[netsa-tools-discuss] alternate use of rwstats --percentage

asad a.alii85 at gmail.com
Wed Sep 23 13:19:08 EDT 2015


I have set the env variable with the "export" command; however, in

cat /var/log/rwflowpack-*.log

I see nothing of interest. Am I missing something?



On Wed, Sep 23, 2015 at 1:33 PM, asad <a.alii85 at gmail.com> wrote:

> Thomas,
>
> Can you educate me on how to set the env variable "SILK_IPFIX_PRINT_TEMPLATES"?
>
> On 9/21/15, Mark Thomas <mthomas at cert.org> wrote:
> > I have a couple of PCAP files that contain data from a Cisco ASA,
> > and the NetFlow v9 templates do not include Information Element 6,
> > TCP_FLAGS.
> >
> > If you wish to confirm this for yourself, set the
> > SILK_IPFIX_PRINT_TEMPLATES environment variable to 1 prior to
> > starting rwflowpack or flowcap.  With that variable set, rwflowpack
> > or flowcap print to its log file each IPFIX/NetFlow v9 template it
> > receives.
> >
> > When the tool prints the template, it uses the IPFIX names for the
> > information elements, which you can find at
> > http://www.iana.org/assignments/ipfix/ipfix.xhtml
> >
> > The IPFIX name for TCP_FLAGS is tcpControlBits.
> >
> > -Mark
> >
> >
> > On Fri, 18 Sep 2015 10:54:56 +0500, asad wrote:
> >
> >> This is an update.
> >>
> >> I have edited the cmd as told by "Angela"; now I get a very useful
> >> output which shows that the %Bytes value is never greater than
> >> 0.025112. This explains why the percentage=1 was not working.
> >>
> >> But what is more strange is that now I start to question the suitability of
> >> Cisco ASA asel NetFlow logs. Here is the reason why:
> >>
> >>
> >> Changing the command and adding params, e.g. --packets=4- --ack-flag=1,
> >> delivers me zero output. Even stranger (please see attachment),
> >> the flags column is empty (it is even empty when there is no
> >> --ack-flag=1 value set).
> >>
> >>
> >>
> >> On 9/16/15, asad <a.alii85 at gmail.com> wrote:
> >>> Thanks Angela and Evgeniy. I believe I have been unfair to part I have
> >>> explained my case effectively.
> >>>
> >>> There is a critical server on the enterprise network whose traffic I want to
> >>> monitor for the following usage:
> >>>
> >>> " to monitor connection to and from the server w.r.t to bytes "
> >>>
> >>> This is done to get some way of knowing "normal" behavior for the
> >>> traffic, i.e. the number of bytes sent per day between server and client.
> >>>
> >>> I will try out the suggestions as soon as I get access to the office network
> >>> (currently I'm at home) and will update accordingly.
> >>>
> >>> On Wed, Sep 16, 2015 at 6:22 PM, Angela Horneman <ahorneman at cert.org>
> >>> wrote:
> >>>
> >>>> Asad,
> >>>>
> >>>> If you replace --percentage=1 with --count=10 in your first example,
> >>>> there will be a column "%Bytes" in the output. You can use that column
> >>>> to check if any of the 10 DIPs with the greatest byte volumes have a
> >>>> volume that is at least 1% of the total.
> >>>>
> >>>> Angela
> >>>>
> >>>> -----Original Message-----
> >>>> From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org
> >>>> [mailto:netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org] On Behalf Of asad
> >>>> Sent: Wednesday, September 16, 2015 12:49 AM
> >>>> To: Evgeniy Sudyr <eject.in.ua at gmail.com>
> >>>> Cc: netsa-tools-discuss at cert.org
> >>>> Subject: Re: [netsa-tools-discuss] alternate use of rwstats --percentage
> >>>>
> >>>> Thanks Eugene,
> >>>>
> >>>> My output is:-
> >>>>
> >>>>             sIP|sPort|            dIP|dPort|     bytes|
> >>>>    10.10.13.152|    0|    10.10.4.145|    0|        78|
> >>>>    10.10.13.152|    0|    10.10.4.145|    0|        78|
> >>>>    10.10.13.152|    0|    10.10.4.145|    0|        78|
> >>>>
> >>>>
> >>>> With command
> >>>>
> >>>> rwfilter --sensor=S0 --type=all --pass=stdout --saddress=10.10.13.152
> >>>> --start-date=2015/09/13:15 --end-date=2015/09/16:15 | rwsort
> >>>> --fields=bytes | rwcut --fields=sip,sport,dip,dport,bytes
> >>>>
> >>>> I'm getting bytes in the last column, but I don't know how to get that
> >>>> as a percentage of total bytes from all records.
> >>>>
> >>>> thanks.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On 9/15/15, Evgeniy Sudyr <eject.in.ua at gmail.com> wrote:
> >>>> > Hi,
> >>>> >
> >>>> > Are you sure that in your rwfilter results you have more than 1% of
> >>>> > bytes?
> >>>> >
> >>>> > From the rwstats man page:
> >>>> >
> >>>> > --percentage=N  Print the bins where the primary value is
> >>>> > greater-than (or less-than) N percent of the sum of the primary
> >>>> > values across all bins.
> >>>> >
> >>>> >
> >>>> > I think it will be useful to see --count --Packets
> >>>> >
> >>>> >
> >>>> > On Tue, Sep 15, 2015 at 5:31 PM, asad <a.alii85 at gmail.com> wrote:
> >>>> >
> >>>> >> Hi,
> >>>> >>
> >>>> >> I want to know what "alternate options" exist for the following:
> >>>> >>
> >>>> >> rwfilter --sensor=Vrouter1 --type=out --sport=3306 --pass=stdout
> >>>> >> --start-date=2012/11/13:00 --end-date=2012/11/13:23
> >>>> >> --saddress=172.31.253.102 | rwstats --percentage=1 --bytes
> >>>> >> --fields=dip
> >>>> >>
> >>>> >> I don't know why, but using the --percentage=1 flag I get zero results,
> >>>> >> even when I know this IP is present in the records. Is there any reason
> >>>> >> why such a thing would happen?
> >>>> >>
> >>>> >> Or can I move to other rwstats switch parameters to perform the same
> >>>> >> task as I am trying to achieve with percentage=1?
> >>>> >>
> >>>> >> Thanks.
> >>>> >>
> >>>> >>
> >>>> >>
> >>>> >
> >>>> >
> >>>> > --
> >>>> > With regards,
> >>>> > Eugene Sudyr
> >>>> >
> >>>>
> >>>>
> >>>
> >
>
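The thread turns on the semantics of rwstats --percentage=N (keep only bins whose primary value exceeds N percent of the sum across all bins) versus --count=N (the N largest bins, each with a %Bytes column). The following Python script is an added illustration, not SiLK code and not from any participant: it parses rwcut-style pipe-delimited output, sums bytes per dIP, and applies both selection rules so you can see why a 1% threshold can legitimately return nothing while the top-10 view still shows each bin's share. The sample records, the helper names (parse_rwcut, bins_above_percentage, top_n) and the column layout are constructed for this example.

```python
"""Added example (not SiLK code): how rwstats --percentage=N and --count=N
pick bins, applied to constructed rwcut-style output.

The records below are constructed for this example and are not data from
the thread.  Column layout follows rwcut's pipe-delimited output for
--fields=sip,sport,dip,dport,bytes (right-aligned, trailing '|').
"""
from collections import defaultdict


def fmt_row(sip, sport, dip, dport, nbytes):
    """Render one rwcut-style line (also used for the header)."""
    return f"{sip:>15}|{sport:>5}|{dip:>15}|{dport:>5}|{nbytes:>10}|"


def build_sample_rwcut():
    """Constructed sample: one source host, 200 single-flow destinations of
    78 bytes each, plus 10.10.4.145 seen three times (as in the thread's
    sample output).  Total = 203 * 78 = 15834 bytes."""
    rows = [fmt_row("sIP", "sPort", "dIP", "dPort", "bytes")]
    for _ in range(3):
        rows.append(fmt_row("10.10.13.152", 0, "10.10.4.145", 0, 78))
    for i in range(200):
        rows.append(fmt_row("10.10.13.152", 0, f"10.10.5.{i + 1}", 0, 78))
    return "\n".join(rows) + "\n"


def parse_rwcut(text):
    """Parse rwcut's pipe-delimited output into a list of dicts keyed by
    the header names; the 'bytes' column is converted to int."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")[:-1]]  # drop trailing ''
    records = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.split("|")[:-1]]
        rec = dict(zip(header, cells))
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def bytes_per_bin(records, key="dIP"):
    """Sum the primary value (bytes) into one bin per key, like
    rwstats --fields=dip --bytes."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec[key]] += rec["bytes"]
    return dict(totals)


def with_percent(totals):
    """Return (bin, bytes, %Bytes) tuples sorted largest first; ties are
    broken by bin name so the order is deterministic."""
    grand = sum(totals.values())
    rows = [(k, v, 100.0 * v / grand) for k, v in totals.items()]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


def bins_above_percentage(records, n_percent, key="dIP"):
    """Mimic rwstats --percentage=N: keep only bins whose bytes are
    greater than N percent of the sum over all bins.  When traffic is
    spread thinly across many destinations this is legitimately empty."""
    return [row for row in with_percent(bytes_per_bin(records, key))
            if row[2] > n_percent]


def top_n(records, n, key="dIP"):
    """Mimic rwstats --count=N: the N largest bins, each with its %Bytes,
    which is the column Angela pointed at for checking the 1% question."""
    return with_percent(bytes_per_bin(records, key))[:n]


if __name__ == "__main__":
    recs = parse_rwcut(build_sample_rwcut())
    print("--percentage=1 equivalent:", bins_above_percentage(recs, 1.0))
    print("--percentage=2 equivalent:", bins_above_percentage(recs, 2.0))
    print("--count=10 equivalent:")
    for dip, nbytes, pct in top_n(recs, 10):
        print(f"{dip:>15}|{nbytes:>10}|{pct:>10.6f}|")
```

With the constructed data, 10.10.4.145 holds 234 of 15834 bytes (about 1.48%), so a 1% threshold returns that single bin and a 2% threshold returns nothing at all, while the top-10 view always lists the ten largest destinations together with their share. That matches the thread: if the largest %Bytes value is far below 1, --percentage=1 has nothing to print and --count=N is the way to see the distribution.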