[netsa-tools-discuss] alternate use of rwstats --percentage

asad a.alii85 at gmail.com
Wed Sep 16 10:50:47 EDT 2015


Thanks Angela and Evgeniy. I believe I have been unfair to part I have
explained my case effectively.

There is a critical server on the enterprise network whose traffic I want to
monitor for the following usage:

"to monitor connections to and from the server w.r.t. bytes"

This is done to get some way of knowing "normal" behavior for the traffic,
i.e. the number of bytes sent per day between server and client.

I will try out the suggestions as soon as I get access to the office network
(currently I'm at home) and will update accordingly.

On Wed, Sep 16, 2015 at 6:22 PM, Angela Horneman <ahorneman at cert.org> wrote:

> Asad,
>
> If you replace --percentage=1 with --count=10 in your first example, there
> will be a column "%Bytes" in the output. You can use that column to check
> if any of the 10 DIPs with the greatest byte volumes have a volume that is
> at least 1% of the total.
>
> Angela
>
> -----Original Message-----
> From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org On Behalf Of asad
> Sent: Wednesday, September 16, 2015 12:49 AM
> To: Evgeniy Sudyr <eject.in.ua at gmail.com>
> Cc: netsa-tools-discuss at cert.org
> Subject: Re: [netsa-tools-discuss] alternate use of rwstats --percentage
>
> Thanks Eugene,
>
> My output is:
>
>             sIP|sPort|            dIP|dPort|     bytes|
>    10.10.13.152|    0|    10.10.4.145|    0|        78|
>    10.10.13.152|    0|    10.10.4.145|    0|        78|
>    10.10.13.152|    0|    10.10.4.145|    0|        78|
>
>
> With the command
>
> rwfilter --sensor=S0 --type=all --pass=stdout --saddress=10.10.13.152
> --start-date=2015/09/13:15 --end-date=2015/09/16:15 | rwsort
> --fields=bytes | rwcut --fields=sip,sport,dip,dport,bytes
>
> I'm getting bytes in the last column, but I don't know how to get that as a
> percentage of the total bytes from all records.
>
> thanks.
>
>
>
>
> On 9/15/15, Evgeniy Sudyr <eject.in.ua at gmail.com> wrote:
> > Ai,
> >
> > are you sure that in your rwfilter results you have more than 1% of
> > Bytes?
> >
> > From rwstats man page:
> >
> > *--percentage*=*N* Print the bins where the primary value is
> > greater-than (or less-than) *N* percent of the sum of the primary
> > values across all bins.
> >
> >
> > I think it will be useful to see --count --Packets
> >
> >
> > On Tue, Sep 15, 2015 at 5:31 PM, asad <a.alii85 at gmail.com> wrote:
> >
> >> Hi,
> >>
> >> I want to know what "alternate options" exist for the following:
> >>
> >> rwfilter --sensor=Vrouter1 --type=out --sport=3306 --pass=stdout
> >> --start-date=2012/11/13:00 --end-date=2012/11/13:23
> >> --saddress=172.31.253.102 | rwstats --percentage=1 --bytes
> >> --fields=dip
> >>
> >> I don't know why, but using the --percentage=1 flag I get zero results,
> >> even when I know this IP is present in the records. Is there any reason
> >> why such a thing would happen?
> >>
> >> Or can I move to other rwstats switch parameters to perform the same
> >> task I am trying to achieve with --percentage=1?
> >>
> >> Thanks.
> >>
> >>
> >>
> >
> >
> > --
> > --
> > With regards,
> > Eugene Sudyr
> >
>
>
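The thread turns on what rwstats --percentage=N actually selects (bins whose byte total exceeds N percent of the grand total) versus what --count=N prints (the N largest bins with a %Bytes column). The Python below is an added illustration, not part of the thread or of the SiLK tools: it emulates both selections over constructed rwcut-style records, and shows that when traffic is spread thinly across many destinations, --percentage=1 legitimately returns nothing while --count still lists the top destinations with their share. The function names and the sample data are my own.

```python
"""Emulate rwstats --percentage=N and --count=N selection over rwcut-style output.
Added example; the record layout mirrors rwcut's '|' columns but the data is made up."""
from collections import defaultdict

# Constructed sample in the layout rwcut --fields=sip,sport,dip,dport,bytes prints.
SAMPLE = """\
            sIP|sPort|            dIP|dPort|     bytes|
   10.10.13.152|    0|    10.10.4.145|    0|        78|
   10.10.13.152|    0|    10.10.4.145|    0|        78|
   10.10.13.152|    0|    10.10.4.146|    0|      1500|
   10.10.13.152|    0|    10.10.4.147|    0|     12000|
"""


def bytes_per_dip(text):
    """Sum the bytes column per dIP (the --fields=dip --bytes bins), skipping the header."""
    totals = defaultdict(int)
    for line in text.splitlines():
        cols = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cols) < 5 or not cols[4].isdigit():
            continue  # header or blank line
        totals[cols[2]] += int(cols[4])
    return dict(totals)


def percent_bins(totals, n):
    """--percentage=N: keep only bins whose value is greater than N% of the grand total."""
    grand = sum(totals.values())
    if not grand:
        return {}
    return {k: round(100.0 * v / grand, 2) for k, v in totals.items()
            if 100.0 * v / grand > n}


def top_bins(totals, n):
    """--count=N: the N largest bins, each with the %Bytes column rwstats would print."""
    grand = sum(totals.values())
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(k, v, round(100.0 * v / grand, 2)) for k, v in ranked]


def spread_traffic(n_peers, bytes_each=78):
    """Constructed case: the same byte count to n_peers distinct dIPs (hypothetical 10.10.5.0/24 hosts)."""
    return {"10.10.5.%d" % i: bytes_each for i in range(1, n_peers + 1)}


if __name__ == "__main__":
    print(percent_bins(bytes_per_dip(SAMPLE), 1))   # three bins, all above 1%
    print(percent_bins(spread_traffic(200), 1))      # {} : every bin is exactly 0.5%
    print(top_bins(spread_traffic(200), 10))         # ten rows, %Bytes 0.5 each
```

The empty result in the second call is the behaviour the original poster saw: no single destination crossed the 1% line, so --percentage=1 printed nothing, whereas --count=10 always prints rows and the %Bytes column tells you how far below 1% they are.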