racluster(1) - aggregate argus(8) data files.

SYNOPSIS

racluster [-f conf] [-m agr(s)] [-M mode(s)] [raoptions]

OPTIONS

Racluster, like all ra based clients, supports a number of ra options including filtering of input argus records through a terminating filter expression, and the ability to specify the output style, format and contents for printing data. See ra(1) for a complete description of ra options. racluster(1) specific options are:

-m aggregation object
Supported aggregation objects are:

none
use a null flow key.
srcid
argus source identifier.
smac
source mac(ether) addr.
dmac
destination mac(ether) addr.
smpls
source mpls label.
dmpls
destination mpls label.
svlan
source vlan label.
dvlan
destination vlan label.
saddr/[l|m]
source IP addr/[cidr len | m.a.s.k].
daddr/[l|m]
destination IP addr/[cidr len | m.a.s.k].
matrix/l
sorted src and dst IP addr/cidr len.
proto
transaction protocol.
sport
source port number.
dport
destination port number.
stos
source TOS byte value.
dtos
destination TOS byte value.
sttl
src -> dst TTL value.
dttl
dst -> src TTL value.
stcpb
src -> dst TCP base sequence number.
dtcpb
dst -> src TCP base sequence number.
inode
intermediate node, source of ICMP mapped events.
-M modes
Supported modes are:

norep
Do not generate an aggregate statistic for each flow. This is used primarily when the output represents a single object, for example when merging status records to generate single flows that represent single transactions.
rmon
Generate data suitable for producing RMON types of metrics.
ind
Process each input file independently, so that after the end of each input file, racluster flushes its output.
replace
Replace the contents of each input file with the aggregated output.
-V
Verbose operation, printing a line of output for each input file processed. Very useful when using the ra(1) -R option.

INVOCATION

A sample invocation of racluster(1). This call reads argus(8) data from inputfile and aggregates the IP protocol based argus(8) data, based on the source and destination address matrix and the destination port used by tcp flows, and reports the metrics as a percent of the total. For most services, this provides service specific metrics on a client/server basis.

   racluster -% -r inputfile -m saddr daddr dport - \
             tcp and syn and synack

This call reads argus(8) data from inputfile and generates the path information that a traceroute run would generate (assuming that traceroute was run during the observation period).

   racluster -r inputfile -m saddr daddr sttl inode -w - - icmpmap | \
            rasort -m sttl -s saddr dir daddr inode avgdur spkts
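To make the flow-key semantics of the -m objects concrete, here is an added Python illustration (not argus code) of how objects such as saddr/l, daddr/l, matrix/l, proto and dport select the key that records are merged on, and how -% turns the summed counters into percentages of the total. The flow records are constructed sample data, and only the CIDR-length form of saddr/l is modelled, not the m.a.s.k form.

```python
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real argus(8) output); counts are per flow.
FLOWS = [
    {"saddr": "10.0.1.5", "daddr": "192.168.9.20", "proto": "tcp", "sport": 51000, "dport": 443, "pkts": 12, "bytes": 4000},
    {"saddr": "10.0.1.5", "daddr": "192.168.9.20", "proto": "tcp", "sport": 51001, "dport": 443, "pkts": 8, "bytes": 2500},
    {"saddr": "192.168.9.20", "daddr": "10.0.1.5", "proto": "tcp", "sport": 443, "dport": 51002, "pkts": 5, "bytes": 900},
    {"saddr": "10.0.2.7", "daddr": "192.168.9.20", "proto": "tcp", "sport": 40000, "dport": 22, "pkts": 30, "bytes": 9000},
    {"saddr": "10.0.2.9", "daddr": "192.168.9.21", "proto": "udp", "sport": 5353, "dport": 53, "pkts": 2, "bytes": 300},
]

def mask_addr(addr, cidr_len):
    """Keep only the network part of addr, as the saddr/l and daddr/l forms do."""
    return str(ip_network(f"{addr}/{cidr_len}", strict=False).network_address)

def flow_key(flow, objects):
    """Key selected by a list of -m objects: none, saddr[/l], daddr[/l], matrix[/l], proto, sport, dport."""
    key = []
    for obj in objects:
        name, _, cidr = obj.partition("/")
        length = int(cidr) if cidr else None
        if name == "none":
            key.append(None)                     # null flow key: every record merges into one
        elif name in ("saddr", "daddr"):
            key.append(mask_addr(flow[name], length) if length else flow[name])
        elif name == "matrix":
            pair = [flow["saddr"], flow["daddr"]]
            if length:
                pair = [mask_addr(a, length) for a in pair]
            key.extend(sorted(pair, key=ip_address))  # sorted, so direction does not matter
        elif name in ("proto", "sport", "dport"):
            key.append(flow[name])
        else:
            raise ValueError(f"aggregation object not modelled here: {obj}")
    return tuple(key)

def aggregate(flows, objects, percent=False):
    """Merge flows that share a key, summing pkts and bytes; percent mirrors the -% option."""
    out = {}
    for flow in flows:
        agg = out.setdefault(flow_key(flow, objects), {"flows": 0, "pkts": 0, "bytes": 0})
        agg["flows"] += 1; agg["pkts"] += flow["pkts"]; agg["bytes"] += flow["bytes"]
    if percent:
        total_pkts = sum(a["pkts"] for a in out.values())
        total_bytes = sum(a["bytes"] for a in out.values())
        for agg in out.values():
            agg["pkts"] = round(100.0 * agg["pkts"] / total_pkts, 2)
            agg["bytes"] = round(100.0 * agg["bytes"] / total_bytes, 2)
    return out
```

With ["saddr", "daddr", "dport"] the two client-to-server HTTPS flows merge while the reverse-direction flow stays separate; with ["matrix/24"] all three collapse into one /24 pair, which is the difference between the per-service and the traffic-matrix views described above.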

COPYRIGHT

Copyright (c) 2000-2008 QoSient. All rights reserved.

FILES

AUTHORS

Carter Bullard ([email protected]).

BUGS