[netsa-tools-discuss] Point in Time Data in Silk

Timur D. Snoke tdsnoke at cert.org
Wed Dec 2 08:00:35 EST 2015


Drew,

I am including an example of the graphic output of Prism for your frame of reference. The different strip plots are defined as bins that the tool parses the flow data into, and they can be configured however you want. I wanted you to see that it does produce a peak for each bin and scales the graphic for the magnitude of the volume being presented.

Also, Prism can store the data as flat files/CSVs, so if you want to manipulate the data elsewhere to find other info you can. In the past I have defined all the bins I care about and run Prism as a cron job daily for the previous day's data.

I hope this helps.

Timur Snoke

 

From: netsa-tools-discuss-bounces+tdsnoke=cert.org at cert.org On Behalf Of Drew Morrigan
Sent: Tuesday, December 01, 2015 8:56 PM
To: Chris Inacio <inacio at cert.org>
Cc: netsa-tools-discuss at cert.org
Subject: Re: [netsa-tools-discuss] Point in Time Data in Silk

“Instantaneous peak bandwidth” is a brilliantly succinct way to say what I took a few paragraphs to illustrate. So thank you for that phrase, if nothing else!

While Prism sounds pretty close to what I am looking for, my servers are CLI only. Is it possible to run it in such an environment, and perhaps export the results so that they can be viewed graphically on another computer?

I’ll also poke about with the other tools you suggested. Thank you for those, as well.

Drew Morrigan | drewm at landesa.org
Systems Admin / Support Specialist
Landesa
1424 Fourth Ave., Suite 300, Seattle, WA 98101
T: 206-257-6158 | F: 206-528-5881
Skype: drewm_landesa
www.landesa.org
Recipient of the 2015 Hilton Humanitarian Award <http://www.landesa.org/news/landesa-awarded-the-hilton-humanitarian-prize/>

From: Chris Inacio <inacio at cert.org>
Sent: Tuesday, December 1, 2015 5:46 PM
To: Drew Morrigan
Cc: netsa-tools-discuss at cert.org
Subject: Re: [netsa-tools-discuss] Point in Time Data in Silk

Drew,

First, let me make the disclaimer that this isn't exactly my area of expertise.

Let me point you at a script we have on our site: prism. Prism will create a database with traffic time series data and allow for plots of that information to be created from the database as time series trend lines. You can define the bin types (in web, in, http, etc.) as you like. Using the stored prism data would greatly speed your search. (At the cost of disk space, of course. :) But you can get nice plots too.)

http://tools.netsa.cert.org/script-prism/

Although I got the impression you don't want something like prism. (I'm willing to bet tools like flowviewer and flowbat also have very similar features.)

http://sourceforge.net/p/flowviewer/wiki/Home/

http://flowbat.com

When I first read this, I thought you were searching for your TopTalker, but after rereading I'm second guessing and wondering if what you really want is instantaneous peak bandwidth. Those would obviously be very different things.

Maybe you can answer that and an analyst will respond with better search foo than I have.

Regards,

--

Chris Inacio

Inacio at cert.org

Sent from my iPad


On Dec 1, 2015, at 6:33 PM, Drew Morrigan <drewm at landesa.org> wrote:

Greetings,

I am using Silk 3.11 on Ubuntu Server 14.04. I have it happily collecting data from our FWs and am currently fumbling around with the analysis tools. I’ve been able to get some cool/useful information from those fumblings, but there is something I need I haven’t been able to put together easily on my own.

Due to some changes to our environment, we will soon be making more use out of our ISP’s upload bandwidth than we have been. We want to know how much outgoing traffic we are currently transmitting, but from a ‘snapshot’ perspective, not the total amount used. To hopefully clarify things, here’s what I’m doing currently:

rwfilter --start-date=2015/10/28T00 --end-date=2015/11/30T18 --type=out,outweb --sensors=S2 --saddress=10.0.0.0/24 --pass=stdout | rwcount --bin-size=86400 --skip-zeroes

As I’ve come to understand things, this would give me the total data transmitted for each 24-hour period over the specified range. I’d then drill down into those periods and determine which hours had the highest transmissions, and keep going until I reach --bin-size=1. That would be my ‘snapshot’ upload bandwidth usage (less compression, WAN optimization, etc., of course).

This is, suffice to say, not an efficient process, especially since collectors are running at more than one office location. How else could I be going about this?



Drew Morrigan | drewm at landesa.org
Systems Admin / Support Specialist
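A worked illustration of the binning question raised in the thread, added here as an example; it is not code from any of the messages above nor from the SiLK or Prism distributions. Because rwcount already distributes each flow's bytes across the bins it spans, the hour-by-hour drill-down can be collapsed into one pass at the finest bin size followed by a sort, for example `rwfilter ... --pass=stdout | rwcount --bin-size=1 --delimited=, --no-titles | sort -t, -k3,3nr | head -1` (rwcount prints Date, Records, Bytes, Packets, so Bytes is the third column). The script below does the same arithmetic in Python over a constructed set of flows so the two caveats are visible: the "peak" changes with the bin size, and it depends on how a flow's bytes are attributed to bins (rwcount's `--load-scheme`). A flow record only carries start time, duration and total bytes, so a 1-second figure is each flow's average rate over its lifetime, not a true instantaneous sample; bursts inside a flow cannot be recovered from flow data. The rwcut options in the docstring are assumed from memory; check `rwcut --help` on your install.

```python
"""Peak outbound bandwidth from SiLK flow records, binned the way rwcount bins.

Added example for this thread; not code from the original messages nor from
the SiLK distribution. Input is assumed to be one
"start_epoch_seconds,duration_seconds,bytes" line per flow, as this pipeline
would print (option names assumed; verify with `rwcut --help`):

    rwfilter --start-date=2015/11/30T00 --end-date=2015/11/30T23 \
        --type=out,outweb --sensors=S2 --saddress=10.0.0.0/24 --pass=stdout \
      | rwcut --fields=sTime,dur,bytes --timestamp-format=epoch \
              --delimited=, --no-titles
"""
import sys
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[float, float, int]  # (start_time, duration_seconds, bytes)

# Constructed sample, not real traffic: a steady 60 s transfer, a half-second
# burst inside it, a faster 10 s transfer, and one tiny flow a minute later.
SAMPLE_FLOWS = """\
1448985600.000,60.000,60000000
1448985610.000,0.500,5000000
1448985630.000,10.000,20000000
1448985700.000,1.000,1000
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse rwcut-style CSV lines into (start, duration, bytes) tuples."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        start, dur, nbytes = line.split(",")
        flows.append((float(start), float(dur), int(nbytes)))
    return flows


def bin_bytes(flows: List[Flow], bin_size: int, scheme: str = "proportional") -> Dict[int, float]:
    """Sum bytes per time bin (bin key = epoch second at which the bin starts).

    scheme="proportional": spread a flow's bytes evenly over the bins its
        duration covers, which is what rwcount's default load scheme does.
    scheme="start": put all of a flow's bytes into the bin holding its start
        time (rwcount --load-scheme=1); overstates the peak for long flows.
    """
    bins: Dict[int, float] = defaultdict(float)
    for start, dur, nbytes in flows:
        first_bin = int(start // bin_size) * bin_size
        if scheme == "start" or dur <= 0:
            # Zero-duration flows have no interval to spread over.
            bins[first_bin] += nbytes
            continue
        end = start + dur
        t = start
        while t < end:
            bin_start = int(t // bin_size) * bin_size
            seg_end = min(end, bin_start + bin_size)
            bins[bin_start] += nbytes * (seg_end - t) / dur
            t = seg_end
    return bins


def peak_bin(bins: Dict[int, float], bin_size: int) -> Tuple[int, float, float]:
    """Return (bin_start, bytes, megabits_per_second) for the busiest bin."""
    bin_start, nbytes = max(bins.items(), key=lambda kv: kv[1])
    return bin_start, nbytes, nbytes * 8 / bin_size / 1e6


def peak_bandwidth(text: str, bin_size: int, scheme: str = "proportional") -> Tuple[int, float, float]:
    """Convenience wrapper: CSV text in, busiest bin out."""
    return peak_bin(bin_bytes(parse_flows(text), bin_size, scheme), bin_size)


if __name__ == "__main__":
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    if not data.strip():
        data = SAMPLE_FLOWS  # fall back to the constructed sample
    for size in (1, 60, 3600):
        when, b, mbps = peak_bandwidth(data, size)
        print(f"bin={size:5d}s  peak bin starts at epoch {when}: {b:,.0f} bytes = {mbps:.2f} Mbit/s")
    when, b, mbps = peak_bandwidth(data, 1, scheme="start")
    print(f"bin=    1s  --load-scheme=1 style: {mbps:.2f} Mbit/s (bytes piled into each flow's start bin)")
```

Run it with the rwcut pipeline above on stdin, or with no input to use the sample. On the sample the 1-second peak is 48 Mbit/s (the burst on top of the steady transfer), the 60-second peak is about 11.3 Mbit/s, and attributing every flow's bytes to its start second reports 480 Mbit/s, which is why the load scheme matters when the goal is a provisioning number.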

A non-text attachment was scrubbed...
Name: PrismExample.zip
Type: application/x-zip-compressed
Size: 815895 bytes
Desc: not available
URL: <http://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/attachments/20151202/e334b3fa/attachment.bin>