NAME¶

rahisto - print histogram of metrics from argus(8) data.

SYNOPSIS¶

rahisto [-M histomode] -H bin[L]:range|size ... [raoptions] [-- filter-expression]

DESCRIPTION¶

Rahisto reads argus data from an argus-data source, sorts the records based on the criteria specified on the command line, and outputs a valid argus-stream.

OPTIONS¶

Rahisto, like all ra based clients, supports a number of ra options including filtering of input argus records through a terminating filter expression. See ra(1) for a complete description of ra options. rahisto(1) specific options are:

-M nozero: Don't print bins that have zero frequencies.
-M outlayer: Print accumulated stats for outlayer values, i.e. the values that are outside the histogram range.
-M perflow: Generate multiple histograms. One histogram for each -H option will be generated each flow discovered. The flow model is specified with the -m option. See the racluster(1) man page for aggregatable objects. Note that no aggregation takes place as a result of the -m option; this is used only to classify flow records.
-m aggregation object: Supported aggregation objects are listed in the racluster(1) man page.
-H [abs] metric bin[L]:range | size: Specify histogram options, metric, number of bins, whether to use logorithmic scales, and either a range specification to indicate start and stop times, or just the size of each bin. The optional 'abs' indicates that rahisto should use absolute values for the metric. More than one -H option can be supplied. One histogram per metric will be calculated for the same input data.
Rahisto supports 112 argus metrics, which include most of the metrics: that can be printed. See ra.1 for metric fields that are supported by the ra* programs. The common metrics include:

dur: record total duration.
avgdur: record average duration.
proto: transaction protocol.
sport: source port number.
dport: destination port number.
stos: source TOS byte value.
dtos: destination TOS byte value.
sttl: src -> dst TTL value.
dttl: dst -> src TTL value.
[s|d]bytes: [src | dst] transaction bytes.
[s|d]appbytes: [src | dst] application bytes.
[s|d]pkts: [src | dst] packet count.
[s|d]meansz: [src | dst] mean packet size.
[s|d]load: packets per second.
[s|d]loss: pkts retransmitted or dropped.
[s|d]ploss: percent pkts retransmitted or dropped.
[s|d]rate: bits per second.

INVOCATION¶

A sample invocation of rahisto(1). This call reads argus(8) data from inputfile and generates a frequency distribution histogram for the transaction duration for HTTP traffic.

% rahisto -H dur 10 -r ~/argus/data/argus*out.gz - port http


 N = 194     mean = 15.928685  stddev = 23.728876  max = 81.354462  min = 0.008055


           median =  0.079948     95% = 59.208977


 Class     Interval         Freq    Rel.Freq     Cum.Freq    


     1   0.000000e+00        123    63.4021%     63.4021%    


     2   8.200000e+00          7     3.6082%     67.0103%    


     3   1.640000e+01         13     6.7010%     73.7113%    


     4   2.460000e+01          9     4.6392%     78.3505%    


     5   3.280000e+01          0     0.0000%     78.3505%    


     6   4.100000e+01          0     0.0000%     78.3505%    


     7   4.920000e+01          6     3.0928%     81.4433%    


     8   5.740000e+01         35    18.0412%     99.4845%    


     9   6.560000e+01          0     0.0000%     99.4845%    


    10   7.380000e+01          1     0.5155%    100.0000%

A sample invocation where the call reads argus(8) data from inputfile and generates a frequency distribution histogram for the round-trip time of arp volleys in argus(8) data.

% rahisto -H dur 10:0-75u  -R /Vol*/Data/Archive/split/*68/2012/0[23] - arp and dur gt 0


 N = 360     mean = 0.000028  stddev = 0.000007  max = 0.000066  min = 0.000014


           median = 0.000031     95% = 0.000028


             mode = 0.000026


 Class     Interval         Freq    Rel.Freq     Cum.Freq    


     1   0.000000e+00          0     0.0000%      0.0000%    


     2   7.500000e-06          2     0.5556%      0.5556%    


     3   1.500000e-05         63    17.5000%     18.0556%    


     4   2.250000e-05        188    52.2222%     70.2778%    


     5   3.000000e-05         71    19.7222%     90.0000%    


     6   3.750000e-05         23     6.3889%     96.3889%    


     7   4.500000e-05         10     2.7778%     99.1667%    


     8   5.250000e-05          2     0.5556%     99.7222%    


     9   6.000000e-05          1     0.2778%    100.0000%    


    10   6.750000e-05          0     0.0000%    100.0000%

COPYRIGHT¶

AUTHORS¶

Carter Bullard (carter@qosient.com).

BUGS¶

19 September 2023

rahisto 5.0.3

Source file:	rahisto.1.en.gz (from argus-client 1:5.0.2+git20250321.41f65e2-2)
Source last updated:	2025-04-23T19:54:12Z
Converted to HTML:	2025-08-16T15:29:30Z