RACLUSTER(1) General Commands Manual RACLUSTER(1)

NAME
racluster - aggregate argus(8) data files.

SYNOPSIS
racluster [-f conf] [-m agr(s)] [-M mode(s)] [raoptions] [-- filter-expression]

DESCRIPTION
Racluster reads argus data from an argus-data source, clusters/merges the records based on the flow key criteria specified either on the command line or in a racluster configuration file, and outputs a valid argus-stream. This tool is primarily used for data mining, data management and report generation.

The default action is to merge status records from the same flow and argus probe, providing in some cases huge data reduction with limited loss of flow information. Racluster provides the ability to modify the flow model key, either using the "-m" option or in the racluster.conf file, allowing records to be clustered based on any number of attributes. This supports the development of important reports, such as MPLS LSP usage statistics, DiffServ flow marking policy verification, VLAN group behavior, IP distance related measurements, routing loop detection, traceroute path data recovery, and complex availability/reachability reports, to name just a few useful applications.

Please see racluster(5) for detailed information regarding racluster configuration.

OPTIONS
Racluster, like all ra-based clients, supports a number of ra options, including filtering of input argus records through a terminating filter expression, and the ability to specify the output style, format and contents for printing data. See ra(1) for a complete description of ra options. The racluster(1)-specific options are:

-m aggregation object
Supported aggregation objects are:
none          use a null flow key.
srcid         argus source identifier.
smac          source mac(ether) addr.
dmac          destination mac(ether) addr.
soui          oui portion of the source mac(ether) addr.
doui          oui portion of the destination mac(ether) addr.
smpls         source mpls label.
dmpls         destination label addr.
svlan         source vlan label.
dvlan         destination vlan addr.
saddr/[l|m]   source IP addr/[cidr len | m.a.s.k].
daddr/[l|m]   destination IP addr/[cidr len | m.a.s.k].
matrix/l      sorted src and dst IP addr/cidr len.
proto         transaction protocol.
sport         source port number. Implies use of 'proto'.
dport         destination port number. Implies use of 'proto'.
stos          source TOS byte value.
dtos          destination TOS byte value.
sttl          src -> dst TTL value.
dttl          dst -> src TTL value.
stcpb         src -> dst TCP base sequence number.
dtcpb         dst -> src TCP base sequence number.
inode/[l|m]   intermediate node IP addr/[cidr len | m.a.s.k], source of ICMP mapped events.
sco           source ARIN country code, if present.
dco           destination ARIN country code, if present.
sas           source node origin AS number, if available.
das           destination node origin AS number, if available.
ias           intermediate node origin AS number, if available.

-M modes
Supported modes are:
correct     Attempt to correct the direction of flows by also searching the reverse flow key if a match isn't found in the cache. This mode is on by default when using the default full 5-tuple flow key definitions.
nocorrect   Turn off flow direction correction. This mode is used by default if the flow key has been changed.
norep       Do not generate an aggregate statistic for each flow. This is used primarily when the output represents a single object, i.e. when merging status records to generate single flows that represent single transactions.
rmon        Generate data suitable for producing RMON types of metrics.
ind         Process each input file independently, so that after the end of each input file, racluster flushes its output.
replace     Replace each input file's contents with the aggregated output. The initial file compression status is maintained.

-V Verbose operation, printing a line of output for each input file processed. Very useful when using the ra(1) -R option.

EXAMPLES
A sample invocation of racluster(1). This call reads argus(8) data from the input file and aggregates the TCP protocol based argus(8) data. By default, racluster(1) merges using the standard 5-tuple flow key. This method is used to merge multiple status records into a single flow record per transaction.

% ra -r argus.tcp.2012.02.13.12.20.00
StartTime Dur Trans Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts State
12:23:07.268 0.997 1 e i tcp 192.168.0.68.59016 -> 208.59.201.75.http 298 CON
12:23:08.294 1.000 1 e tcp 192.168.0.68.59016 -> 208.59.201.75.http 111 CON
12:23:09.294 0.991 1 e d tcp 192.168.0.68.59016 -> 208.59.201.75.http 637 CON
12:23:10.331 0.330 1 e tcp 192.168.0.68.59016 -> 208.59.201.75.http 89 CON
12:23:32.183 0.010 1 e tcp 192.168.0.68.59016 -> 208.59.201.75.http 3 FIN

% racluster -r argus.tcp.2012.02.13.12.20.00
StartTime Dur Trans Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts State
12:23:07.268 24.925 5 e d tcp 192.168.0.68.59016 -> 208.59.201.75.http 1138 FIN

A sample invocation of racluster(1). This call reads argus(8) data from the input file and aggregates the TCP protocol based argus(8) data, based on the source and destination address matrix and the protocol. It reports the metrics as a percent of the total.

% racluster -r argus.2012.02.13.17.20.00 -m saddr/16 daddr proto -% \
-s stime dur trans proto saddr dir daddr pkts state - tcp and port https

StartTime Dur pTrans Proto SrcAddr Dir DstAddr pTotPkts State
17:49:54.225 8.101 33.333 tcp 192.168.0.0/16 -> 17.154.66.18 23.372 FIN
17:48:42.607 179.761 13.333 tcp 192.168.0.0/16 -> 17.172.224.25 31.052 FIN
17:50:01.113 0.803 6.667 tcp 192.168.0.0/16 -> 17.250.248.161 5.676 FIN
17:49:54.525 1.153 6.667 tcp 192.168.0.0/16 -> 64.12.173.137 5.509 FIN
17:50:35.411 101.133 26.667 tcp 192.168.0.0/16 -> 184.28.150.87 19.199 RST
17:49:56.061 73.415 6.667 tcp 192.168.0.0/16 -> 205.188.8.47 11.018 RST
17:49:55.677 0.434 6.667 tcp 192.168.0.0/16 -> 205.188.101.10 4.174 FIN

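The two examples above show the result of racluster's merge but not the merge itself. The following Python model, added here as an example and not part of argus or racluster, reproduces what the -m flow key and the -% option do, as described in this page: it merges the five status records from the first example into one flow record with the default 5-tuple key (checking that Dur, Trans, TotPkts and State come out as 24.925, 5, 1138 and FIN), and then applies a modified key equivalent to "-m saddr/16 daddr proto -%" to a small constructed set of https records. The FlowRecord class, the merge rules (earliest start, span to the latest end, summed counters, state of the latest record) and the constructed https records are assumptions made for the illustration; direction correction (-M correct) is not modelled.

```python
"""Added example: a small model of racluster's merge, the -m flow key and
the -% percentage mode.  Not argus/racluster code; the record layout and
merge rules are assumptions taken from the racluster(1) man page text."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List, Tuple


def hms_to_seconds(stamp: str) -> float:
    """'12:23:07.268' -> seconds since midnight (StartTime column)."""
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class FlowRecord:
    stime: float   # start time, seconds since midnight
    dur: float     # duration in seconds
    trans: int     # transactions (status records) merged into this record
    proto: str
    saddr: str
    sport: str
    daddr: str
    dport: str
    pkts: int
    state: str


# Constructed from the 'ra -r argus.tcp.2012.02.13.12.20.00' output in the man page.
STATUS_RECORDS = [
    FlowRecord(hms_to_seconds("12:23:07.268"), 0.997, 1, "tcp", "192.168.0.68", "59016", "208.59.201.75", "http", 298, "CON"),
    FlowRecord(hms_to_seconds("12:23:08.294"), 1.000, 1, "tcp", "192.168.0.68", "59016", "208.59.201.75", "http", 111, "CON"),
    FlowRecord(hms_to_seconds("12:23:09.294"), 0.991, 1, "tcp", "192.168.0.68", "59016", "208.59.201.75", "http", 637, "CON"),
    FlowRecord(hms_to_seconds("12:23:10.331"), 0.330, 1, "tcp", "192.168.0.68", "59016", "208.59.201.75", "http", 89, "CON"),
    FlowRecord(hms_to_seconds("12:23:32.183"), 0.010, 1, "tcp", "192.168.0.68", "59016", "208.59.201.75", "http", 3, "FIN"),
]

# Constructed https records (not from the man page) for the '-m saddr/16 daddr proto' case.
HTTPS_RECORDS = [
    FlowRecord(hms_to_seconds("17:49:54.225"), 8.101, 1, "tcp", "192.168.0.68", "50001", "17.154.66.18", "https", 40, "FIN"),
    FlowRecord(hms_to_seconds("17:49:55.000"), 2.000, 1, "tcp", "192.168.3.9", "50002", "17.154.66.18", "https", 60, "FIN"),
    FlowRecord(hms_to_seconds("17:50:35.411"), 101.133, 1, "tcp", "192.168.0.68", "50003", "184.28.150.87", "https", 100, "RST"),
]

DEFAULT_KEY = ["saddr", "sport", "daddr", "dport", "proto"]  # racluster's default 5-tuple


def key_value(rec: FlowRecord, obj: str) -> str:
    """Apply one '-m' aggregation object to a record.  'saddr/16' masks the
    address to its /16 network, which is how racluster prints 192.168.0.0/16;
    sport/dport imply proto, as the man page states."""
    name, _, masklen = obj.partition("/")
    if name in ("saddr", "daddr") and masklen:
        return str(ip_network(f"{getattr(rec, name)}/{masklen}", strict=False))
    if name in ("sport", "dport"):
        return f"{rec.proto}:{getattr(rec, name)}"
    return getattr(rec, name)


def racluster(records: Iterable[FlowRecord], key_objs: List[str] = DEFAULT_KEY) -> List[FlowRecord]:
    """Merge all records that share a flow key into one record: earliest start,
    duration spanning to the latest end, summed Trans and TotPkts, and the
    State of the latest record (assumed merge rules)."""
    buckets: Dict[Tuple[str, ...], List[FlowRecord]] = {}
    for rec in records:
        buckets.setdefault(tuple(key_value(rec, o) for o in key_objs), []).append(rec)
    out = []
    for group in buckets.values():
        group.sort(key=lambda r: r.stime)
        first, last = group[0], group[-1]
        end = max(r.stime + r.dur for r in group)
        merged = FlowRecord(first.stime, round(end - first.stime, 3), sum(r.trans for r in group),
                            first.proto, first.saddr, first.sport, first.daddr, first.dport,
                            sum(r.pkts for r in group), last.state)
        for obj in key_objs:  # report masked addresses as the network, e.g. 192.168.0.0/16
            name, _, masklen = obj.partition("/")
            if name in ("saddr", "daddr") and masklen:
                setattr(merged, name, key_value(first, obj))
        out.append(merged)
    return sorted(out, key=lambda r: r.stime)


def percent_mode(records: List[FlowRecord]) -> List[dict]:
    """The '-%' option: Trans and TotPkts reported as a percent of the totals
    over the output records (pTrans / pTotPkts columns)."""
    tot_trans = sum(r.trans for r in records) or 1
    tot_pkts = sum(r.pkts for r in records) or 1
    return [{"saddr": r.saddr, "daddr": r.daddr, "proto": r.proto, "state": r.state,
             "pTrans": round(100.0 * r.trans / tot_trans, 3),
             "pTotPkts": round(100.0 * r.pkts / tot_pkts, 3)} for r in records]


if __name__ == "__main__":
    for r in racluster(STATUS_RECORDS):            # default 5-tuple merge, first example
        print(f"dur={r.dur} trans={r.trans} pkts={r.pkts} state={r.state}")
    for row in percent_mode(racluster(HTTPS_RECORDS, ["saddr/16", "daddr", "proto"])):
        print(row)                                 # modified key with -%, constructed input
```

The first loop reproduces the single FIN record of the first example (duration 24.925 s, 5 transactions, 1138 packets); the second shows why a /16 source key collapses every internal host into one 192.168.0.0/16 row per destination, which is the data reduction the page describes for reporting, and also why nocorrect becomes the default once the key no longer identifies a single bidirectional flow.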
COPYRIGHT
Copyright (c) 2000-2016 QoSient. All rights reserved.

SEE ALSO
racluster(5), ra(1), rarc(5), argus(8)

AUTHORS
Carter Bullard (carter@qosient.com).

racluster 3.0.8 07 October 2003 RACLUSTER(1)