[netsa-tools-discuss] alternate use of rwstats --percentage

asad a.alii85 at gmail.com
Mon Sep 28 04:02:13 EDT 2015


Like, I know the correct configuration file is kept at
/etc/nsm/NW-SEC-06-eth0/rwflowpack.conf
and I was looking in the wrong location, /usr/local/share/silk/etc/rwflowpack.conf

But what tells /etc/init.d/rwflowpack where to look? Thanks.

On 9/28/15, asad <a.alii85 at gmail.com> wrote:
> I got good news :) It's working. Thanks Thomas
>
>
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position   0, Length     4, IE         148, Name flowId
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position   1, Length    16, IE          27, Name sourceIPv6Address
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position   2, Length     2, IE           7, Name sourceTransportPort
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position   3, Length     2, IE          10, Name ingressInterface
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position   4, Length    16, IE          28, Name destinationIPv6Address
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position   5, Length     2, IE          11, Name destinationTransportPort
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position   6, Length     2, IE          14, Name egressInterface
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position   7, Length     1, IE           4, Name protocolIdentifier
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position   8, Length     1, IE         178, Name icmpTypeIPv6
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position   9, Length     1, IE         179, Name icmpCodeIPv6
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position  10, Length     1, IE        9998, Name NF_F_FW_EVENT
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position  11, Length     2, IE        9997, Name NF_F_FW_EXT_EVENT
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position  12, Length     8, IE         323, Name observationTimeMilliseconds
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position  13, Length     4, IE          85, Name octetTotalCount
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position  14, Length     8, IE         152, Name flowStartMilliseconds
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position  15, Length    12, IE        9999, Name ciscoNetflowGeneric
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position  16, Length    12, IE        9999, Name ciscoNetflowGeneric
> Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position  17, Length    65, IE        9999, Name ciscoNetflowGeneric
>
> Funny thing, I got it working by adding code to /etc/init.d/rwflowpack.conf,
> so I have two questions
>
> 1) /usr/local/share/silk/etc/rwflowpack.conf only contains the DEFAULT
> configuration. Then where does it get the format
>
> /usr/local/sbin/rwflowpack
> --sensor-configuration=/etc/nsm/NW-SEC-06-eth0/sensors.conf
> --site-config-file=/etc/nsm/NW-SEC-06-eth0/silk.conf
> --archive-directory=/nsm/sensor_data/NW-SEC-06-eth0/silk/archive
> --output-mode=local-storage
> --root-directory=/nsm/sensor_data/NW-SEC-06-eth0/silk/
> --pidfile=/var/log/rwflowpack.pid --log-level=info
> --log-directory=/var/log --log-basename=rwflowpack
>
> I'm a bit perplexed. Thanks.
>
>
> On 9/28/15, asad <a.alii85 at gmail.com> wrote:
>> Thomas,
>>
>> I have supplied the same configuration at my production systems at
>> the office with the following minor changes. I'm not using YAF to get
>> flows to SiLK; in fact I'm using
>>
>> probe S0 netflow-v9
>>   listen-on-port 2055
>>   protocol udp
>>   quirks zero-packets
>>
>>
>> Also, I'm running rwflowpack from "/usr/local/sbin/rwflowpack". I have
>> supplied
>>    export SILK_IPFIX_PRINT_TEMPLATES=1
>> as required.
>>
>> I'm looking in /var/log/rwflowpack-* for the text
>> "  Domain 0x0000, TemplateID 0x0108, Position 6, Length 4, IE 8, Name sourceIPv4Address"
>>
>> But I'm not finding anything related to it. The Cisco ASA is configured to
>> send the template every minute. I even deleted today's log file in
>> /var/log to reduce its size and make searching easy, but I still see
>> no "template info".
>>
>> Kindly help.
>>
>> regards
>> asad
>>
>> On 9/25/15, Mark Thomas <mthomas at cert.org> wrote:
>>> With the environment variable set, you will see the template
>>> information in the rwflowpack log file whenever rwflowpack receives
>>> an IPFIX template from yaf or a NetFlow v9 template from your
>>> router.
>>>
>>> The template information printed by rwflowpack uses the IPFIX names
>>> for each information element.  The list of IPFIX information
>>> elements is maintained by IANA
>>> http://www.iana.org/assignments/ipfix/ipfix.xhtml
>>>
>>> In rwflowpack, a source IPv4 address will be printed as:
>>>
>>>  Domain 0x0000, TemplateID 0x0108, Position 6, Length 4, IE 8, Name sourceIPv4Address
>>>
>>> where "IE 8" is the numeric identifier for the information element.
>>>
>>> The NetFlow v9 names for information elements 1 to 79 can be found
>>> in the NetFlow v9 RFC.  http://tools.ietf.org/html/rfc3954
>>>
>>> When using the CFLOW filter in Wireshark to view either an IPFIX or a
>>> NetFlow v9 template, a source IPv4 address will be printed as:
>>>
>>>  Field (6/21): IP_SRC_ADDR
>>>      Type: IP_SRC_ADDR (8)
>>>      Length: 4
>>>
>>> The names used by Wireshark are sometimes the same as the NetFlow v9
>>> names.
>>>
>>> Information element 6 contains the union of TCP flags across all
>>> packets in a TCP flow record.  The information element is called
>>> tcpControlBits by IPFIX, and it is called TCP_FLAGS by Cisco and
>>> Wireshark.
>>>
>>> However, if the template does not contain this element, there is no
>>> way for SiLK to get the TCP Flags.
>>>
>>> Note that Cisco says they do not populate the TCP Flags fields on
>>> the ASA.
>>> https://supportforums.cisco.com/document/30471/netflow-asa
>>>
>>>   NetFlow on the ASA vs IOS
>>>
>>>   The ASA only supports NetFlow version 9 and there are no plans to
>>>   support NetFlow version 5. NetFlow on the ASA is event
>>>   driven. Unlike routing platforms we do not send incremental
>>>   updates; NSEL records are only sent during flow creation, teardown
>>>   or ACL deny events. Also unlike the routing platforms we will not
>>>   populate the ToS bits or the TCP flags. Lastly, all flows on the
>>>   ASA are bidirectional. All counters for a flow will increase for
>>>   traffic flowing from A->B or B->A.
>>>
>>>
>>> I hope that helps.
>>>
>>> -Mark
>>>
>>>
>>> On Thu, 24 Sep 2015 13:55:37 +0500, asad wrote:
>>>
>>>> You were right, there was a problem with the order I was running the
>>>> commands. Now I got it to work and I see the logs are being populated; now
>>>> the only thing missing is "Information Element 6, TCP_FLAGS", which I'm
>>>> interested in.
>>>>
>>>> I'm using pcap files which are not Cisco ASA based; I just couldn't find
>>>> one that matches my production env, e.g. Cisco 5585-X. If size and privacy
>>>> allow, could you safely send me some sample pcap files to replay with.
>>>>
>>>> Or perhaps without the required pcap files I'm still supposed to see some
>>>> "template info" in the logs; in this case I go back to the point of
>>>> configuring SILK_IPFIX_PRINT_TEMPLATES.
>>>>
>>>> Also, in the ps -auxx | grep rwflowpack
>>>>
>>>> I also see /etc/init.d/rwflowpack though I never used rwflowpack.conf. I
>>>> hope there is no conflict.
>>>>
>>>> On Thu, Sep 24, 2015 at 1:26 AM, Mark Thomas <mthomas at cert.org> wrote:
>>>>
>>>>> Thank you for providing the versions of the tools you are running
>>>>> and the command lines you are using to invoke the tools.
>>>>>
>>>>> The order in which things are started is important.
>>>>>
>>>>> rwflowpack only checks the SILK_IPFIX_PRINT_TEMPLATES variable once
>>>>> when it is invoked, so the variable must be set prior to starting
>>>>> rwflowpack.  The variable must be set to a non-empty value, and the
>>>>> first character should not be 0.
>>>>>
>>>>> You are running YAF over a TCP connection.  In this case, YAF only
>>>>> sends the IPFIX templates one time--typically when YAF first
>>>>> connects to rwflowpack.
>>>>>
>>>>> For rwflowpack to print the templates, you must:
>>>>>
>>>>> 1. Set the SILK_IPFIX_PRINT_TEMPLATES environment variable to 1.
>>>>>
>>>>> 2. Start rwflowpack.
>>>>>
>>>>> 3. Start YAF.
>>>>>
>>>>> When YAF connects to rwflowpack, the log file will contain lines
>>>>> that look similar to:
>>>>>
>>>>>   Sep 23 16:14:42 mac rwflowpack[65061]: 'Irouter': accepted connection from 127.0.0.1:55901
>>>>>   Sep 23 16:14:42 mac rwflowpack[65061]: Domain 0x0000, TemplateID 0xC013, Contains 6 Elements, Enabled by SILK_IPFIX_PRINT_TEMPLATES
>>>>>   Sep 23 16:14:42 mac rwflowpack[65061]: Domain 0x0000, TemplateID 0xC013, Position   0, Length     4, IE         184, Name tcpSequenceNumber
>>>>>   Sep 23 16:14:42 mac rwflowpack[65061]: Domain 0x0000, TemplateID 0xC013, Position   1, Length     1, IE  6871/   14, Name initialTCPFlags
>>>>>   Sep 23 16:14:42 mac rwflowpack[65061]: Domain 0x0000, TemplateID 0xC013, Position   2, Length     1, IE  6871/   15, Name unionTCPFlags
>>>>>   ...
>>>>>
>>>>> In my set-up, I saw 11 templates:
>>>>>
>>>>>   TemplateID 0xC013, Contains 6 Elements
>>>>>   TemplateID 0xC015, Contains 23 Elements
>>>>>   TemplateID 0xC016, Contains 6 Elements
>>>>>   TemplateID 0xC018, Contains 2 Elements
>>>>>   TemplateID 0xB800, Contains 39 Elements
>>>>>   TemplateID 0xC003, Contains 3 Elements
>>>>>   TemplateID 0xC004, Contains 2 Elements
>>>>>   TemplateID 0xC005, Contains 11 Elements
>>>>>   TemplateID 0xC006, Contains 3 Elements
>>>>>   TemplateID 0xD000, Contains 14 Elements
>>>>>   TemplateID 0xC008, Contains 1 Elements
>>>>>
>>>>> I hope that helps.
>>>>>
>>>>> -Mark
>>>>>
>>>>>
>>>>> On Thu, 24 Sep 2015 00:29:10 +0500, asad wrote:
>>>>>
>>>>> > Thanks Thomas, for such a comprehensive explanation. From the
>>>>> > silk-summary.txt file I can verify that my
>>>>> >
>>>>> > SILK 3.10.2
>>>>> > libfixbuf-1.7.0 >= 1.6.0
>>>>> >
>>>>> > The command I used is
>>>>> >
>>>>> > rwflowpack \
>>>>> > --sensor-configuration=/data/sensors.conf \
>>>>> > --site-config-file=/data/silk.conf \
>>>>> > --archive-directory=/usr/local/var/lib/rwflowpack/archive \
>>>>> > --output-mode=local-storage \
>>>>> > --root-directory=/data \
>>>>> > --pidfile=/var/log/rwflowpack.pid --log-level=info \
>>>>> > --log-directory=/var/log --log-basename=rwflowpack \
>>>>> >
>>>>> > But I don't see any "information element" in the logs. I'm using the
>>>>> > tcpreplay tool to replay sample pcap files (since I'm home now), but in
>>>>> > the logs I see
>>>>> >
>>>>> > "Sep 24 00:24:04 Silky-flows rwflowpack[812]: 'S0': forward 0, reverse 0,
>>>>> > ignored 0; yaf: recs 0, pkts 0, dropped-pkts 0, ignored-pkts 0,
>>>>> > bad-sequence-pkts 0, expired-frags 0"
>>>>> >
>>>>> > I have tested with cmd
>>>>> >
>>>>> > "yaf --silk --ipfix=tcp --live=pcap  --out=127.0.0.1 \
>>>>> > --ipfix-port=18001 --in=eth0 --applabel --max-payload=384 &"
>>>>> >
>>>>> > and it works fine; logs are made as they should be.
>>>>> >
>>>>> >
>>>>> > On Wed, Sep 23, 2015 at 10:26 PM, Mark Thomas <mthomas at cert.org>
>>>>> > wrote:
>>>>> >
>>>>> >> The way that you set the environment variable depends on how you
>>>>> >> are starting rwflowpack or flowcap.
>>>>> >>
>>>>> >> 1. Using the start-up scripts.
>>>>> >>
>>>>> >> Follow these instructions if you set variables in the
>>>>> >> rwflowpack.conf configuration file and then run the rwflowpack shell
>>>>> >> script as
>>>>> >>
>>>>> >>   rwflowpack start
>>>>> >>
>>>>> >> The rwflowpack shell script is typically installed in the directory
>>>>> >> $prefix/share/silk/etc/init.d.  In the RedHat RPMs, the start-up
>>>>> >> script is installed in /etc/init.d/rwflowpack.
>>>>> >>
>>>>> >> These instructions also apply for flowcap.
>>>>> >>
>>>>> >> Find the rwflowpack start-up script or the flowcap start-up script.
>>>>> >> Within that script, find the start() subroutine.  In that
>>>>> >> subroutine, find the following:
>>>>> >>
>>>>> >>   if [ X`whoami` = "X${USER}" ] ; then
>>>>> >>     eval "${PROG_PATH} ${PROG_OPTIONS} ${EXTRA_OPTIONS} &"
>>>>> >>   else
>>>>> >>     su - ${USER} -c "${PROG_PATH} ${PROG_OPTIONS} ${EXTRA_OPTIONS} &"
>>>>> >>   fi
>>>>> >>
>>>>> >> Insert SILK_IPFIX_PRINT_TEMPLATES=1 after the initial double quote.
>>>>> >> The result should read:
>>>>> >>
>>>>> >>   if [ X`whoami` = "X${USER}" ] ; then
>>>>> >>     eval "SILK_IPFIX_PRINT_TEMPLATES=1 ${PROG_PATH} ${PROG_OPTIONS} ${EXTRA_OPTIONS} &"
>>>>> >>   else
>>>>> >>     su - ${USER} -c "SILK_IPFIX_PRINT_TEMPLATES=1 ${PROG_PATH} ${PROG_OPTIONS} ${EXTRA_OPTIONS} &"
>>>>> >>   fi
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> 2. Starting from the command line.
>>>>> >>
>>>>> >> Follow these instructions if you invoke the rwflowpack or flowcap
>>>>> >> binary from the command line and specify its command line options as
>>>>> >> part of the command, such as
>>>>> >>
>>>>> >>   rwflowpack --root-directory=/data ...
>>>>> >>
>>>>> >> These binaries are typically installed in $prefix/sbin.
>>>>> >>
>>>>> >> In this case, you can set the SILK_IPFIX_PRINT_TEMPLATES environment
>>>>> >> variable as you set any other environment variable in a modern
>>>>> >> Bourne-compatible shell:
>>>>> >>
>>>>> >>   export SILK_IPFIX_PRINT_TEMPLATES=1
>>>>> >>   rwflowpack --root-directory=/data ...
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> This feature requires SiLK 3.8.2 or newer and libfixbuf-1.4.0 or
>>>>> >> newer.
>>>>> >>
>>>>> >> -Mark
>>>>> >>
>>>>> >>
>>>>> >> On Wed, 23 Sep 2015 13:33:06 +0500, asad wrote:
>>>>> >>
>>>>> >> > Thomas,
>>>>> >> >
>>>>> >> > Can you educate me how to set env variable
>>>>> "SILK_IPFIX_PRINT_TEMPLATES"?
>>>>> >> >
>>>>> >> > On 9/21/15, Mark Thomas <mthomas at cert.org> wrote:
>>>>> >> >> I have a couple of PCAP files that contain data from a Cisco ASA,
>>>>> >> >> and the NetFlow v9 templates do not include Information Element 6,
>>>>> >> >> TCP_FLAGS.
>>>>> >> >>
>>>>> >> >> If you wish to confirm this for yourself, set the
>>>>> >> >> SILK_IPFIX_PRINT_TEMPLATES environment variable to 1 prior to
>>>>> >> >> starting rwflowpack or flowcap.  With that variable set, rwflowpack
>>>>> >> >> or flowcap prints to its log file each IPFIX/NetFlow v9 template it
>>>>> >> >> receives.
>>>>> >> >>
>>>>> >> >> When the tool prints the template, it uses the IPFIX names for the
>>>>> >> >> information elements, which you can find at
>>>>> >> >> http://www.iana.org/assignments/ipfix/ipfix.xhtml
>>>>> >> >>
>>>>> >> >> The IPFIX name for TCP_FLAGS is tcpControlBits.
>>>>> >> >>
>>>>> >> >> -Mark
>>>>> >> >>
>>>>> >> >>
>>>>> >> >> On Fri, 18 Sep 2015 10:54:56 +0500, asad wrote:
>>>>> >> >>
>>>>> >> >>> This is an update.
>>>>> >> >>>
>>>>> >> >>> I have edited the cmd as told by "Angela"; now I get a very useful
>>>>> >> >>> output which shows that the %Bytes value is never greater than
>>>>> >> >>> 0.025112, which explains why the percentage=1 was not working.
>>>>> >> >>>
>>>>> >> >>> But what is more strange now is that I start to question the
>>>>> >> >>> suitability of Cisco ASA NSEL NetFlow logs; here is the reason why ..
>>>>> >> >>>
>>>>> >> >>>
>>>>> >> >>> Changing the command and adding params e.g. --packets=4-
>>>>> >> >>> --ack-flag=1 delivers me zero output. Even more strange (please see
>>>>> >> >>> attachment) is that the flags column is empty (it is even empty when
>>>>> >> >>> there is no --ack-flag=1 value set).
>>>>> >> >>>
>>>>> >> >>>
>>>>> >> >>>
>>>>> >> >>> On 9/16/15, asad <a.alii85 at gmail.com> wrote:
>>>>> >> >>>> Thanks Angela and Evgeniy. I believe I have been unfair to part I
>>>>> >> >>>> have explained my case effectively.
>>>>> >> >>>>
>>>>> >> >>>> There is a critical server on the enterprise network whose traffic I
>>>>> >> >>>> want to monitor for the following usage :-
>>>>> >> >>>>
>>>>> >> >>>> "to monitor connections to and from the server w.r.t. bytes"
>>>>> >> >>>>
>>>>> >> >>>> This is done to get some way of knowing "normal" behavior for the
>>>>> >> >>>> traffic, i.e. the number of bytes sent per day between server and
>>>>> >> >>>> client.
>>>>> >> >>>>
>>>>> >> >>>> I will try out the suggestions as soon as I get access to the office
>>>>> >> >>>> network (currently I'm at home) and will update accordingly.
>>>>> >> >>>>
>>>>> >> >>>> On Wed, Sep 16, 2015 at 6:22 PM, Angela Horneman <ahorneman at cert.org>
>>>>> >> >>>> wrote:
>>>>> >> >>>>
>>>>> >> >>>>> Asad,
>>>>> >> >>>>>
>>>>> >> >>>>> If you replace --percentage=1 with --count=10 in your first example,
>>>>> >> >>>>> there will be a column "%Bytes" in the output. You can use that
>>>>> >> >>>>> column to check if any of the 10 DIPs with the greatest byte volumes
>>>>> >> >>>>> have a volume that is at least 1% of the total.
>>>>> >> >>>>>
>>>>> >> >>>>> Angela
>>>>> >> >>>>>
>>>>> >> >>>>> -----Original Message-----
>>>>> >> >>>>> From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org
>>>>> >> >>>>> [mailto:netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org]
>>>>> >> >>>>> On Behalf Of asad
>>>>> >> >>>>> Sent: Wednesday, September 16, 2015 12:49 AM
>>>>> >> >>>>> To: Evgeniy Sudyr <eject.in.ua at gmail.com>
>>>>> >> >>>>> Cc: netsa-tools-discuss at cert.org
>>>>> >> >>>>> Subject: Re: [netsa-tools-discuss] alternate use of rwstats --percentage
>>>>> >> >>>>>
>>>>> >> >>>>> Thanks Eugene,
>>>>> >> >>>>>
>>>>> >> >>>>> My output is:-
>>>>> >> >>>>>
>>>>> >> >>>>>            sIP|sPort|           dIP|dPort|     bytes|
>>>>> >> >>>>>   10.10.13.152|    0|   10.10.4.145|    0|        78|
>>>>> >> >>>>>   10.10.13.152|    0|   10.10.4.145|    0|        78|
>>>>> >> >>>>>   10.10.13.152|    0|   10.10.4.145|    0|        78|
>>>>> >> >>>>>
>>>>> >> >>>>>
>>>>> >> >>>>> With command
>>>>> >> >>>>>
>>>>> >> >>>>> rwfilter --sensor=S0 --type=all --pass=stdout --saddress=10.10.13.152
>>>>> >> >>>>> --start-date=2015/09/13:15 --end-date=2015/09/16:15 | rwsort
>>>>> >> >>>>> --fields=bytes | rwcut --fields=sip,sport,dip,dport,bytes
>>>>> >> >>>>>
>>>>> >> >>>>> I'm getting bytes in the last column, but I don't know how to get
>>>>> >> >>>>> that as a percentage of the total bytes from all records.
>>>>> >> >>>>>
>>>>> >> >>>>> thanks.
>>>>> >> >>>>>
>>>>> >> >>>>>
>>>>> >> >>>>>
>>>>> >> >>>>>
>>>>> >> >>>>> On 9/15/15, Evgeniy Sudyr <eject.in.ua at gmail.com> wrote:
>>>>> >> >>>>> > Ai,
>>>>> >> >>>>> >
>>>>> >> >>>>> > are you sure that in your rwfilter results you have more than
>>>>> >> >>>>> > 1% of Bytes?
>>>>> >> >>>>> >
>>>>> >> >>>>> > From rwstats man page:
>>>>> >> >>>>> >
>>>>> >> >>>>> > *--percentage*=*N* Print the bins where the primary value is
>>>>> >> >>>>> > greater-than (or less-than) *N* percent of the sum of the primary
>>>>> >> >>>>> > values across all bins.
>>>>> >> >>>>> >
>>>>> >> >>>>> >
>>>>> >> >>>>> > I think it will be useful to see --count --Packets
>>>>> >> >>>>> >
>>>>> >> >>>>> >
>>>>> >> >>>>> > On Tue, Sep 15, 2015 at 5:31 PM, asad <a.alii85 at gmail.com>
>>>>> wrote:
>>>>> >> >>>>> >
>>>>> >> >>>>> >> Hi,
>>>>> >> >>>>> >>
>>>>> >> >>>>> >> I want to know what "alternate options" exist for the following:-
>>>>> >> >>>>> >>
>>>>> >> >>>>> >> rwfilter --sensor=Vrouter1 --type=out --sport=3306 --pass=stdout
>>>>> >> >>>>> >> --start-date=2012/11/13:00 --end-date=2012/11/13:23
>>>>> >> >>>>> >> --saddress=172.31.253.102 | rwstats --percentage=1 --bytes
>>>>> >> >>>>> >> --fields=dip
>>>>> >> >>>>> >>
>>>>> >> >>>>> >> I don't know why, but using the --percentage=1 flag I get zero
>>>>> >> >>>>> >> results, even when I know this IP is present in the records. Is
>>>>> >> >>>>> >> there any reason why such a thing would happen?
>>>>> >> >>>>> >>
>>>>> >> >>>>> >> Or can I move to other rwstats switch parameters to perform the
>>>>> >> >>>>> >> same task as I'm trying to achieve with percentage=1
>>>>> >> >>>>> >>
>>>>> >> >>>>> >> Thanks.
>>>>> >> >>>>> >>
>>>>> >> >>>>> >>
>>>>> >> >>>>> >>
>>>>> >> >>>>> >
>>>>> >> >>>>> >
>>>>> >> >>>>> > --
>>>>> >> >>>>> > --
>>>>> >> >>>>> > With regards,
>>>>> >> >>>>> > Eugene Sudyr
>>>>> >> >>>>> >
>>>>> >> >>>>>
>>>>> >> >>>>>
>>>>> >> >>>>
>>>>> >> >>
>>>>> >>
>>>>>
>>>
>>
>
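The whole thread above reduces to one check: does the template the exporter sends contain IANA information element 6 (tcpControlBits)? If it does not, an rwfilter option such as --ack-flag=1 can never match, because SiLK never received the flags. The script below is an added example, not SiLK code and not from anyone in the thread. It parses the element lines rwflowpack writes when SILK_IPFIX_PRINT_TEMPLATES is set, in both the plain "IE 8" form and the enterprise-qualified "IE 6871/ 14" form quoted above, groups them by domain and template ID, and lists which templates lack tcpControlBits. The embedded log text is constructed for the example: the 0x010C lines are a subset of the ASA template quoted in the thread, and template 0xB800 is made up so that the report shows a template that does carry IE 6.

```python
import re
from collections import defaultdict

# One element line as rwflowpack writes it when SILK_IPFIX_PRINT_TEMPLATES is set.
# The IE field is either a plain IANA id ("IE 8") or enterprise-qualified
# ("IE  6871/   14": private enterprise number 6871, element 14).
TEMPLATE_LINE = re.compile(
    r"Domain (?P<domain>0x[0-9A-Fa-f]+), TemplateID (?P<tid>0x[0-9A-Fa-f]+), "
    r"Position\s+(?P<pos>\d+), Length\s+(?P<len>\d+), "
    r"IE\s+(?:(?P<pen>\d+)/\s*)?(?P<ie>\d+), Name (?P<name>\S+)"
)

TCP_CONTROL_BITS = 6  # IANA IPFIX id of tcpControlBits (Cisco/Wireshark: TCP_FLAGS)

# Constructed sample log. Template 0x010C is a subset of the ASA template quoted in
# the thread; template 0xB800 is invented for this example and does carry IE 6.
SAMPLE_LOG = """\
Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position   0, Length     4, IE         148, Name flowId
Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position   1, Length    16, IE          27, Name sourceIPv6Address
Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position   7, Length     1, IE           4, Name protocolIdentifier
Sep 28 17:31:06 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0x010C, Position  10, Length     1, IE        9998, Name NF_F_FW_EVENT
Sep 28 17:31:07 NW-SEC-06 rwflowpack[23251]: 'S0': forward 0, reverse 0, ignored 0
Sep 28 17:31:07 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0xB800, Contains 3 Elements, Enabled by SILK_IPFIX_PRINT_TEMPLATES
Sep 28 17:31:07 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0xB800, Position   0, Length     4, IE           8, Name sourceIPv4Address
Sep 28 17:31:07 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0xB800, Position   1, Length     1, IE           6, Name tcpControlBits
Sep 28 17:31:07 NW-SEC-06 rwflowpack[23251]: Domain 0x0000, TemplateID 0xB800, Position   2, Length     1, IE  6871/   15, Name unionTCPFlags
"""


def parse_templates(lines):
    """Group element descriptions by (domain, template id), ordered by position."""
    templates = defaultdict(list)
    for line in lines:
        m = TEMPLATE_LINE.search(line)
        if not m:
            continue  # connection notices, 'Contains N Elements' summaries, stats lines
        templates[(m["domain"], m["tid"])].append({
            "position": int(m["pos"]),
            "length": int(m["len"]),
            "pen": int(m["pen"]) if m["pen"] else 0,  # 0 = IANA-registered element
            "ie": int(m["ie"]),
            "name": m["name"],
        })
    for elems in templates.values():
        elems.sort(key=lambda e: e["position"])
    return dict(templates)


def has_tcp_flags(elements):
    """True if the template carries IANA IE 6. Enterprise-specific flag elements such
    as CERT's unionTCPFlags (6871/15) are deliberately not counted here."""
    return any(e["pen"] == 0 and e["ie"] == TCP_CONTROL_BITS for e in elements)


def templates_without_tcp_flags(templates):
    """Keys of every template from which SiLK cannot obtain TCP flags."""
    return sorted(key for key, elems in templates.items() if not has_tcp_flags(elems))


def report(lines):
    """One summary line per template seen in the log."""
    out = []
    for (domain, tid), elems in sorted(parse_templates(lines).items()):
        status = ("has tcpControlBits" if has_tcp_flags(elems)
                  else "NO tcpControlBits: TCP flag filters cannot match")
        out.append(f"Domain {domain} TemplateID {tid}: {len(elems)} elements, {status}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Feed it the real file with `report(open("/var/log/rwflowpack-<date>.log").read().splitlines())` (the path is whatever --log-directory and --log-basename produced on your system); a template listed as lacking tcpControlBits is the ASA behaviour Mark quoted, and no rwflowpack or rwfilter setting will recover those flags.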


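Evgeniy's quote of the rwstats man page and Angela's --count=10 suggestion explain the original --percentage=1 puzzle: a bin is printed only when its primary value exceeds N percent of the sum over all bins, so once traffic is spread over thousands of destinations no single dip reaches 1%, and the query legitimately prints nothing. The Python below is an added example, not SiLK code and not from the thread, that models the two selection modes over constructed flow records: byte_bins() aggregates bytes per dip as --fields=dip --bytes does, top_by_percentage() applies the --percentage=N rule as quoted from the man page, and top_by_count() applies --count=N with the %Bytes column. The SKEWED and FLAT record sets are constructed; FLAT spreads equal traffic over 4000 destinations so that each holds 0.025% of the bytes, which is the situation Asad observed.

```python
from collections import defaultdict

# Constructed flow records as (sip, dip, bytes) tuples; not data from the thread.
SKEWED = [("172.31.253.102", "10.0.0.1", 900000)] + [
    ("172.31.253.102", f"10.0.1.{i}", 100) for i in range(1, 101)
]
FLAT = [("172.31.253.102", f"10.10.{i // 256}.{i % 256}", 100) for i in range(4000)]


def byte_bins(records):
    """Aggregate bytes per destination IP (rwstats --fields=dip --bytes)."""
    bins = defaultdict(int)
    for _sip, dip, nbytes in records:
        bins[dip] += nbytes
    return dict(bins)


def percent_of_total(bins):
    """The %Bytes column: each bin's share of the sum over all bins."""
    total = sum(bins.values())
    if total == 0:
        return {}
    return {dip: 100.0 * b / total for dip, b in bins.items()}


def top_by_percentage(bins, pct):
    """rwstats --percentage=N: bins whose value is greater than N percent of the
    total, largest first. Returns (dip, bytes, %bytes) tuples."""
    shares = percent_of_total(bins)
    rows = [(d, bins[d], shares[d]) for d in bins if shares[d] > pct]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def top_by_count(bins, n):
    """rwstats --count=N: the N largest bins, each with its %Bytes share."""
    shares = percent_of_total(bins)
    rows = [(d, b, shares[d]) for d, b in bins.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))[:n]


def format_rows(rows):
    """Render rows in an rwstats-like column layout."""
    lines = ["%15s|%10s|%9s|" % ("dIP", "Bytes", "%Bytes")]
    for dip, nbytes, share in rows:
        lines.append("%15s|%10d|%9.6f|" % (dip, nbytes, share))
    return "\n".join(lines)


if __name__ == "__main__":
    for label, records in (("SKEWED", SKEWED), ("FLAT", FLAT)):
        bins = byte_bins(records)
        print(f"{label}: --percentage=1 selects {len(top_by_percentage(bins, 1))} bin(s)")
        print(format_rows(top_by_percentage(bins, 1)))
        print(f"{label}: --count=10")
        print(format_rows(top_by_count(bins, 10)))
```

For baselining a single server's traffic, as Asad wants, the --count form is the more useful first query: it always returns rows, and the %Bytes column tells you whether any threshold-based --percentage query could ever fire on that data.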