Ethernet splitters

Carter Bullard cbullard at
Wed Aug 4 09:59:52 EDT 1999

Hey Peter,
Two things.  First, as you noticed, the number of packets
received by Argus and the racount packet counts
indicate that Argus is not reporting a few packets.
These are mostly ICMP packets that are in the "missing"
category.  I'm working on this one.

Second, Argus is not trying to report accurate
total datagram bytes.  We report on payload bytes for
TCP, UDP and generic IP flows, so no ethernet header
bytes, or IP header bytes in these reports, and we do
not report any packet bytes for ICMP flows, as we are
overloading the data fields trying to get the source and
ICMP indications in the limited size we have for Argus

So, if Cisco routers are reporting total bytes on the link,
then we've got 14 bytes of ethernet header, 20 bytes of IP header
and TCP (20), UDP (8) and generic IP flows (0), gives us
an average overhead correction between 32 and 54 bytes/packet.
The minimum ICMP packet payload is 28 bytes, so depending on
the traffic mix, your missing 2.5 gig is not bad.

A formula like this gives us (assuming ethernet headers were
included in the Cisco report, and no IP options):

  minimum missing bytes = 46734458 (total pkts) *
                  ((14 ethernet + 20 IP header) +
                   (%ICMP*28 + %TCP*20 + %UDP*8 + %IP*0))

with a traffic mix like 5% ICMP, 90% TCP and 5% UDP gives:
  minimum missing bytes = 46734458 * ((34) + 19.80)
                        = 2514313840.40

which is not too bad.  I'm sure if we had real percentages then
we would be able to get a better estimate.

Hope this helps,


-----Original Message-----
From: Peter Van Epp [mailto:vanepp at]
Sent: Tuesday, August 03, 1999 4:18 PM
To: Carter Bullard
Subject: Re: Ethernet splitters

	That works better and leaves a puzzle. racount thinks it saw some
2.7 gigs of data

% argus_bpf -r tcpdump.log -w - | racount -c -n | more

46734458 packets recv'd by filter
0 packets dropped by kernel
racount: totrcds        1622237 rcds    1622235 pkts     46609022       bytes   

when the Cisco thinks it delivered around 5.2 gigs total in bytes for around
the same number of packets. It is possible that the Cisco is counting preamble
bits as well as an indication of real traffic on the wire which would likely
explain the byte count difference (or it may be the Cisco includes headers and
racount is counting payload?).

     23049837 packets input, 2055889410 bytes, 0 no buffer
     23658065 packets output,   bytes, 0 underruns

	Now to figure out why perl thinks it sees some 15 gigs of data from 
the ra output of the same file:

15,615,365,571 all machines

	A quick check (unless I screwed the test up) didn't show any cases 
where the reported byte count wouldn't fit in the number of 1500 byte 
packets ra reported (which in 1.7 used to be how I found bogus counts) so I
guess I'll have to do something else.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
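As an added worked example (not part of this thread or of Argus), the overhead-correction formula from Carter's reply above in Python, so the 5%/90%/5% case can be checked and the same correction applied to other mixes. It assumes a 14-byte Ethernet header, no IP options and no VLAN tags, and uses the rounded 2.7 GB (racount) and 5.2 GB (Cisco) figures from Peter's mail as sample inputs.

```python
# Added example, not code from the Argus project or the mailing list.
# Reconciles Argus/racount payload-byte totals with a router's interface
# byte counters using the per-packet overheads given in the thread.
# Assumptions: 14-byte Ethernet header, 20-byte IP header (no options),
# no VLAN tags.
ETHERNET_HDR = 14
IP_HDR = 20

# Bytes per packet that Argus leaves out of its byte count on top of the
# Ethernet and IP headers, by flow type (TCP/UDP header, ICMP not counted at all).
L4_OVERHEAD = {"icmp": 28, "tcp": 20, "udp": 8, "ip": 0}


def per_packet_overhead(mix):
    """Average bytes/packet missing from the Argus count for a traffic mix
    given as fractions, e.g. {"tcp": 0.90, "udp": 0.05, "icmp": 0.05}."""
    if abs(sum(mix.values()) - 1.0) > 1e-9:
        raise ValueError("traffic mix fractions must sum to 1")
    unknown = set(mix) - set(L4_OVERHEAD)
    if unknown:
        raise ValueError("unknown flow types: %s" % sorted(unknown))
    weighted = sum(frac * L4_OVERHEAD[proto] for proto, frac in mix.items())
    return ETHERNET_HDR + IP_HDR + weighted


def minimum_missing_bytes(total_pkts, mix):
    """Carter's estimate: total packets * (34 + mix-weighted L4 overhead)."""
    return total_pkts * per_packet_overhead(mix)


def reconcile(total_pkts, argus_bytes, router_bytes, mix):
    """Return (estimated link bytes, unexplained residual, residual per packet).

    A residual near zero means the router/Argus gap is explained by headers;
    a large positive residual points at something else (preamble, drops, VLAN
    tags, IP options) that the simple header model does not cover."""
    estimated = argus_bytes + minimum_missing_bytes(total_pkts, mix)
    residual = router_bytes - estimated
    return estimated, residual, residual / total_pkts


if __name__ == "__main__":
    # Sample inputs taken (rounded) from the thread: 46,734,458 packets,
    # ~2.7 GB seen by racount, ~5.2 GB reported by the Cisco.
    mix = {"icmp": 0.05, "tcp": 0.90, "udp": 0.05}
    print("missing bytes estimate: %.1f" % minimum_missing_bytes(46734458, mix))
    est, resid, per_pkt = reconcile(46734458, 2.7e9, 5.2e9, mix)
    print("estimated link bytes %.0f, residual %.0f (%.1f bytes/pkt)"
          % (est, resid, per_pkt))
```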
