Ratop Real Time Country Code Based Usage Example

This video shows a simple implementation of a country code based usage application using ratop().

We will connect to a data source that is adding country codes to flow records. Radium is doing that on this machine on port 562, so we'll use "-S localhost:562" to get our data. Because we are interested in a single country code, we'll need to use the RMON mode of operation, where we convert flow-based data into RMON-oriented data. This is essentially where we convert bidirectional flow data for two network entities into In and Out data for a single network entity, in this case a country. This is done with the "-M rmon" option.

ratop() is a generic aggregator and can aggregate based on country code. In this case we'll use the "-m sco" option. The only thing left is to print out fields of interest. For this example we'll print out "-s stime dur:15 trans sco spkts dpkts sbytes dbytes".

And finally, because country codes are applied to IPv4 addresses, we can use a filter so that only relevant data is processed: "- ipv4".

Once we've gotten ratop() going, we add the "suser:48" field using the ":F" command in ratop. This allows us to see the contents of some of the transactions coming from, or going to, a particular country. For most applications this is enough to identify what type of transaction is going on, or not going on. With this in place, we want to keep the report entries up for an entire day, so we need to set the "idle flow timeout" to 86400 seconds using the ":T" ratop command. This timer is used to remove entries from the display.
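As an added example (not code from the Argus project or from this page), the following Python script reproduces offline what the ratop options above do interactively: it parses ra-style records, folds each bidirectional flow into per-country In and Out counters the way "-M rmon -m sco" does, and expires entries older than the idle flow timeout. The column order and the traffic values are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of ra-style output (not real traffic), one bidirectional flow
# per line, columns in this assumed -s order: stime (epoch seconds) dur trans
# sco dco spkts dpkts sbytes dbytes.
FIELDS = ["stime", "dur", "trans", "sco", "dco", "spkts", "dpkts", "sbytes", "dbytes"]
RA_OUTPUT = """\
1700000000 0.020 1 US DE 1 1 74 148
1700000001 0.015 1 US NL 1 1 74 160
1700000002 5.000 1 US CA 20 18 2400 15000
1700040000 0.030 1 FR US 2 2 150 120
"""

def parse_ra(text):
    """Turn whitespace-separated ra output into a list of dicts keyed by field."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip a header line or anything malformed
        rec = dict(zip(FIELDS, parts))
        for k in ("stime", "spkts", "dpkts", "sbytes", "dbytes"):
            rec[k] = int(rec[k])
        rec["dur"] = float(rec["dur"])
        records.append(rec)
    return records

def rmon_by_country(records, idle_timeout=86400, now=None):
    """Fold bidirectional flows into per-country In/Out counters, as
    '-M rmon -m sco' does: the source country is credited with Out for what it
    sent and In for what it received; the destination country gets the mirror.
    Entries idle longer than idle_timeout seconds (ratop's :T value) are dropped."""
    table = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0,
                                 "in_pkts": 0, "out_pkts": 0, "last": 0})
    for r in records:
        for cc, sent, recv in ((r["sco"], "s", "d"), (r["dco"], "d", "s")):
            e = table[cc]
            e["out_bytes"] += r[sent + "bytes"]; e["out_pkts"] += r[sent + "pkts"]
            e["in_bytes"] += r[recv + "bytes"]; e["in_pkts"] += r[recv + "pkts"]
            e["last"] = max(e["last"], r["stime"])
    if now is None:  # default the clock to the newest record seen
        now = max((r["stime"] for r in records), default=0)
    return {cc: e for cc, e in table.items() if now - e["last"] <= idle_timeout}

if __name__ == "__main__":
    for cc, e in sorted(rmon_by_country(parse_ra(RA_OUTPUT)).items()):
        print(f"{cc} in={e['in_bytes']}B/{e['in_pkts']}p out={e['out_bytes']}B/{e['out_pkts']}p")
```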

In the video we'll wait until we run some scripts to access a number of foreign IP addresses. Notice that a lot of DNS traffic is going to servers that are not in my host country, which is the US. This is curious and very common.
