[netsa-tools-discuss] Point in Time Data in Silk

Chris Inacio inacio at cert.org
Tue Dec 1 21:49:50 EST 2015



> On Dec 1, 2015, at 8:55 PM, Drew Morrigan <drewm at landesa.org> wrote:
> 
> 
> “Instantaneous peak bandwidth” is a brilliantly succinct way to say what I took a few paragraphs to illustrate.  So thank you for that phrase, if nothing else!
>  
> While Prism sounds pretty close to what I am looking for, my servers are CLI only.  Is it possible to run it in such an environment, and perhaps export the results so that they can be viewed graphically on another computer?
>  
> I’ll also poke about with the other tools you suggested.  Thank you for those, as well.
>  
> 
> 
> Drew Morrigan | drewm at landesa.org
> Systems Admin / Support Specialist
> 
> Landesa
> 1424 Fourth Ave., Suite 300, Seattle, WA  98101
> T: 206-257-6158 | F: 206-528-5881
> Skype: drewm_landesa
> 
> www.landesa.org
> 
> Recipient of the 2015 Hilton Humanitarian Award
> 


I honestly don’t know that much about the backend implementations of FlowBat or FlowViewer - so I won’t particularly theorize about if they can run CLI only.  I will note that both of them are web UI based front ends to SiLK.

Prism can run without a display.  In this case, the key thing would be the summary data that would get stored in the database.  I wouldn’t get too gung ho yet though.  I’ll make sure some folks take a look at this thread and can give you the real relevant details on this.

Hopefully the FlowBat and FlowViewer folks will jump in as well.


regards,
--
Chris Inacio
inacio at cert.org



> From: Chris Inacio [mailto:inacio at cert.org] 
> Sent: Tuesday, December 1, 2015 5:46 PM
> To: Drew Morrigan
> Cc: netsa-tools-discuss at cert.org
> Subject: Re: [netsa-tools-discuss] Point in Time Data in Silk
>  
> Drew,
>  
> First, let me make the disclaimer that this isn't exactly my area of expertise.
>  
> Let me point you at a script we have on our site: prism. Prism will create a database with traffic time series data and allow for plots of that information to be created from the database as time series trend lines. You can define the bin types (in web, in, http, etc.) as you like. Using the stored prism data would greatly speed your search. (At the cost of disk space, of course.  :) but you can get nice plots too.)
>  
> http://tools.netsa.cert.org/script-prism/
>  
> Although I got the impression you don't want something like prism. (I'm willing to bet tools like flowviewer and flowbat also have very similar features.) 
> 
> http://sourceforge.net/p/flowviewer/wiki/Home/
> http://flowbat.com
>  
> When I first read this, I thought you were searching for your TopTalker, but after rereading I'm second guessing and wondering if what you really want is instantaneous peak bandwidth. Those would obviously be very different things. 
>  
> Maybe you can answer that and an analyst will respond with better search foo than I have. 
>  
> Regards,
> --
> Chris Inacio
> Inacio at cert.org
>  
>  
> Sent from my iPad
> 
> On Dec 1, 2015, at 6:33 PM, Drew Morrigan <drewm at landesa.org> wrote:
> 
> Greetings,
>  
>   I am using Silk 3.11 on Ubuntu Server 14.04.  I have it happily collecting data from our FWs and am currently fumbling around with the analysis tools.  I’ve been able to get some cool/useful information from those fumblings, but there is something I need I haven’t been able to put together easily on my own.
>  
>   Due to some changes to our environment, we will soon be making more use out of our ISP’s upload bandwidth than we have been.  We want to know how much outgoing traffic we are currently transmitting, but from a ‘snapshot’ perspective, not the total amount used.  To hopefully clarify things, here’s what I’m doing currently:
>  
> rwfilter --start-date=2015/10/28T00 --end-date=2015/11/30T18 --type=out,outweb --sensors=S2 --saddress=10.0.0.0/24 --pass=stdout | rwcount --bin-size=86400 --skip-zeroes
>  
> As I’ve come to understand things, this would give me the total data transmitted for each 24-hour period over the specified range.  I’d then drill down into those periods and determine which hours had the highest transmissions, and keep going until I reach –bin-size=1.  That would be my ‘snapshot’ upload bandwidth usage (less compression, WAN optimization, etc., of course).
>  
> This is, suffice to say, not an efficient process, especially since collectors are running at more than one office location.  How else could I be going about this?
> 
> 
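The drill-down described in the original question (24-hour bins, then hours, then down to `--bin-size=1`) can be collapsed into one pass: run `rwfilter ... --pass=stdout | rwcount --bin-size=N --skip-zeroes` once at the resolution you care about and pick the bin with the most bytes. The script below is an added example for this thread, not code from SiLK or from either poster. It parses rwcount's default delimited text output (assumed layout `Date|Records|Bytes|Packets|` with fractional counts, because rwcount splits each flow's volume across the bins it spans) and reports the busiest bin as bits per second averaged over that bin. The sample rows are constructed, not real traffic.

```python
"""Find the peak-throughput bin in rwcount output.

Added example (not SiLK's own code). Assumes rwcount's default output
layout ('|' delimited, header row 'Date|Records|Bytes|Packets|', values
printed as floats) and that every row was produced with the same
--bin-size, which the caller passes in.
"""
import sys
from datetime import datetime

# Constructed sample of rwcount output for --bin-size=3600 (not real data).
SAMPLE_RWCOUNT = """\
               Date|     Records|           Bytes|      Packets|
2015/11/30T14:00:00|     1204.00|     912345678.00|    781234.00|
2015/11/30T15:00:00|     1533.00|    2350000000.00|   1902345.00|
2015/11/30T16:00:00|      987.00|     455000000.00|    388000.00|
"""


def parse_rwcount(text):
    """Return a list of (start_time, records, bytes, packets) tuples.

    The header row and blank lines are skipped; the trailing '|' that
    rwcount prints produces an empty last field, which is ignored.
    """
    bins = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().split("|")]
        if len(fields) < 4 or not fields[0] or fields[0] == "Date":
            continue
        start = datetime.strptime(fields[0], "%Y/%m/%dT%H:%M:%S")
        bins.append((start, float(fields[1]), float(fields[2]), float(fields[3])))
    return bins


def top_bins(bins, n):
    """Return the n bins with the most bytes, busiest first."""
    return sorted(bins, key=lambda b: b[2], reverse=True)[:n]


def peak_bin(bins, bin_size_seconds):
    """Return (start_time, bytes, bits_per_second) for the busiest bin.

    bits_per_second is the average over the bin, so a 1-second bin gives
    the closest thing to 'instantaneous' that flow records can provide.
    """
    if not bins:
        raise ValueError("no rwcount rows parsed")
    start, _records, nbytes, _packets = top_bins(bins, 1)[0]
    return start, nbytes, nbytes * 8.0 / bin_size_seconds


def main(argv):
    # Usage: rwfilter ... --pass=stdout | rwcount --bin-size=60 --skip-zeroes \
    #        | python peak.py 60
    # With no argument the constructed sample above is analysed instead.
    if len(argv) > 1:
        bin_size, text = int(argv[1]), sys.stdin.read()
    else:
        bin_size, text = 3600, SAMPLE_RWCOUNT
    bins = parse_rwcount(text)
    for start, _r, nbytes, _p in top_bins(bins, 3):
        print(f"{start:%Y/%m/%dT%H:%M:%S}  {nbytes:16.0f} bytes  "
              f"{nbytes * 8.0 / bin_size / 1e6:8.2f} Mbit/s")
    start, nbytes, bps = peak_bin(bins, bin_size)
    print(f"peak: {start:%Y/%m/%dT%H:%M:%S} at {bps / 1e6:.2f} Mbit/s "
          f"(average over a {bin_size}s bin)")


if __name__ == "__main__":
    main(sys.argv)
```

Two caveats worth keeping in mind when reading the number this produces: a one-second bin over a month of flow data is a very long table, so it is usually cheaper to locate the busy hours at `--bin-size=3600` first and rerun the rwfilter with a narrower `--start-date`/`--end-date` for the 1-second pass; and the per-bin figure is an average over the bin, derived from how rwcount spreads each flow's bytes across the bins the flow covers, so it approximates rather than measures the true instantaneous peak.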


