[netsa-tools-discuss] alternate use of rwstats --percentage
asad
a.alii85 at gmail.com
Wed Sep 23 04:33:06 EDT 2015
Thomas,
Can you educate me on how to set the env variable "SILK_IPFIX_PRINT_TEMPLATES"?
On 9/21/15, Mark Thomas <mthomas at cert.org> wrote:
> I have a couple of PCAP files that contain data from a Cisco ASA,
> and the NetFlow v9 templates do not include Information Element 6,
> TCP_FLAGS.
>
> If you wish to confirm this for yourself, set the
> SILK_IPFIX_PRINT_TEMPLATES environment variable to 1 prior to
> starting rwflowpack or flowcap. With that variable set, rwflowpack
> or flowcap print to its log file each IPFIX/NetFlow v9 template it
> receives.
>
> When the tool prints the template, it uses the IPFIX names for the
> information elements, which you can find at
> http://www.iana.org/assignments/ipfix/ipfix.xhtml
>
> The IPFIX name for TCP_FLAGS is tcpControlBits.
>
> -Mark
>
>
> On Fri, 18 Sep 2015 10:54:56 +0500, asad wrote:
>
>> This is an update.
>>
>> I have edited the cmd as told by "Angela", and now I get a very useful
>> output which shows that the %Bytes value is never greater than
>> 0.025112; this explains why the percentage=1 was not working.
>>
>> But what is more strange now is that I start to question the suitability
>> of Cisco ASA asel NetFlow logs; here is the reason why:
>>
>>
>> Changing the command and adding params, e.g. --packets=4- --ack-flag=1,
>> delivers me zero output. Even more strange (please see attachment) is
>> that the flags column is empty (it is even empty when there is no
>> --ack-flag=1 value set).
>>
>>
>>
>> On 9/16/15, asad <a.alii85 at gmail.com> wrote:
>>> Thanks Angela and Evgeniy. I believe I have been unfair to part I have
>>> explained my case effectively.
>>>
>>> There is a critical server on the enterprise network whose traffic I want
>>> to monitor for the following usage:
>>>
>>> " to monitor connection to and from the server w.r.t to bytes "
>>>
>>> This is done to get some way of knowing "normal" behavior for the
>>> traffic, i.e. the number of bytes sent per day between server and client.
>>>
>>> I will try out the suggestions as soon as I get access to the office
>>> network (currently I'm at home) and will update accordingly.
>>>
>>> On Wed, Sep 16, 2015 at 6:22 PM, Angela Horneman <ahorneman at cert.org>
>>> wrote:
>>>
>>>> Asad,
>>>>
>>>> If you replace --percentage=1 with --count=10 in your first example,
>>>> there will be a column "%Bytes" in the output. You can use that column
>>>> to check if any of the 10 DIPs with the greatest byte volumes have a
>>>> volume that is at least 1% of the total.
>>>>
>>>> Angela
>>>>
>>>> -----Original Message-----
>>>> From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org [mailto:
>>>> netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org] On Behalf Of
>>>> asad
>>>> Sent: Wednesday, September 16, 2015 12:49 AM
>>>> To: Evgeniy Sudyr <eject.in.ua at gmail.com>
>>>> Cc: netsa-tools-discuss at cert.org
>>>> Subject: Re: [netsa-tools-discuss] alternate use of rwstats --percentage
>>>>
>>>> Thanks Eugene,
>>>>
>>>> My output is:
>>>>
>>>> sIP |sPort| dIP| dPort| bytes|
>>>> 10.10.13.152| 0| 10.10.4.145| 0| 78|
>>>> 10.10.13.152| 0| 10.10.4.145| 0| 78|
>>>> 10.10.13.152| 0| 10.10.4.145| 0| 78|
>>>>
>>>>
>>>> With command
>>>>
>>>> rwfilter --sensor=S0 --type=all --pass=stdout --saddress=10.10.13.152
>>>> --start-date=2015/09/13:15 --end-date=2015/09/16:15 | rwsort
>>>> --fields=bytes | rwcut --fields=sip,sport,dip,dport,bytes
>>>>
>>>> I'm getting bytes in the last column, but I don't know how to get that
>>>> as a percentage of the total bytes from all records.
>>>>
>>>> thanks.
>>>>
>>>>
>>>>
>>>>
>>>> On 9/15/15, Evgeniy Sudyr <eject.in.ua at gmail.com> wrote:
>>>> > Ai,
>>>> >
>>>> > are you sure that in your rwfilter results you have more than 1% of
>>>> > Bytes?
>>>> >
>>>> > From the rwstats man page:
>>>> >
>>>> > *--percentage*=*N* Print the bins where the primary value is
>>>> > greater-than (or less-than) *N* percent of the sum of the primary
>>>> > values across all bins.
>>>> >
>>>> >
>>>> > I think it will be useful to see --count --Packets
>>>> >
>>>> >
>>>> > On Tue, Sep 15, 2015 at 5:31 PM, asad <a.alii85 at gmail.com> wrote:
>>>> >
>>>> >> Hi,
>>>> >>
>>>> >> I want to know what "alternate options" exist for the following:
>>>> >>
>>>> >> rwfilter --sensor=Vrouter1 --type=out --sport=3306 --pass=stdout
>>>> >> --start-date=2012/11/13:00 --end-date=2012/11/13:23
>>>> >> --saddress=172.31.253.102 | rwstats --percentage=1 --bytes
>>>> >> --fields=dip
>>>> >>
>>>> >> I don't know why, but using the --percentage=1 flag I get zero results,
>>>> >> even when I know this IP is present in the records. Is there any reason
>>>> >> why such a thing would happen?
>>>> >>
>>>> >> Or can I move to other rwstats switch parameters to perform the same
>>>> >> task as I am trying to achieve with percentage=1?
>>>> >>
>>>> >> Thanks.
>>>> >>
>>>> >>
>>>> >>
>>>> >
>>>> >
>>>> > --
>>>> > With regards,
>>>> > Eugene Sudyr
>>>> >
>>>>
>>>>
>>>
>
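The rwstats behaviour the thread circles around, as an added example that is not part of the original thread or of SiLK itself: a small Python emulation of binning by dIP with --bytes, applying the man-page rule for --percentage=N that Evgeniy quoted and the --count=10 view with its %Bytes column that Angela suggested, over constructed records in the layout of the rwcut output shown above. The function names and the 200-dIP "flat" sample are assumptions made for the illustration.

```python
"""Added example (not SiLK's code): emulate what rwstats --fields=dip --bytes
computes over rwcut-style output, to show why --percentage=1 can print nothing
while --count=10 still exposes the %Bytes share of every bin."""
from collections import defaultdict

# Constructed records in the pipe-delimited layout rwcut printed in the thread.
SAMPLE = """\
sIP|sPort|dIP|dPort|bytes|
10.10.13.152|0|10.10.4.145|0|78|
10.10.13.152|0|10.10.4.145|0|78|
10.10.13.152|3306|10.10.4.20|51000|900|
10.10.13.152|3306|10.10.4.21|51001|22|
"""

def flat_sample(n_dips=200, per=78):
    """Constructed input: 200 dIPs with 78 bytes each, so no bin can exceed 1%."""
    rows = ["sIP|sPort|dIP|dPort|bytes|"]
    rows += [f"10.10.13.152|0|10.10.5.{i}|0|{per}|" for i in range(1, n_dips + 1)]
    return "\n".join(rows) + "\n"

def parse_rwcut(text):
    """Yield one dict per data row; first line is the header, trailing '|' dropped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].rstrip("|").split("|")]
    for ln in lines[1:]:
        yield dict(zip(header, (v.strip() for v in ln.rstrip("|").split("|"))))

def bytes_by_dip(records):
    """Bin records by dIP and sum bytes (the primary value under --bytes)."""
    bins = defaultdict(int)
    for r in records:
        bins[r["dIP"]] += int(r["bytes"])
    return dict(bins)

def percent_bins(bins):
    """The %Bytes column: each bin's share of the sum across all bins."""
    total = sum(bins.values())
    return {k: 100.0 * v / total for k, v in bins.items()}

def rwstats_percentage(bins, n):
    """--percentage=N: only bins whose share is greater than N percent."""
    pct = percent_bins(bins)
    return sorted(((k, bins[k], pct[k]) for k in bins if pct[k] > n),
                  key=lambda t: -t[1])

def rwstats_count(bins, n):
    """--count=N: the N largest bins regardless of share, with %Bytes attached."""
    pct = percent_bins(bins)
    ranked = sorted(bins.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return [(k, v, pct[k]) for k, v in ranked]
```

Running `rwstats_percentage(bytes_by_dip(parse_rwcut(flat_sample())), 1)` returns an empty list, which is the "zero results" symptom from the first post, while `rwstats_count` on the same bins lists ten dIPs at 0.5% each.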