Adeptus-Mechanicus

Main
Codex
Librarium Whitehat
Advisories
Blog Pics
"Inveniam viam aut faciam" : I will either find a way, or I shall make one


TRAFFIC MONITORING - ARGUS

One of the first rules of looking after any network is knowing what is happening on that network, becuase only then can see what should not be there. The first step on this road is to know what is leaving or entering your network and, of course, the best place to start looking is your firewall. now me being the cheapskate I am, I like to use free software. I have already spoken about using rrdtool for graphing (see here), but how do we get the details about our traffic to make the graphs? Enter argus (homepage here), an exceptionally useful tool, which is capable of very much more then protocol counts, but we will use it for that here.

What is needed?
A linux box (of course), rrdtool running somewhere and argus - both the server and the client. For ease of use, we will set both of those up on the same server. Lets first get and install the argus server..
wget ftp://qosient.com/dev/argus-3.0/argus-3.0.0.tar.gz
tar -xzvf argus-3.0.0.tar.gz
-cd into argus directory-
configure ; make ; make install

now we need to do some basic setup to get argus running..
cd support/
cd Config/
mkdir /etc/argus
cp ./argus.conf /etc/argus
chmod 600 /etc/argus/argus.conf
cd ..
cd Startup/
cp ./argus /etc/init.d
chmod 755 /etc/init.d/argus
chkconfig --add argus

lets get a little more detailed, we go into the argus configuration file, now make sure the following fields match your setup and needs..
cd /etc/argus
mkdir /var/log/argus
vi ./argus.conf

ARGUS_MONITOR_ID
ARGUS_INTERFACE
ARGUS_OUTPUT_FILE
ARGUS_GENERATE_RESPONSE_TIME_DATA
ARGUS_GENERATE_MAC_DATA

Almost done. Lets make sure that argus starts up ok..
cd /etc/init.d
vi ./argus

-make sure the setup reflects where you have the configuration file-

Finally, start the argus server..
/etc/init.d/argus start

Now if all has gone well, you will have your argus server busy collecting information about the traffic flowing in/out/through your system. But we still need to get that data into a meaningful format so we can graph it. For that we will need the argus client package. So lets get and install that..
wget ftp://qosient.com/dev/argus-3.0/argus-clients-3.0.0.tar.gz
tar -xzvf argus-clients-3.0.0.tar.gz
cd argus-clients-3.0.0
configure ; make ; make install

Now you have all the client tools (racluster , ra , etc). So lets take a look at using these tools. Lets first find out what type of packets are being seen..
/usr/local/bin/racluster -r /var/log/argus/argus.out -m proto -t `date +%T --date '5 minutes ago'`-`date +%T` -s proto pkts bytes load rate loss

This will tell us the breakdown between tcp/udp/icmp/etc for the last 5 minutes. Nice but nowhere near a protocol based breakdown. To get that into a nice format we can use for our graphs, we will need a bit of scripting and as always I take no responsibilty if you use my script, I make no claim that it is pretty, optimized, or a work of art. But it works for me and make any changes you want. I put this in a scipt called port_cnt.sh..
##SETUP VARIABLES
MIN=5
RAC=/usr/local/bin/racluster
RAS=/usr/local/bin/rasort
LOG=/var/log/argus/argus.out
TMP1=/tmp/argus.port.in
TMP2=/tmp/argus.oth.in
DT1=`date +%H:%M`
DT2=`date +%H:%M -d '-5 min'`

##GET STATS INTO A TEMP FILE
$RAC -m proto dport -n -r $LOG -s saddr daddr sport dport bytes -t $DT2-$DT1 -w - | $RAS -n -m bytes -s dport bytes > $TMP1

##A FOR LOOP THROUGH ALL THE PORTS WE ARE INTERESTED IN WHICH DISPLAYS <PORT> <BYTES>
for x in 21 22 25 53 80 110 143 443 444 445 1194 1433 1863 3306 5432
 do
  RSLT=`cat $TMP1 | grep -w $x 1> /dev/null ; echo $?`
  echo $x >> $TMP2
  if [ $RSLT == 1 ]
   then
    echo "$x      0" | gawk '{ print $1, $2 }'
   else
    cat $TMP1 | grep -w $x | gawk '{ print $1, $2 }'
  fi
 done

##NOW WE COUNT EVERYTHING ELSE
SUM=0
for y in `cat $TMP1 | grep -v -f $TMP2 | gawk '{ print $2 }'`
 do
  SUM=`expr $SUM \+ $y`
 done
echo "other $SUM"

#CLEANUP
rm -rf $TMP1
rm -rf $TMP2

That will give you a list of ports with the amount of bytes seen for that port in the last 5 minutes, which makes it easy to dump into rrdtool.

Last Words
This is a good example of how a couple of open source tools can really complement each other, gotta love it. Also please remember, argus is capable of a lot more then this and can used to gather all sorts of funky netflow data. So play around a bit more with it. As always have fun and learn.