AUDITING NETWORK ACTIVITY

Rabins Examples

The argus-clients package provides a set of core client programs that provide the basic functions needed to use argus flow data. This includes printing, processing, sorting, aggregating, tallying, collecting, distributing, archiving, and anonymizing data. Here we provide basic examples of how to use the utility rabins. For these examples, we use standard sets of argus data.

Rabins structures argus data streams to conform to various "bins". Known as a stream block processor, rabins takes in an argus data stream and outputs aggregated argus data that conforms to time-, size- or count-based blocks of data. This process is critical to any type of time-series processing and analysis, such as graphing, where every data point must cover the same fixed interval.

In this first, rather complex example, rabins reads the file argus.simple.data.out, structures the data into 10 minute time bins, and aggregates any data that falls into a particular bin, using an aggregation key (-m saddr daddr dport) that ignores the source port of the transactions. We use this type of example to show that the aggregation is performed only within the scope of a single bin: the same flow key seen in two different bins (the arp records from 192.168.0.68 to 192.168.0.66 below) produces one output record per bin rather than one merged record.

rabins -r argus.simple.data.out -M time 10m hard -m saddr daddr dport -s +1dur +2trans -p2
StartTime       Dur  Trans Proto       SrcAddr Dir       DstAddr  Dport TotPkts  TotBytes State
 17:40:00.00 600.00      9   tcp  192.168.0.68  -> 128.2.129.188.http        61     35655   FIN
 17:40:00.00 600.00      3   tcp  192.168.0.68  -> 216.92.14.146.http        24     15168   FIN
 17:40:00.00 600.00      2   udp  192.168.0.68 <->  192.168.0.66.domain       4       439   CON
 17:40:00.00 600.00      1   arp  192.168.0.68 who   192.168.0.1              2       106   CON
 17:40:00.00 600.00      1   arp  192.168.0.66 who   192.168.0.1              1        64   INT
 17:40:00.00 600.00      1   arp  192.168.0.68 who  192.168.0.66              1        42   INT
 17:50:00.00 600.00      2   arp  192.168.0.68 who  192.168.0.66              5       276   CON
 17:50:00.00 600.00      3   arp  192.168.0.66 who   192.168.0.1              3       192   INT

With the "hard" option, rabins sets the start and end times of the resulting argus records to the bin start and stop times, so every record in the 17:40 bin above starts at 17:40:00.00 with a duration of 600.00 seconds, whatever the actual timing of the flows inside it. This is critical when the analytics are designed to generate averages that cover the complete time range, such as bytes per second over the whole bin. However, if you are interested in metrics such as "instantaneous peak burst rate" or "peak load" within a bin, where the true duration of the activity matters, you will use the soft option, as below.

rabins -r argus.simple.data.out -M time 10m soft -m saddr daddr dport -s +1dur +2trans -p2
StartTime       Dur  Trans Proto       SrcAddr Dir       DstAddr  Dport TotPkts  TotBytes State
 17:48:36.59  27.20      9   tcp  192.168.0.68  -> 128.2.129.188.http        61     35655   FIN
 17:48:36.63  27.16      3   tcp  192.168.0.68  -> 216.92.14.146.http        24     15168   FIN
 17:48:36.58   0.00      2   udp  192.168.0.68 <->  192.168.0.66.domain       4       439   CON
 17:48:36.59   0.00      1   arp  192.168.0.68 who   192.168.0.1              2       106   CON
 17:48:36.59   0.00      1   arp  192.168.0.66 who   192.168.0.1              1        64   INT
 17:48:36.58   0.00      1   arp  192.168.0.68 who  192.168.0.66              1        42   INT
 17:50:00.00 130.14      2   arp  192.168.0.68 who  192.168.0.66              5       276   CON
 17:50:00.00 130.14      3   arp  192.168.0.66 who   192.168.0.1              3       192   INT

This generates flows within bins that keep their natural start times and durations; a flow that crosses a bin boundary is clipped at it, which is why the records in the 17:50 bin above start at exactly 17:50:00.00. Notice that, within each bin, the output is sorted by the number of packets, descending. The sorting algorithm can be changed in the .rarc file.
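To make the hard/soft distinction and the per-bin aggregation of both examples above concrete, here is a small Python model of what rabins -M time 10m hard|soft -m saddr daddr dport does, run over constructed flow records so it works offline. This is an added example, not code from the argus-clients package. It assumes that a record crossing a bin boundary is split at the boundary with its packet and byte counts shared in proportion to the time spent in each bin, and it keeps proto in the key so tcp and udp rows stay separate; the Flow and BinRec types, the rabins_time() function and the sample records are all invented for this illustration.

```python
"""Added example (not argus-clients code): a model of `rabins -M time 10m hard|soft
-m saddr daddr dport` run on constructed flow records, so it works offline.
Assumptions: a record crossing a bin boundary is split at the boundary and its packet and
byte counts are shared in proportion to the time spent in each bin; 'hard' pins
StartTime/Dur to the bin edges, 'soft' keeps the clipped natural start and end; output
is sorted by bin start, then packets descending (the default sort seen on the page)."""
import math
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One input flow record; times are seconds since midnight for readability."""
    start: float
    dur: float
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    pkts: int
    nbytes: int


@dataclass
class BinRec:
    """One output record for a (bin, proto, saddr, daddr, dport) key."""
    bin_start: float
    start: float   # earliest clipped start merged into this record
    end: float     # latest clipped end merged into this record
    trans: int     # number of input records merged (the 'trans' column)
    proto: str
    saddr: str
    daddr: str
    dport: int
    pkts: float
    nbytes: float

    @property
    def dur(self) -> float:
        return self.end - self.start


def split_into_bins(flow: Flow, binsize: float) -> Iterator[Tuple[float, float, float, float]]:
    """Yield (bin_start, clipped_start, clipped_end, share) for every bin the flow touches.
    'share' is the fraction of the flow's time inside that bin; a flow lying wholly in one
    bin (including a zero-duration flow) gets exactly 1.0, avoiding float drift and a
    division by zero."""
    end = flow.start + flow.dur
    b = math.floor(flow.start / binsize) * binsize
    while True:
        b_end = b + binsize
        cs, ce = max(flow.start, b), min(end, b_end)
        share = 1.0 if (cs == flow.start and ce == end) else (ce - cs) / flow.dur
        yield b, cs, ce, share
        if end <= b_end:
            break
        b = b_end


def rabins_time(flows: List[Flow], binsize: float, mode: str) -> List[BinRec]:
    """Aggregate flows into fixed time bins; mode is 'hard' or 'soft'. The key drops sport,
    as `-m saddr daddr dport` does; proto is kept so tcp and udp rows stay apart."""
    if mode not in ("hard", "soft"):
        raise ValueError("mode must be 'hard' or 'soft'")
    table: Dict[Tuple, BinRec] = {}
    for f in flows:
        for b, cs, ce, share in split_into_bins(f, binsize):
            key = (b, f.proto, f.saddr, f.daddr, f.dport)
            rec = table.get(key)
            if rec is None:
                rec = table[key] = BinRec(b, cs, ce, 0, f.proto, f.saddr, f.daddr, f.dport, 0.0, 0.0)
            rec.trans += 1
            rec.pkts += f.pkts * share
            rec.nbytes += f.nbytes * share
            rec.start, rec.end = min(rec.start, cs), max(rec.end, ce)
    out = list(table.values())
    if mode == "hard":  # every record spans exactly its bin
        for rec in out:
            rec.start, rec.end = rec.bin_start, rec.bin_start + binsize
    out.sort(key=lambda r: (r.bin_start, -r.pkts))
    return out


def hms(sec: float) -> str:
    h, rem = divmod(sec, 3600)
    m, s = divmod(rem, 60)
    return f"{int(h):02d}:{int(m):02d}:{s:05.2f}"


def format_table(recs: List[BinRec]) -> str:
    head = f"{'StartTime':>11} {'Dur':>7} {'Trans':>5} {'Proto':>5} {'SrcAddr':>14} {'DstAddr':>14} {'Dport':>5} {'TotPkts':>7} {'TotBytes':>8}"
    rows = [f"{hms(r.start):>11} {r.dur:7.2f} {r.trans:5d} {r.proto:>5} {r.saddr:>14} {r.daddr:>14} {r.dport:5d} {round(r.pkts):7d} {round(r.nbytes):8d}" for r in recs]
    return "\n".join([head] + rows)


T = 17 * 3600 + 48 * 60 + 36.59  # 17:48:36.59, the first start time on the page
SAMPLE_FLOWS = [  # constructed records, loosely modelled on the page's output
    Flow(T, 27.20, "tcp", "192.168.0.68", 50001, "128.2.129.188", 80, 40, 20000),
    Flow(T + 3.41, 10.00, "tcp", "192.168.0.68", 50002, "128.2.129.188", 80, 21, 15655),
    # DNS exchange from 17:49:30 to 17:51:30: it straddles the 17:50:00 bin boundary
    Flow(17 * 3600 + 49 * 60 + 30.0, 120.0, "udp", "192.168.0.68", 51234, "192.168.0.66", 53, 20, 2000),
    Flow(T - 0.01, 0.0, "arp", "192.168.0.68", 0, "192.168.0.66", 0, 1, 42),  # zero duration
]

if __name__ == "__main__":
    for mode in ("hard", "soft"):
        print(f"# -M time 10m {mode}")
        print(format_table(rabins_time(SAMPLE_FLOWS, 600.0, mode)), end="\n\n")
```

Running it prints one table per mode. The two HTTP connections with different source ports collapse into one record with Trans 2 and 61 packets in both modes, but the DNS flow that straddles 17:50:00 is the instructive one: hard mode yields two records of 600.00 seconds each, soft mode yields 30.00 seconds in the 17:40 bin and 90.00 seconds in the 17:50 bin, carrying 5 and 15 of its 20 packets respectively, which is why soft is the mode for peak-rate calculations and hard for whole-interval averages.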