Ethernet splitters
Russell Fulton
r.fulton at auckland.ac.nz
Wed Aug 4 17:17:09 EDT 1999
On Wed, 4 Aug 1999 09:59:52 -0400 Carter Bullard
<cbullard at nortelnetworks.com> wrote:
>
> So, if Cisco routers are reporting total bytes on the link,
> then we've got 14 bytes of ethernet header, 20 bytes of IP header
> and TCP (20), UDP (8) and generic IP flows (0), gives us
> an average overhead correction between 32-54 bytes/packet.
> The minimum ICMP packet payload is 28 bytes, so depending on
> the traffic mix, your missing 2.5 gig is not bad.
>
>From memory, CISCO accounting reports all IP bytes but not any link
framing bytes. i.e. tcp/ip headers are included but
ethernet/fiddi/whatever overheads are not. We went through this whit
NeTraMet.
Hmmmm.... Peter, if you are interested in counting bytes accurately
then you can run Netramet of the same machine as you run argus.
(assuming there are enough cpu cycles) I run Netramet and argus on a
75MHz pentium monitoring our DMZ which has packet rates of around
1200-1500pps during the day. CPU stays around 10% except when I am
compressing agrus file.
more info on NeTraMet at
ftp://ftp.auckland.ac.nz/pub/iawg/NeTraMet/
The main advantage of Netramet is that you can do alot of data
reduction on the meter.
Cheers, Russell.
Russell Fulton,
More information about the argus
mailing list