This article gives a brief summary of the usage of some Argus tools (ra, racount, racluster, rabins and rasort), based on past experience. For more detailed documentation, please refer to http://qosient.com/argus/manuals.shtml
1. List traffic records under certain filtering condition
ra -r filename.arg - tcp //list all TCP records
2. Display records statistics
racount -r filename.arg - udp port domain //display record/packet/byte counts with DNS filtering
3. Process traffic data into structured ‘bins’ (usually time bins)
rabins -r filename.arg -M time 1h -m srcid -s load //align the data into hourly bins, aggregate on srcid and display the load (bps) for each hourly aggregation
4. Aggregate traffic data and sort (for example, find out which IP address is receiving the most traffic)
racluster -r filename.arg -m daddr -w - | rasort -r - -m sbytes -s daddr sbytes //use the racluster tool to aggregate the records by destination address, then pipe the aggregated output to rasort to sort on the source-to-destination bytes (sbytes) in descending order
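The aggregate-then-sort step in item 4 is the one most often needed when triaging a capture (which hosts are receiving the most data). As an added example, not part of the original post, the shell function below reproduces that step with awk and sort over a constructed sample of what ra prints with a comma delimiter and selected fields (ra's -c delimiter and -s field options), so it can be run and checked without Argus installed; the addresses and byte counts are made up for illustration.

```shell
#!/bin/sh
# Constructed sample of the output of
#   ra -r filename.arg -c , -s daddr sbytes
# (a header line, then one record per flow). Not real capture data.
SAMPLE='daddr,sbytes
10.0.0.5,1200
10.0.0.7,300
10.0.0.5,800
192.168.1.9,5000
10.0.0.7,100'

# Sum source-to-destination bytes per destination address and sort the
# totals in descending order. This mirrors
#   racluster -m daddr -w - | rasort -r - -m sbytes -s daddr sbytes
# using only awk and sort. $1 is the delimited ra output.
top_receivers() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 { bytes[$1] += $2 }
        END { for (d in bytes) printf "%s %d\n", d, bytes[d] }' \
    | sort -k2,2nr
}

# Prints the destinations with the largest totals first.
top_receivers "$SAMPLE"
```

On the sample above the first line printed is 192.168.1.9 with 5000 bytes, followed by 10.0.0.5 (2000) and 10.0.0.7 (400); on real data, feed the function the output of the ra command shown in the comment.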