This web page is a "teaser" demonstrating FlowScan's upcoming support for Argus as a flow source.
The graphs and reports below are my first attempt at using FlowScan with Argus. About 48 hours of IP traffic between a single host and the rest of the world is represented here. The arrow of time points to the right.
Here are some notes on what is shown:
- The daily profile of IP traffic involving this host was unknown until these graphs were produced. After some consideration of the graphs, it appears that they show the "normal" behavior for this host.
- The two large spikes in the "bits/sec" graphs are nightly backups, made with an application whose TCP port numbers are "unidentified" by FlowScan (not in its list of well-known services).
- This host is involved in lots of ICMP exchanges. It continually performs reachability tests (perhaps about 20 per second), and also does periodic ping sweeps of two full class B networks. These sweeps, scheduled to run at four-hour intervals, are responsible for the steps and plateaus of ICMP traffic in the "flows/sec" and "pkts/sec" graphs: every probed address is a separate flow, so a sweep raises the flow count far more than it raises the packet or byte counts.
- A large number of SNMP and ping requests originate from this host and are responsible for its UDP and ICMP traffic levels rivaling its TCP traffic in the "pkts/sec" graph.
- The unidentified TCP traffic responsible for the hourly spikes in the "pkts/sec" graph is MySQL traffic on an unreserved TCP port. Because FlowScan does not identify that TCP port number, the traffic is not broken out in the "Well Known Services" graphs and shows there as transparent. (Note that FlowScan can be configured (and was) to track that TCP port. The final graph is a custom graph created with RRGrapher which shows that traffic.)
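To make the last two notes concrete, here is an added illustration (my own example, not code from FlowScan or Argus) of how a port-based classifier like FlowScan's buckets flow records, and why a service on an unlisted port lands in "unidentified" until its port is configured. The flow records are constructed (documentation address ranges), the default service tables are assumptions rather than FlowScan's actual configuration, and TCP port 6306 is a hypothetical stand-in for the unreserved MySQL port mentioned above. The small ICMP sweep also shows why a sweep moves flows/sec much more than pkts/sec.

```python
"""Added illustration, not code from FlowScan, Argus or this page.

Mimics port-based service bucketing: a TCP/UDP flow is attributed to a
configured service if either port matches, otherwise it is "unidentified".
Sample records and service tables are constructed assumptions.
"""
from collections import defaultdict

# Constructed records in the spirit of Argus "ra" output:
# (proto, src, sport, dst, dport, pkts, bytes)
SAMPLE_FLOWS = [
    ("tcp", "192.0.2.10", 34567, "198.51.100.5", 22, 40, 6000),        # ssh
    ("tcp", "192.0.2.10", 34570, "198.51.100.5", 6306, 900, 120000),   # MySQL on hypothetical port 6306
    ("tcp", "192.0.2.10", 34571, "198.51.100.5", 6306, 850, 118000),
    ("udp", "192.0.2.10", 50001, "198.51.100.7", 161, 2, 300),         # SNMP poll
    ("udp", "192.0.2.10", 50002, "198.51.100.8", 161, 2, 300),
]
# A constructed ping sweep: one echo request per target host. Each target is
# its own flow, so the flow count climbs while packets and bytes barely move.
SAMPLE_FLOWS += [
    ("icmp", "192.0.2.10", 0, f"203.0.113.{h}", 0, 1, 84) for h in range(1, 21)
]

# Assumed "well known" tables; FlowScan's real list is configured separately.
DEFAULT_TCP_SERVICES = {22: "ssh", 25: "smtp", 80: "http", 443: "https"}
DEFAULT_UDP_SERVICES = {53: "dns", 161: "snmp"}


def classify(flow, tcp_services=DEFAULT_TCP_SERVICES, udp_services=DEFAULT_UDP_SERVICES):
    """Return the bucket a flow record falls into, e.g. 'tcp:ssh' or 'icmp'."""
    proto, _src, sport, _dst, dport, _pkts, _bytes = flow
    if proto == "icmp":
        return "icmp"
    table = tcp_services if proto == "tcp" else udp_services
    # A service is recognised if either end of the flow uses a configured port.
    for port in (sport, dport):
        if port in table:
            return f"{proto}:{table[port]}"
    return f"{proto}:unidentified"


def summarize(flows, tcp_services=DEFAULT_TCP_SERVICES, udp_services=DEFAULT_UDP_SERVICES):
    """Return {bucket: {"flows": n, "pkts": n, "bytes": n}} for the records."""
    totals = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0})
    for flow in flows:
        bucket = classify(flow, tcp_services, udp_services)
        totals[bucket]["flows"] += 1
        totals[bucket]["pkts"] += flow[5]
        totals[bucket]["bytes"] += flow[6]
    return dict(totals)


if __name__ == "__main__":
    before = summarize(SAMPLE_FLOWS)
    # Adding the port to the tracked list (as was done for the final graph)
    # moves the MySQL traffic out of the unidentified bucket.
    after = summarize(SAMPLE_FLOWS, {**DEFAULT_TCP_SERVICES, 6306: "mysql"})
    for label, summary in (("default services", before), ("with port 6306 tracked", after)):
        print(label)
        for bucket, t in sorted(summary.items()):
            print(f"  {bucket:18} flows={t['flows']:3} pkts={t['pkts']:5} bytes={t['bytes']}")
```

With the default table the two MySQL flows carry most of the TCP bytes yet appear only as "tcp:unidentified"; once 6306 is added they are reported as "tcp:mysql". The twenty ICMP records contribute twenty flows but only twenty packets, which is the shape of the sweep-driven steps in the "flows/sec" graph.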