cbullard at nortelnetworks.com
Wed Aug 4 09:59:52 EDT 1999
Two things. First, as you notice, the number of packets
received by Argus and the racount packet counts
indicate that Argus is not reporting a few packets.
These are mostly ICMP packets that are in the "missing"
category. I'm working on this one.
Second, Argus is not trying to report accurate
total datagram bytes. We report on payload bytes for
TCP, UDP and generic IP flows, so no ethernet header
bytes, or IP header bytes in these reports, and we do
not report any packet bytes for ICMP flows, as we are
overloading the data fields trying to get the source and
ICMP indications in the limited size we have for Argus.
So, if Cisco routers are reporting total bytes on the link,
then we've got 14 bytes of ethernet header, 20 bytes of IP header
and TCP (20), UDP (8) and generic IP flows (0), gives us
an average overhead correction between 32-54 bytes/packet.
The minimum ICMP packet payload is 28 bytes, so depending on
the traffic mix, your missing 2.5 gig is not bad.
A formula like this gives us (assuming ethernet headers were
included in the Cisco report, and no IP options):
minimum missing bytes = 46734458 (total pkts) *
((14 ethernet + 20 IP header) +
(%ICMP*28 + %TCP*20 + %UDP*8 + %IP*0))
with a traffic mix like 5% ICMP, 90% TCP and 5% UDP gives:
minimum missing bytes = 46734458 * ((34) + 19.80)
which is not too bad. I'm sure if we had real percentages then
we would be able to get a better estimate.
Hope this helps,
From: Peter Van Epp [mailto:vanepp at sfu.ca]
Sent: Tuesday, August 03, 1999 4:18 PM
To: Carter Bullard
Subject: Re: Ethernet splitters
That works better and leaves a puzzle. racount thinks it saw some
2.7 gigs of data
% argus_bpf -r tcpdump.log -w - | racount -c -n | more
46734458 packets recv'd by filter
0 packets dropped by kernel
racount: totrcds 1622237 rcds 1622235 pkts 46609022 bytes
when the Cisco thinks it delivered around 5.2 gigs total in bytes for around
the same number of packets. It is possible that the Cisco is counting preamble
bits as well as an indication of real traffic on the wire which would likely
explain the byte count difference (or it may be the Cisco includes headers and
racount is counting payload?).
23049837 packets input, 2055889410 bytes, 0 no buffer
23658065 packets output, bytes, 0 underruns
Now to figure out why perl thinks it sees some 15 gigs of data from
the ra output of the same file:
15,615,365,571 all machines
A quick check (unless I screwed the test up) didn't show any cases
where the reported byte count wouldn't fit in the number of 1500 byte
packets ra reported (which in 1.7 used to be how I found bogus counts) so I
guess I'll have to do something else.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
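The header-overhead estimate from the reply above, worked through in code as an added example (not part of the original message or of Argus itself). The per-protocol figures (14-byte ethernet header, 20-byte IP header, 20/8/0 bytes for TCP/UDP/generic IP, and 28 bytes for an ICMP flow that Argus reports with no byte count) and the 5/90/5 traffic mix are taken from the message; the function names, the mix-validation check and the rounded 5.2 GB / 2.7 GB figures used in the residual check are assumptions of this example.

```python
# Estimate of the byte gap between a link-level counter (router interface) and a
# payload-only flow counter (the Argus/racount figure in the thread).
# Added example, not code from the original message or from Argus.

ETHERNET_HEADER = 14     # bytes, ethernet header without preamble or FCS
IP_HEADER = 20           # bytes, IPv4 header with no options (assumed, as in the message)

# Bytes per packet that payload-only accounting drops beyond the IP header.
# ICMP is special: Argus reports no bytes at all for ICMP flows, so the whole
# minimum ICMP datagram (28 bytes) goes missing, not just a transport header.
L4_OVERHEAD = {"icmp": 28, "tcp": 20, "udp": 8, "ip": 0}


def missing_bytes_per_packet(mix, include_ethernet=True):
    """Average bytes per packet absent from payload-only totals for a traffic mix.

    mix maps protocol name -> fraction of packets; fractions must sum to 1.0.
    """
    if abs(sum(mix.values()) - 1.0) > 1e-9:
        raise ValueError("traffic mix fractions must sum to 1.0")
    unknown = set(mix) - set(L4_OVERHEAD)
    if unknown:
        raise ValueError(f"no overhead figure for {sorted(unknown)}")
    fixed = IP_HEADER + (ETHERNET_HEADER if include_ethernet else 0)
    weighted_l4 = sum(frac * L4_OVERHEAD[proto] for proto, frac in mix.items())
    return fixed + weighted_l4


def minimum_missing_bytes(total_pkts, mix, include_ethernet=True):
    """Lower bound on the link-vs-payload byte gap for total_pkts packets."""
    return total_pkts * missing_bytes_per_packet(mix, include_ethernet)


def unexplained_gap(link_bytes, payload_bytes, total_pkts, mix, include_ethernet=True):
    """Part of (link_bytes - payload_bytes) that header overhead alone does not explain.

    A large positive residual points at something other than headers (a counter
    that includes preamble or FCS, IP options, or a capture that missed packets);
    a negative residual means the assumed mix overstates the overhead.
    """
    gap = link_bytes - payload_bytes
    return gap - minimum_missing_bytes(total_pkts, mix, include_ethernet)


if __name__ == "__main__":
    pkts = 46734458                                   # packet count from the racount run
    mix = {"icmp": 0.05, "tcp": 0.90, "udp": 0.05}    # the 5/90/5 mix assumed in the message
    per_pkt = missing_bytes_per_packet(mix)
    est = minimum_missing_bytes(pkts, mix)
    print(f"{per_pkt:.2f} bytes/packet of header overhead")
    print(f"~{est / 1e9:.2f} GB unaccounted for by payload-only counters")
    # Constructed round figures: ~5.2 GB on the router vs ~2.7 GB from racount
    print(f"residual: {unexplained_gap(5.2e9, 2.7e9, pkts, mix) / 1e9:.3f} GB")
```

With the message's mix the per-packet overhead comes out at 53.8 bytes, which over 46734458 packets is roughly 2.5 GB, so the residual against the rounded router and racount totals is slightly negative: header overhead alone already covers the observed gap, and the remaining question is only the exact traffic mix.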