Flows for IP

Get the top 100 flows (sessions) seen in the past 6 hours for an IP address or host name

Code

Copy this code as flows_for_ip.rb


# Trisul Remote Protocol TRP Demo script
#
#
# Get top 100  flows in past 6 hours for a host
#
require 'rubygems' if RUBY_VERSION < '1.9'
require 'trisulrp'

include TrisulRP::Protocol
include TrisulRP::Guids

# Usage text for the two required positional arguments. It is the message
# raised when the script is started with the wrong argument count, so it
# begins with a newline to stand clear of the exception prefix.
def usage
  script = $0
  header  = "\nUsage   : ruby #{script} <zmq_endpoint> <ipaddress>"
  example = "\nExample : ruby #{script} ipc:///usr/local/var/lib/trisul-hub/domain0/hub0/context0/run/trp_0 192.168.1.8"
  [header, example].join
end

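# How far back from the newest available data to query. The header comment
# promises "past 6 hours"; this is the single place to widen or narrow that.
LOOKBACK_SECONDS = 6 * 3600

# Exactly two positional arguments are required: the ZMQ endpoint of the
# hub's TRP socket and the IP address / host name to look up. Anything else
# is a usage error, surfaced as an ArgumentError carrying the usage text.
raise ArgumentError, usage if ARGV.length != 2

# ZMQ endpoint, e.g. ipc:///.../run/trp_0; handed straight to TrisulRP.
conn = ARGV.shift

# The user wants the flows for this IP address or host name. It is wrapped
# as an opaque key label; no format check is done here because host names
# are accepted as well as dotted IP addresses.
target_ip   = ARGV.shift
target_keyt = TRP::KeyT.new({:label => target_ip})

# Ask the hub which time range it holds data for; tmarr is [from_time, to_time].
tmarr = TrisulRP::Protocol.get_available_time(conn)

# Narrow the window to the most recent LOOKBACK_SECONDS, ending at the
# newest available time. (Whether the hub also clips a start time that lies
# before its earliest data is not visible here -- confirm against TRP docs.)
tmarr[0] = tmarr[1] - LOOKBACK_SECONDS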


# send request for sessions for key
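# Remove anything a terminal would interpret rather than display.
#
# The key labels and tags printed below are reconstructed by the hub from
# observed traffic (host names, ports, service names -- see the sample
# output), so a remote party can influence their contents. An embedded
# escape sequence in a host name could otherwise rewrite or hide columns on
# the operator's screen, so every control character (including ESC and the
# C1 range) is dropped. Invalid byte sequences are replaced first where the
# Ruby version supports it, because gsub raises on them.
def terminal_safe(value)
  text = value.to_s
  text = text.scrub('?') if text.respond_to?(:scrub)
  text.gsub(/[[:cntrl:]]/, '')
end

# Request the sessions inside the time window that involve target_keyt.
# (:any_ip presumably matches the key on either end of the flow; confirm
# against the TRP protocol documentation.)
req = TrisulRP::Protocol.mk_request(TRP::Message::Command::QUERY_SESSIONS_REQUEST,
            :any_ip => target_keyt,
            :time_interval => mk_time_interval(tmarr))

# Print one fixed-width line per session. No header row is emitted; the
# columns are, in order: session_id, start time, duration in seconds,
# key1A, key2A, key1Z, key2Z, az_bytes, za_bytes, az_payload, za_payload,
# setup_rtt, retransmissions, tags. Numeric fields are printed as-is; the
# free-text fields pass through terminal_safe.
TrisulRP::Protocol.get_response_zmq(conn, req) do |resp|
  resp.sessions.each do |sess|
    from_sec = sess.time_interval.from.tv_sec
    to_sec   = sess.time_interval.to.tv_sec
    print "#{sess.session_id} ".ljust(12)
    print "#{Time.at(from_sec)} ".ljust(26)
    print "#{to_sec - from_sec} ".rjust(8)
    print terminal_safe(sess.key1A.label).ljust(28)
    print terminal_safe(sess.key2A.label).ljust(11)
    print terminal_safe(sess.key1Z.label).ljust(28)
    print terminal_safe(sess.key2Z.label).ljust(11)
    print "#{sess.az_bytes}".rjust(10)
    print "#{sess.za_bytes}".rjust(10)
    print "#{sess.az_payload}".rjust(10)
    print "#{sess.za_payload}".rjust(10)
    print "#{sess.setup_rtt}".rjust(10)
    print "#{sess.retransmissions}".rjust(10)
    print terminal_safe(sess.tags).rjust(10)
    print "\n"
  end
end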

Usage


ruby flows_for_ip.rb ipc:///usr/local/var/lib/trisul-hub/domain0/hub0/context0/run/trp_0 192.168.1.8

Sample output (no header row is printed; the columns are session id, start time, duration in seconds, A-side key1/key2, Z-side key1/key2, az_bytes, za_bytes, az_payload, za_payload, setup_rtt, retransmissions, tags)



[vivek@localhost t3]$ ruby flows_for_ip.rb ipc:///usr/local/var/lib/trisul-hub/domain0/hub0/context0/run/trp_0 192.168.1.8

1.0.6090    2016-09-13 14:57:50 +0530       0 192.168.1.8                 40611      ocsp.verisign.com           http              914      2210       462      1828     15607         0          
1.0.6089    2016-09-13 14:57:51 +0530       2 192.168.1.8                 54275      si0.twimg.com               https             726      3699       328      3417     29674         0        US
1.0.6088    2016-09-13 14:57:51 +0530       3 192.168.1.8                 54277      si0.twimg.com               https            1148      3991       642      3655     74132         0          
1.0.6087    2016-09-13 14:57:50 +0530       5 192.168.1.8                 45574      mirrors.fedoraproject.org   https            2348     17111      1044     15783      3049         0        US