Tuesday, January 29, 2008

Argus 3: Statistics for Major Protocols

Most people would like to have macro view of the network, for example how many bytes have been utilized for protocol such as tcp, udp and icmp, or other things like the amount of packets that have been transmitted or received.

Previously in argus 2.x, argus offers racount -ar to generate the general statistics but the option -a is gone in argus 3.x, so how can you generate the network utilization for major protocols? I have shown the usage of racluster previously here for network session reconstruction and now I will demonstrate another example of using racluster.

Before I move on, I would like to rephrase racluster's functions from the man page -

Racluster reads argus data from an argus-data source, and clusters/merges the records based on the flow key criteria specified either on the command line, or in a racluster configuration file, and outputs a valid argus-stream. This tool is primarily used for data mining, data management and report generation.

Here you go, you can cluster or merge the records based on the flow key and it is suitable for data mining, data management and report generation, let's generate the statistical report using protocol as flow key. Notice I specify -m proto in command line below and using -s to print the field I want -

shell>racluster -L0 -m proto -r data.arg3 -s proto trans pkts bytes appbytes -\
tcp or udp or icmp
Proto Trans TotPkts TotBytes TotAppByte
udp 18115 72665 8488022 5430758
tcp 22996 1291078 969152661 895531494
icmp 1089 1933 424733 346837

This is something simple from racluster but you maybe scratching your head to figure how to do it when you are still new with argus 3(in fact I did), it is considered one of the most powerful tool in argus 3 client suite and maybe sooner, I will talk more about it. Hopefully you find it helpful(hint, hint).

Enjoy (;])

1 comment:

Anonymous said...

Thank you very much for these posts, they're useful as I try to teach myself how to wrangle argus. Keep it up, please. :)