[netsa-tools-discuss] alernate use of rwstats --percentage

Mark Thomas mthomas at cert.org
Mon Sep 21 12:39:41 EDT 2015


I have a couple of PCAP files that contain data from a Cisco ASA,
and the NetFlow v9 templates do not include Information Element 6,
TCP_FLAGS.

If you wish to confirm this for yourself, set the
SILK_IPFIX_PRINT_TEMPLATES environment variable to 1 prior to
starting rwflowpack or flowcap.  With that variable set, rwflowpack
or flowcap prints to its log file each IPFIX/NetFlow v9 template it
receives.

When the tool prints the template, it uses the IPFIX names for the
information elements, which you can find at
http://www.iana.org/assignments/ipfix/ipfix.xhtml

The IPFIX name for TCP_FLAGS is tcpControlBits.

-Mark

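To see what "the template does not include Information Element 6" looks like on the wire, here is an added example (mine, not code from Mark, SiLK, or the NetSA project) that builds a NetFlow v9 packet carrying two constructed template records and walks the template FlowSet the same way an exporter-side parser would, reporting each field type under its IANA name and listing the templates that carry no tcpControlBits. The packet contents, the template IDs 256/257 and the chosen field lists are constructed for illustration; the field-type numbers and names are from the IANA IPFIX registry linked above, and only a handful of them are mapped here.

```python
import struct

# Subset of the IANA IPFIX information element registry
# (http://www.iana.org/assignments/ipfix/ipfix.xhtml). NetFlow v9 field
# types use the same numbers as IPFIX for the elements below.
IANA_IE_NAMES = {
    1: "octetDeltaCount",
    2: "packetDeltaCount",
    4: "protocolIdentifier",
    6: "tcpControlBits",
    7: "sourceTransportPort",
    8: "sourceIPv4Address",
    11: "destinationTransportPort",
    12: "destinationIPv4Address",
    152: "flowStartMilliseconds",
    153: "flowEndMilliseconds",
    233: "firewallEvent",
}

TCP_FLAGS_IE = 6  # Information Element 6, TCP_FLAGS / tcpControlBits


def build_v9_template_packet(templates, source_id=1, seq=0):
    """Build a NetFlow v9 packet holding one template FlowSet (FlowSet ID 0).

    `templates` maps template_id -> [(field_type, field_length), ...].
    Constructed test data, not a capture from a real ASA.
    """
    records = b""
    for tid, fields in templates.items():
        records += struct.pack("!HH", tid, len(fields))
        for ftype, flen in fields:
            records += struct.pack("!HH", ftype, flen)
    flowset = struct.pack("!HH", 0, 4 + len(records)) + records
    # v9 header: version, record count, sysUptime, unix secs, sequence, source id
    header = struct.pack("!HHIIII", 9, len(templates), 1000, 1442851200, seq, source_id)
    return header + flowset


def parse_v9_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} for every
    template FlowSet in a NetFlow v9 packet. Options templates (FlowSet ID 1)
    and data FlowSets (ID >= 256) are skipped over by their length field."""
    version, _count = struct.unpack("!HH", packet[:4])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version %d)" % version)
    templates = {}
    off = 20  # fixed v9 header size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad FlowSet length %d at offset %d" % (fs_len, off))
        end = off + fs_len
        if fs_id == 0:
            p = off + 4
            while p + 4 <= end:
                tid, nfields = struct.unpack("!HH", packet[p:p + 4])
                p += 4
                if tid == 0 and nfields == 0:  # zero padding at FlowSet end
                    break
                fields = []
                for _ in range(nfields):
                    ftype, flen = struct.unpack("!HH", packet[p:p + 4])
                    fields.append((ftype, flen))
                    p += 4
                templates[tid] = fields
        off = end
    return templates


def describe_template(fields):
    """Render a template the way one would want to read it in the rwflowpack
    log: IANA name where known, otherwise the numeric field type."""
    return [(ftype, flen, IANA_IE_NAMES.get(ftype, "unknown(%d)" % ftype))
            for ftype, flen in fields]


def templates_without_tcp_flags(packet):
    """Template IDs whose field list carries no IE 6 (tcpControlBits); flows
    exported under these templates arrive with nothing to fill a flags column."""
    return sorted(tid for tid, fields in parse_v9_templates(packet).items()
                  if all(ftype != TCP_FLAGS_IE for ftype, _ in fields))


# Constructed: template 256 is NSEL-style and omits tcpControlBits; template
# 257 is a conventional flow template that carries it.
SAMPLE_PACKET = build_v9_template_packet({
    256: [(8, 4), (7, 2), (12, 4), (11, 2), (4, 1), (1, 4), (152, 8), (153, 8), (233, 1)],
    257: [(8, 4), (7, 2), (12, 4), (11, 2), (4, 1), (6, 1), (1, 4), (2, 4)],
})

if __name__ == "__main__":
    for tid, fields in parse_v9_templates(SAMPLE_PACKET).items():
        print("template %d:" % tid)
        for ftype, flen, name in describe_template(fields):
            print("  %-4d len=%-2d %s" % (ftype, flen, name))
    print("templates lacking tcpControlBits:", templates_without_tcp_flags(SAMPLE_PACKET))
```

Running it prints both templates and reports `[256]` as the one without tcpControlBits, which is the situation Mark describes: any flow exported under such a template cannot populate the flags field no matter what rwfilter or rwcut options are used downstream.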

On Fri, 18 Sep 2015 10:54:56 +0500, asad wrote:

> This is an update.
>
> I have edited the cmd as told by "Angela", and now I get a very useful
> output which shows that the %Bytes value is never greater than
> 0.025112; this explains why --percentage=1 was not working.
>
> But what is more strange now is that I start to question the suitability
> of the Cisco ASA asel NetFlow logs. Here is the reason why:
>
>
> Changing the command and adding params, e.g. --packets=4- --ack-flag=1,
> delivers zero output. Even more strange (please see attachment), the
> flags column is empty (it is even empty when no --ack-flag=1 value is
> set).
>
>
>
> On 9/16/15, asad <a.alii85 at gmail.com> wrote:
>> Thanks Angela and Evgeniy. I believe I have been unfair, in that I have not
>> explained my case effectively.
>>
>> There is a critical server on the enterprise network whose traffic I want to
>> monitor for the following usage:
>>
>> " to monitor connection to and from the server w.r.t to bytes "
>>
>> This is done to get some way of knowing "normal" behavior for the traffic,
>> i.e. the number of bytes sent per day between server and client.
>>
>> I will try out the suggestions as soon as I get access to the office network
>> (currently I'm at home) and will update accordingly.
>>
>> On Wed, Sep 16, 2015 at 6:22 PM, Angela Horneman <ahorneman at cert.org>
>> wrote:
>>
>>> Asad,
>>>
>>> If you replace --percentage=1 with --count=10 in your first example, there
>>> will be a column "%Bytes" in the output. You can use that column to check
>>> if any of the 10 DIPs with the greatest byte volumes have a volume that is
>>> at least 1% of the total.
>>>
>>> Angela
>>>
>>> -----Original Message-----
>>> From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org [mailto:
>>> netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org] On Behalf Of
>>> asad
>>> Sent: Wednesday, September 16, 2015 12:49 AM
>>> To: Evgeniy Sudyr <eject.in.ua at gmail.com>
>>> Cc: netsa-tools-discuss at cert.org
>>> Subject: Re: [netsa-tools-discuss] alernate use of rwstats --percentage
>>>
>>> Thanks Eugene,
>>>
>>> My output is:-
>>>
>>>             sIP|sPort|            dIP|dPort|     bytes|
>>>    10.10.13.152|    0|    10.10.4.145|    0|        78|
>>>    10.10.13.152|    0|    10.10.4.145|    0|        78|
>>>    10.10.13.152|    0|    10.10.4.145|    0|        78|
>>>
>>>
>>> With command
>>>
>>> rwfilter --sensor=S0 --type=all --pass=stdout --saddress=10.10.13.152
>>> --start-date=2015/09/13:15 --end-date=2015/09/16:15 | rwsort
>>> --fields=bytes | rwcut --fields=sip,sport,dip,dport,bytes
>>>
>>> I'm getting bytes in the last column, but I don't know how to get that as
>>> a percentage of the total bytes across all records.
>>>
>>> thanks.
>>>
>>>
>>>
>>>
>>> On 9/15/15, Evgeniy Sudyr <eject.in.ua at gmail.com> wrote:
>>> > Ai,
>>> >
>>> > are you sure that in your rwfilter results you have more than 1% of
>>> > Bytes?
>>> >
>>> > From rwstats man page:
>>> >
>>> > --percentage=N  Print the bins where the primary value is
>>> > greater-than (or less-than) N percent of the sum of the primary
>>> > values across all bins.
>>> >
>>> >
>>> > I think it will be useful to see --count --Packets
>>> >
>>> >
>>> > On Tue, Sep 15, 2015 at 5:31 PM, asad <a.alii85 at gmail.com> wrote:
>>> >
>>> >> Hi,
>>> >>
>>> >> I want to know what alternative options exist for the following:
>>> >>
>>> >> rwfilter --sensor=Vrouter1 --type=out --sport=3306 --pass=stdout
>>> >> --start-date=2012/11/13:00 --end-date=2012/11/13:23
>>> >> --saddress=172.31.253.102 | rwstats --percentage=1 --bytes
>>> >> --fields=dip
>>> >>
>>> >> I don't know why, but using the --percentage=1 flag I get zero results,
>>> >> even when I know this IP is present in the records. Is there any reason
>>> >> why such a thing would happen?
>>> >>
>>> >> Or can I move to other rwstats switch parameters to perform the same
>>> >> task I am trying to achieve with --percentage=1?
>>> >>
>>> >> Thanks.
>>> >>
>>> >>
>>> >>
>>> >
>>> >
>>> > --
>>> > With regards,
>>> > Eugene Sudyr
>>> >
>>>
>>>
>>

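Evgeniy's man-page excerpt and Angela's --count=10 suggestion describe the two selection modes of rwstats that the thread turns on: --percentage=N keeps only bins whose primary value exceeds N percent of the total, and --count=N keeps the N largest bins regardless of share and still prints %Bytes and cumul_% for them. The following is an added example, written for this page and not code from SiLK or from anyone in the thread, that re-implements both modes over constructed flow records (sIP, dIP, bytes) so the failure mode is visible: a server talking to 150 clients whose largest destination holds just under 1% of the bytes yields nothing under --percentage=1, while --count=10 shows exactly how far below the threshold the top talkers sit. A second constructed data set adds one outlier destination to show --percentage=1 returning a row. The flow values, addresses and tie-breaking order are assumptions of this example, not SiLK's exact output.

```python
from collections import defaultdict


def constructed_flows(with_outlier=False):
    """Constructed stand-in for rwfilter output: (sIP, dIP, bytes) tuples.
    150 clients, three small flows each; bytes per client range 1050..2850
    so that no single dIP reaches 1% of the 291600-byte total."""
    server = "10.10.13.152"
    flows = []
    for i in range(1, 151):
        dip = "10.10.4.%d" % i
        for k in range(3):
            flows.append((server, dip, 300 + 100 * (i % 7) + 50 * k))
    if with_outlier:
        # one destination that pulls 50000 bytes, ~14.6% of the new total
        flows.append((server, "10.10.4.200", 50000))
    return flows


def bin_bytes(flows, key_index=1):
    """rwstats --fields=dip --bytes: sum the primary value per distinct key."""
    bins = defaultdict(int)
    for rec in flows:
        bins[rec[key_index]] += rec[2]
    return dict(bins)


def _ordered(bins, descending=True):
    # Sort by value, then key, so ties are deterministic (assumption: SiLK's
    # own tie order is not specified here).
    return sorted(bins.items(), key=lambda kv: (kv[1], kv[0]), reverse=descending)


def rwstats_percentage(flows, threshold, key_index=1, bottom=False):
    """--percentage=N: bins whose value is greater than N percent of the
    total (or, with bottom=True as for --bottom, less than N percent).
    Returns rows of (key, bytes, %bytes, cumul_%)."""
    bins = bin_bytes(flows, key_index)
    total = sum(bins.values())
    rows, cumul = [], 0.0
    for key, val in _ordered(bins, descending=not bottom):
        pct = 100.0 * val / total
        if (pct <= threshold) if not bottom else (pct >= threshold):
            break  # list is sorted, so nothing further can qualify
        cumul += pct
        rows.append((key, val, pct, cumul))
    return rows


def rwstats_count(flows, n, key_index=1):
    """--count=N: the N largest bins, with %Bytes and cumul_% columns, which
    is what lets you see whether anything could ever pass --percentage=1."""
    bins = bin_bytes(flows, key_index)
    total = sum(bins.values())
    rows, cumul = [], 0.0
    for key, val in _ordered(bins)[:n]:
        pct = 100.0 * val / total
        cumul += pct
        rows.append((key, val, pct, cumul))
    return rows


def print_rows(rows):
    print("%15s|%10s|%10s|%10s|" % ("dIP", "Bytes", "%Bytes", "cumul_%"))
    for key, val, pct, cumul in rows:
        print("%15s|%10d|%10.6f|%10.6f|" % (key, val, pct, cumul))


if __name__ == "__main__":
    flows = constructed_flows()
    print("--percentage=1 on the baseline data:")
    print_rows(rwstats_percentage(flows, 1))  # prints only the header
    print("--count=10 on the same data:")
    print_rows(rwstats_count(flows, 10))
    print("--percentage=1 with one outlier destination:")
    print_rows(rwstats_percentage(constructed_flows(with_outlier=True), 1))
```

On the baseline data every dIP sits below 0.98% of the total, so the percentage query is empty by design rather than because the IP is absent; the --count output makes that visible in one run, which is the diagnostic step Angela recommends before concluding that the data itself is unusable.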
