
How I use argus to learn about outlying bandwidth consumers

flow-inspector and ntopng are very useful for this sort of thing, as they generally take care of visualizing all the traffic stats, but you can use ragraph all the same, as follows. As I’ve yet to implement ntopng, specifically the historic feature, I’m relying on flow-inspector.

Graph of bytes per second (like load, bps) for downloads initiated internally:

ra -r * -w - -t 10:50:00-11:00:00 - src net 192.168.100.0/24 | ragraph saddr dbytes -M 1s -r -

This should indicate the most downloading-ist client. Then you can drill further into this client:

ra -r * -w - -t 10:50:00-11:00:00 - src host 192.168.100.46 | ragraph dbytes daddr -title 'dbytes per second requested by 192.168.100.46' -M 1s -r -

Then you can actually see what’s going on. This will give you the resulting load by destination address:

ra -r * -w - -t 10:50:00-11:00:00 - src host 192.168.100.46 | racluster -M daddr -r - -w - | rasort -M byte load -s saddr daddr load:15 -r - | less

And also, this will give you the load of all transactions between a src host and a dst host, per second:

ra -r * -w - -t 10:50:00-11:00:00 - src host 192.168.100.46 and dst host 128.122.215.45 | rabins -M 1s -s stime ltime saddr daddr load:15 -r - | less

Which can also be expressed as:

ra -r * -w - -t 10:50:00-11:00:00 - src host 192.168.100.46 and dst host 128.122.215.45 | ragraph dbytes -title 'dbytes initiated by 192.168.100.46 downloaded from 128.122.215.45' -M 1s -r -
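
As an added example (not part of the original post): a shell function that ranks source hosts by total dbytes and flags any host above a multiple of the median, giving a textual answer to the question the first graph answers visually. It assumes comma-separated saddr,daddr,dbytes rows on stdin; the function names, the threshold factor and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): rank sources by dbytes, flag outliers.
# stdin: "saddr,daddr,dbytes" rows, assumed to come from something like
#   ra -r FILE -c , -s saddr daddr dbytes - src net 192.168.100.0/24

top_downloaders() {
    factor="${1:-5}"    # flag hosts above factor x median (hypothetical default)
    awk -F, -v factor="$factor" '
        { gsub(/[ \t\r]/, "") }                  # drop padding, re-split fields
        $3 ~ /^[0-9]+$/ { total[$1] += $3 }      # skips header and malformed rows
        END {
            n = 0
            for (h in total) { n++; host[n] = h; val[n] = total[h] }
            if (n == 0) exit
            # insertion sort, descending by bytes
            for (i = 2; i <= n; i++) {
                h = host[i]; v = val[i]
                for (j = i - 1; j >= 1 && val[j] < v; j--) {
                    host[j + 1] = host[j]; val[j + 1] = val[j]
                }
                host[j + 1] = h; val[j + 1] = v
            }
            if (n % 2) { median = val[(n + 1) / 2] }
            else { median = (val[n / 2] + val[n / 2 + 1]) / 2 }
            for (i = 1; i <= n; i++)
                printf "%s %.0f %s\n", host[i], val[i],
                    (val[i] > factor * median ? "OUTLIER" : "ok")
        }'
}

# Constructed sample rows (not real traffic); header line included on purpose.
sample_flows() {
    cat <<'EOF'
SrcAddr,DstAddr,DstBytes
192.168.100.46,128.122.215.45,48000000
192.168.100.46,128.122.215.45,52000000
192.168.100.12,203.0.113.10,900000
192.168.100.12,203.0.113.11,300000
192.168.100.30,198.51.100.7,1500000
192.168.100.77,198.51.100.9,700000
192.168.100.5,203.0.113.10,2000000
EOF
}

sample_flows | top_downloaders 5
```

The median is used as the baseline because a single heavy downloader would drag a mean upward and hide itself.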