[netsa-tools-discuss] alernate use of rwstats --percentage

Angela Horneman ahorneman at cert.org
Wed Sep 16 09:22:04 EDT 2015


Asad,

If you replace --percentage=1 with --count=10 in your first example, there will be a column "%Bytes" in the output. You can use that column to check if any of the 10 DIPs with the greatest byte volumes have a volume that is at least 1% of the total.

Angela
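To make the relationship between the two switches concrete, here is a small Python re-implementation of what rwstats does in its --count=N and --percentage=N modes over rwcut-style pipe-delimited output. It is an added example, not SiLK code and not from anyone in this thread; the sample rows are constructed, and the column names follow the rwcut output shown further down in the thread. It goes slightly beyond the question by showing both selection modes side by side: a --count listing always yields a "%Bytes" column that can be filtered by hand, while --percentage=1 returns only the bins whose share of total bytes exceeds 1%, and therefore nothing at all when no bin reaches that share.

```python
"""Miniature re-implementation of the two rwstats selection modes discussed in
this thread (--count=N and --percentage=N) over rwcut-style pipe-delimited
output, so the "%Bytes" column can be seen being computed.  This is an added
example, not SiLK code; the sample rows below are constructed."""

from collections import defaultdict

# Constructed sample in the shape of
#   rwcut --fields=sip,sport,dip,dport,bytes
# output.  One dIP gets almost all bytes, one sits just under 1% of the total.
SAMPLE = """\
            sIP|sPort|            dIP|dPort|     bytes|
   10.10.13.152|    0|    10.10.4.145|    0|        78|
   10.10.13.152|    0|    10.10.4.145|    0|        78|
   10.10.13.152|    0|    10.10.4.145|    0|        78|
   10.10.13.152| 3306|   172.31.253.7|45012|    920000|
   10.10.13.152| 3306|   172.31.253.9|45013|     60000|
   10.10.13.152| 3306|  172.31.253.10|45014|      5000|
"""


def parse_rwcut(text):
    """Parse rwcut's pipe-delimited text (header row first, trailing '|')
    into a list of dicts keyed by the header names; bytes become ints."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].strip().rstrip("|").split("|")]
    rows = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.strip().rstrip("|").split("|")]
        row = dict(zip(header, cells))
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def bin_bytes(rows, key="dIP"):
    """Sum bytes per distinct value of `key` (rwstats --fields=dip --bytes)."""
    bins = defaultdict(int)
    for r in rows:
        bins[r[key]] += r["bytes"]
    return dict(bins)


def rwstats_like(bins, count=None, percentage=None):
    """Rank bins by bytes (descending) and select them the way rwstats does:
    --count=N keeps the top N bins; --percentage=N keeps bins whose share
    of the total is greater than N percent.  Returns (key, bytes,
    pct_of_total, cumulative_pct) tuples."""
    total = sum(bins.values())
    ordered = sorted(bins.items(), key=lambda kv: (-kv[1], kv[0]))
    out, cum = [], 0.0
    for key, nbytes in ordered:
        pct = 100.0 * nbytes / total if total else 0.0
        if percentage is not None and pct <= percentage:
            break  # bins are sorted, so nothing further can pass
        cum += pct
        out.append((key, nbytes, round(pct, 6), round(cum, 6)))
        if count is not None and len(out) >= count:
            break
    return out


def at_least(stats, threshold):
    """Angela's check: from a --count listing, which bins are at least
    `threshold` percent of the total bytes?"""
    return [key for key, _, pct, _ in stats if pct >= threshold]


def render(stats):
    """Text table in the spirit of rwstats output (column names only)."""
    lines = ["%15s|%12s|%10s|%10s|" % ("dIP", "Bytes", "%Bytes", "cumul_%")]
    for key, nbytes, pct, cum in stats:
        lines.append("%15s|%12d|%10.6f|%10.6f|" % (key, nbytes, pct, cum))
    return "\n".join(lines)


if __name__ == "__main__":
    bins = bin_bytes(parse_rwcut(SAMPLE))
    print("--count=10:")
    print(render(rwstats_like(bins, count=10)))
    print("\n--percentage=1:")
    print(render(rwstats_like(bins, percentage=1)))
    print("\nbins at or above 1%:", at_least(rwstats_like(bins, count=10), 1.0))
```

Running it prints the four-row --count=10 table with its "%Bytes" column, then the two-row --percentage=1 result; the 172.31.253.10 and 10.10.4.145 bins appear only in the first because each is below 1% of the total. The real tool computes the same shares, so the practical takeaway from Angela's reply is unchanged: ask for a fixed number of bins, then read the percentage column.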

-----Original Message-----
From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org [mailto:netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org] On Behalf Of asad
Sent: Wednesday, September 16, 2015 12:49 AM
To: Evgeniy Sudyr <eject.in.ua at gmail.com>
Cc: netsa-tools-discuss at cert.org
Subject: Re: [netsa-tools-discuss] alernate use of rwstats --percentage

Thanks Eugene,

My output is:-

            sIP|sPort|            dIP|dPort|     bytes|
   10.10.13.152|    0|    10.10.4.145|    0|        78|
   10.10.13.152|    0|    10.10.4.145|    0|        78|
   10.10.13.152|    0|    10.10.4.145|    0|        78|


With command

rwfilter --sensor=S0 --type=all --pass=stdout --saddress=10.10.13.152 \
  --start-date=2015/09/13:15 --end-date=2015/09/16:15 \
  | rwsort --fields=bytes | rwcut --fields=sip,sport,dip,dport,bytes

I'm getting bytes in the last column, but I don't know how to get that as a percentage of the total bytes from all records.

thanks.




On 9/15/15, Evgeniy Sudyr <eject.in.ua at gmail.com> wrote:
> Ai,
>
> are you sure that in your rwfilter results you have more than 1% of Bytes?
>
> From rwstats man page:
>
> *--percentage*=*N* Print the bins where the primary value is 
> greater-than (or less-than) *N* percent of the sum of the primary 
> values across all bins.
>
>
> I think it will be useful to see --count --Packets
>
>
> On Tue, Sep 15, 2015 at 5:31 PM, asad <a.alii85 at gmail.com> wrote:
>
>> Hi,
>>
>> I want to know what "alternate options" exists for following:-
>>
>> rwfilter --sensor=Vrouter1 --type=out --sport=3306 --pass=stdout \
>>   --start-date=2012/11/13:00 --end-date=2012/11/13:23 \
>>   --saddress=172.31.253.102 | rwstats --percentage=1 --bytes \
>>   --fields=dip
>>
>> I don't know why, but using the --percentage=1 flag I get zero results,
>> even when I know this IP is present in the records. Is there any reason
>> why such a thing would happen?
>>
>> Or can I move to other rwstats switch parameters to perform the same
>> task as I am trying to achieve with percentage=1?
>>
>> Thanks.
>>
>>
>>
>
>
> --
> --
> With regards,
> Eugene Sudyr
>