Date: Thu, 3 May 2007 15:12:41 
To:argus-info <at> lists.andrew.cmu.edu
Subject: [ARGUS] Netflow and "srcid"

Now that my netmask question has been solved (thanks!), I've noticed
that the numbers I'm getting are still considerably higher than the
accounting information recorded by the firewall.  I'm pretty sure this
is because I have one 'ra' listener collecting netflows from several
routers, including WAN and Internet routers, so some traffic is seen
and counted twice.

With native argus probes, I could use the probe id  (srcid) to