[netsa-tools-discuss] alernate use of rwstats --percentage

asad a.alii85 at gmail.com
Fri Sep 18 01:54:56 EDT 2015


This is an update.

I have edited the command as told by "Angela"; now I get a very useful
output, which shows that the %Bytes value is never greater than
0.025112. This explains why percentage=1 was not working.

But what is more strange is that now I start to question the suitability of
Cisco ASA NSEL NetFlow logs. Here is the reason why:


Changing the command and adding params, e.g. --packets=4- --ack-flag=1,
delivers me zero output. Even more strange (please see attachment),
the flags column is empty (it is even empty when no
--ack-flag=1 value is set).



On 9/16/15, asad <a.alii85 at gmail.com> wrote:
> Thanks Angela and Evgeniy. I believe I have been unfair to part I have
> explained my case effectively.
>
> There is a critical server on the enterprise network whose traffic I want to
> monitor for the following usage:
>
> " to monitor connection to and from the server w.r.t to bytes "
>
> This is done to get some way of knowing the "normal" behavior of the traffic,
> i.e. the number of bytes sent per day between server and client.
>
> I will try out the suggestions as soon as I get access to the office network
> (currently I'm at home) and will update accordingly.
>
> On Wed, Sep 16, 2015 at 6:22 PM, Angela Horneman <ahorneman at cert.org>
> wrote:
>
>> Asad,
>>
>> If you replace --percentage=1 with --count=10 in your first example, there
>> will be a column "%Bytes" in the output. You can use that column to check
>> if any of the 10 DIPs with the greatest byte volumes have a volume that is
>> at least 1% of the total.
>>
>> Angela
>>
>> -----Original Message-----
>> From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org [mailto:
>> netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org] On Behalf Of
>> asad
>> Sent: Wednesday, September 16, 2015 12:49 AM
>> To: Evgeniy Sudyr <eject.in.ua at gmail.com>
>> Cc: netsa-tools-discuss at cert.org
>> Subject: Re: [netsa-tools-discuss] alernate use of rwstats --percentage
>>
>> Thanks Eugene,
>>
>> My output is:-
>>
>>             sIP|sPort|            dIP|dPort|     bytes|
>>    10.10.13.152|    0|    10.10.4.145|    0|        78|
>>    10.10.13.152|    0|    10.10.4.145|    0|        78|
>>    10.10.13.152|    0|    10.10.4.145|    0|        78|
>>
>>
>> With command
>>
>> rwfilter --sensor=S0 --type=all --pass=stdout --saddress=10.10.13.152
>> --start-date=2015/09/13:15 --end-date=2015/09/16:15 | rwsort
>> --fields=bytes | rwcut --fields=sip,sport,dip,dport,bytes
>>
>> I'm getting bytes in the last column, but I don't know how to get that as a
>> percentage of the total bytes from all records.
>>
>> thanks.
>>
>>
>>
>>
>> On 9/15/15, Evgeniy Sudyr <eject.in.ua at gmail.com> wrote:
>> > Ai,
>> >
>> > are you sure that in your rwfilter results you have more than 1% of
>> > Bytes?
>> >
>> > From rwstats man page:
>> >
>> > *--percentage*=*N* Print the bins where the primary value is
>> > greater-than (or less-than) *N* percent of the sum of the primary
>> > values across all bins.
>> >
>> >
>> > I think it will be useful to see --count --Packets
>> >
>> >
>> > On Tue, Sep 15, 2015 at 5:31 PM, asad <a.alii85 at gmail.com> wrote:
>> >
>> >> Hi,
>> >>
>> >> I want to know what "alternate options" exist for the following:
>> >>
>> >> rwfilter --sensor=Vrouter1 --type=out --sport=3306 --pass=stdout
>> >> --start-date=2012/11/13:00 --end-date=2012/11/13:23
>> >> --saddress=172.31.253.102 | rwstats --percentage=1 --bytes
>> >> --fields=dip
>> >>
>> >> I don't know why, but using the --percentage=1 flag I get zero results,
>> >> even when I know this IP is present in the records. Is there any reason
>> >> why that would happen?
>> >>
>> >> Or can I move to other rwstats switch parameters to perform the same
>> >> task as I'm trying to achieve with percentage=1?
>> >>
>> >> Thanks.
>> >>
>> >>
>> >>
>> >
>> >
>> > --
>> > --
>> > With regards,
>> > Eugene Sudyr
>> >
>>
>>
>
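The rwstats behaviour discussed in this thread (the man-page definition of --percentage quoted by Evgeniy and the %Bytes column Angela pointed to), re-implemented in Python over constructed flow records. This is an added example, not SiLK code or anything posted to the list; the function names, the 4000-destination sample and the 10.10.250.1 heavy talker are my own constructions. It shows why many destinations each receiving one 78-byte flow leave --percentage=1 empty while --count=10 still lists them with their share.

```python
from collections import defaultdict

SERVER = "10.10.13.152"  # the monitored server from the thread


def make_flows(n_dips, bytes_each, heavy=None):
    """Build constructed (sIP, sPort, dIP, dPort, bytes) tuples, shaped like
    the rwcut output in the thread: one bytes_each flow from SERVER to each
    of n_dips distinct dIPs in 10.10.0.0-10.10.15.255, plus optional
    (dip, bytes) heavy talkers.  Sample data, not real traffic."""
    flows = [(SERVER, 0, f"10.10.{i // 256}.{i % 256}", 0, bytes_each)
             for i in range(n_dips)]
    for dip, nbytes in heavy or []:
        flows.append((SERVER, 0, dip, 0, nbytes))
    return flows


def bin_bytes_by_dip(flows):
    """Like `rwstats --fields=dip --bytes`: sum bytes into one bin per dIP."""
    bins = defaultdict(int)
    for _sip, _sport, dip, _dport, nbytes in flows:
        bins[dip] += nbytes
    return dict(bins)


def with_percent(bins):
    """Rank bins by bytes and attach the %Bytes column: each bin's share of
    the sum of the primary value across all bins."""
    total = sum(bins.values())
    ranked = sorted(bins.items(), key=lambda kv: kv[1], reverse=True)
    return [(dip, b, 100.0 * b / total) for dip, b in ranked]


def rwstats_percentage(bins, n):
    """--percentage=N: print only bins whose %Bytes is greater than N."""
    return [row for row in with_percent(bins) if row[2] > n]


def rwstats_count(bins, n):
    """--count=N: the N largest bins with their %Bytes, whatever the share."""
    return with_percent(bins)[:n]


if __name__ == "__main__":
    bins = bin_bytes_by_dip(make_flows(4000, 78))
    print("max %Bytes:", max(r[2] for r in with_percent(bins)))      # 0.025
    print("--percentage=1 rows:", len(rwstats_percentage(bins, 1)))  # 0
    print("--count=10 rows:", len(rwstats_count(bins, 10)))          # 10
```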