File: ratop.1

Package: argus-clients 1:5.0.2+git20250321.41f65e2-2 (Debian sid, trixie)
.\"
.\" Argus-5.0 Software
.\" Copyright (c) 2000-2024 QoSient, LLC
.\" All rights reserved.
.\"
.\"
.de TQ
.  br
.  ns
.  TP \\$1
..
.TH RATOP 1 "12 July 2023" "ratop 5.0.3"
.SH NAME
\fBratop\fP \- display and update sorted network flow data
.SH SYNOPSIS
\fBratop\fP [\fBraoptions\fP] [\fB--\fP \fIfilter-expression\fP]
.SH DESCRIPTION
.IX  "ratop command"  ""  "\fLra\fP \(em argus data"
.LP
.B Ratop
reads
.BR argus(8)
data from an \fIargus-file\fP, or from a remote data source, and
periodically displays a sorted list of network flow records.  When
read from a file, \fBratop\fP displays the resulting flow caches
when the file is completed, updating its status display line with
each input.  When reading from a live argus data stream, \fBratop\fP
will display data, asynchronously in realtime, as it is received
from the source.

Flow data is aggregated as it is read (see \fBracluster(1)\fP), resulting
in a single line for each network transaction encountered in the
data stream.  The default sorting key is total packets per flow,
but other keys can be used instead.  Flow records that have been
idle for longer than the default timeout of 60s are removed.
Various output options, such as the specific columns of data to display,
the entry idle timeout value, the screen refresh rate, etc., are
all configurable.

\fBratop\fP uses \fBncurses\fP and \fBreadline(3)\fP, when available, to provide
an \fBemacs(1)\fP or \fBvi(1)\fP look and feel for displaying, navigating and
modifying network flow data.  Configure these features using \fBreadline\fP's
own configuration mechanism.  See 'man readline'.

While running \fBratop\fP, extensive help is available from the on-line
help system, using the ":h" command.

.SH OPTIONS
Command line option specifications are processed from left to right.
Options can be specified more than once.
If conflicting options are specified, later specifications override earlier
ones.
This makes it viable to create a shell alias for
.B ratop
with preferred defaults specified, then override those preferred defaults as
desired on the command line.

\fBratop\fP, like all ra based clients, supports a number of \fBra options\fP
including filtering of input argus records through a terminating filter
expression, and the ability to specify the output style, format and contents
for printing data.  See \fBra(1)\fP for a complete description of \fBra options\fP.
\fBratop(1)\fP specific options are:
.PP
.PD 0
.TP 4 4
.BI \-m "\| aggregation object\^"
Supported aggregation objects are:
.PP
.RS
.TP 15
.B none
use a null flow key.
.TP
.B srcid
argus source identifier.
.TP
.B smac
source mac(ether) addr.
.TP
.B dmac
destination mac(ether) addr.
.TP
.B soui
oui portion of the source mac(ether) addr.
.TP
.B doui
oui portion of the destination mac(ether) addr.
.TP
.B smpls
source mpls label.
.TP
.B dmpls
destination mpls label.
.TP
.B svlan
source vlan label.
.TP
.B dvlan
destination vlan label.
.TP
.B saddr/[l|m]
source IP addr/[cidr len | m.a.s.k].
.TP
.B daddr/[l|m]
destination IP addr/[cidr len | m.a.s.k].
.TP
.B matrix/l
sorted src and dst IP addr/cidr len.
.TP
.B proto
transaction protocol.
.TP
.B sport
source port number. Implies use of 'proto'.
.TP
.B dport
destination port number. Implies use of 'proto'.
.TP
.B stos
source TOS byte value.
.TP
.B dtos
destination TOS byte value.
.TP
.B sttl
src -> dst TTL value.
.TP
.B dttl
dst -> src TTL value.
.TP
.B stcpb
src -> dst TCP base sequence number.
.TP
.B dtcpb
dst -> src TCP base sequence number.
.TP
.B inode/[l|m]
intermediate node IP addr/[cidr len | m.a.s.k], source of ICMP mapped events.
.TP
.B sco
source ARIN country code, if present.
.TP
.B dco
destination ARIN country code, if present.
.TP
.B sas
source node origin AS number, if available.
.TP
.B das
destination node origin AS number, if available.
.TP
.B ias
intermediate node origin AS number, if available.
.RE
.TP 4 4
.BI \-M "\| modes\^"
Supported modes are:
.PP
.RS
.TP 15
.B correct
Attempt to correct the direction of flows by also searching the reverse
flow key, if a match isn't found in the cache.  This mode is on by default
when using the default full 5-tuple flow key definitions.
.TP
.B nocorrect
Turn off flow correction for direction.  This mode is used by default
if the flow key has been changed.
.TP
.B preserve
Preserve fields when aggregating matching flow data.
.TP
.B nopreserve
Do not preserve fields when aggregating matching flow data.
.TP
.B norep
Do not generate an aggregate statistic for each flow.  This is used
primarily when the output represents a single object.  Primarily used
when merging status records to generate single flows that represent
single transactions.
.TP
.B rmon
Generate data suitable for producing RMON types of metrics.
.TP
.B nocurses
Do not use the curses interface to present data. This option is
primarily used when debugging ratop, to get around the issues
of screen manipulation within a debugger like gdb or lldb.
.PD
.RE
.SH DISPLAY
The first several lines of the
.B ratop
display show global state. The top line shows how ratop is running,
with the list of command line options that are in effect.  In the upper
right corner is the current time.  The next line is the column title
line, that labels each column.  The bottom line is the command line,
where you will see and prepare ':' commands.  The line above the bottom
line is the status line, showing the number of flows that are in the
\fBratop\fP process queue, display queue, the total number of flows read,
the rate of flow records read, and the current status, whether it is Active,
reading records, or Idle, when all input is complete.  This line can be
toggled on or off using ^G.

Flow caches are displayed one per row and are sorted by total pkts,
by default.  \fBratop\fP sorting can be configured using the \fIrarc\fP
variable RA_SORT_ALGORITHMS, or by using the ":P" command.

\fBratop\fP supports 3 basic filters.  Like all other ra* programs, \fBratop\fP
sends its command line filter to its remote argus data sources, to limit the
load on the wire.  This is the "remote" filter.  \fBratop\fP also supports
a "local" filter, applied to flow records as they are read; it is normally used
when the remote argus data source does not support the syntax of the specific
filter.  Finally, \fBratop\fP supports a "display" filter, used to select
which flow records are displayed.  This filter has no effect on the internal
flow caches that \fBratop\fP maintains, so you can change the "display"
filter at any time and see the current state of the other flows.

.SH COLOR
\fBratop\fP supports color which is configured using the rarc file.
The RA_COLOR_CONFIG file is a fall through specification of flow
filters and field color definitions.  For flows that match a filter,
specific fields in the row will be painted the configured color.
Because the filter specification supports the " cont " directive,
a single row can be painted by any number of color definitions.

When color is enabled, \fBratop\fP will attempt to color IP addresses
to indicate the local host address and the local network.  This is
very helpful in mobile host installations, where you may not know
what IP address has been assigned to the local host.  \fBratop\fP also supports
coloring local addresses based on the RA_LOCAL rarc variable.

See racolor.conf.5.
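The following rarc fragment is an added example, not a file shipped with argus-clients; it gathers the rarc variables this page names into one place.  The configuration path, the 10.0.0.0/8 network, and the CIDR form of the RA_LOCAL value are assumptions made for illustration; check rarc(5) for the exact value syntax your version accepts.

```conf
# Added example rarc fragment (not from the argus-clients distribution).

# Sort displayed flow caches by bytes, then packets, instead of the
# default total-packets key (same effect as the ":P" command).
RA_SORT_ALGORITHMS="bytes pkts"

# Fall-through list of flow filters and field colors, see racolor.conf(5).
# Path is an assumption.
RA_COLOR_CONFIG="/etc/argus/racolor.conf"

# Addresses to paint as "local".  The CIDR value form is an assumption.
RA_LOCAL="10.0.0.0/8"

# Label flows with user, pid and process name from argus-lsof events
# (ARGUS EVENTS, below).  yes/no form is an assumption.
RA_CORRELATE_EVENTS=yes
```

Point ratop at the fragment with the ra option -F, or place the lines in the per-user .rarc so every ra* client picks them up.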


.SH ARGUS EVENTS
Introduced in argus-3.0.8, \fBratop\fP supports correlating specific
ARGUS_EVENT data with flow data, which can be turned on through the use
of the RA_CORRELATE_EVENTS rarc variable.  \fBratop\fP will process
argus-lsof event data generated by host-borne argi, and label flow
data with user, pid and process name metadata.  Although still labeled
experimental, it is production-level functionality, and can be used with
other ra* programs to enhance flow data with host OS process information.
See the argus-3.0.8 documentation on ARGUS_EVENTS.


.SH EXAMPLES
.TP
ratop -r argus.file -s rank stime dur:14 saddr daddr proto pkts bytes

Read the file argus.file, and display the resulting aggregated and sorted
list of flow records, using the default sorting method and the listed
columns (dur:14 sets the duration column width to 14 characters).

.TP
ratop -S localhost
Run ratop as a live display of realtime flow traffic.
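The script below is an added example, not code from the argus-clients sources or this man page.  It shows how the ratop-specific -m and -M options, the -s column list and the terminating filter expression compose on a single command line, for either a file or a live source.  The file name, collector host, and the filter expression "tcp and dst port 443" are assumptions for illustration.

```shell
#!/bin/sh
# Added example; not code from the argus-clients sources or the ratop man page.
# Composes a "which /24 networks talk to which services" ratop view.

ARGUS_FILE=${ARGUS_FILE:-argus.file}   # assumed input file for -r
COLLECTOR=${COLLECTOR:-localhost}      # assumed argus collector for -S
RATOP_DRY_RUN=${RATOP_DRY_RUN:-0}      # 1: print the argument vector instead of running

# Usage: ratop_net_view -r file    or    ratop_net_view -S host
# The source option(s) come first; the fixed view options follow:
#   -m saddr/24 daddr/24 proto dport  aggregate by /24 pair, protocol, dst port
#   -M correct                        a changed flow key defaults to nocorrect
#                                     (see -M above), so re-enable it explicitly
#   -s ...                            columns to display; dur:14 sets a width
#   -- tcp and dst port 443           remote filter (assumed expression); it is
#                                     sent to the source when reading live
ratop_net_view() {
    set -- "$@" \
        -m saddr/24 daddr/24 proto dport \
        -M correct \
        -s rank stime dur:14 saddr daddr proto dport pkts bytes \
        -- tcp and dst port 443
    if [ "$RATOP_DRY_RUN" = 1 ] || ! command -v ratop >/dev/null 2>&1; then
        # Dry run, or ratop not installed: show the argument vector, one per line.
        printf '%s\n' "$@"
        return 0
    fi
    ratop "$@"
}

# Same view over a file and over a live stream; uncomment to run interactively.
# ratop_net_view -r "$ARGUS_FILE"
# ratop_net_view -S "$COLLECTOR"
```

Because options are processed left to right and later ones win, any option a caller wants to override has to appear after the fixed ones but before "--": everything after "--" is the filter expression, not an option.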

.ss 12
.cs B
.ft
.fi
.br
.SH COPYRIGHT
Copyright (c) 2000-2024 QoSient. All rights reserved.
.SH AUTHORS
.nf
Carter Bullard (carter@qosient.com).
.fi

.SH SEE ALSO
rarc(5)
racluster(1)
racluster.conf(5)
readline(3)