Ethernet splitters
Peter Van Epp
vanepp at sfu.ca
Wed Aug 4 19:45:25 EDT 1999
Netramet is probably a good bet because I currently have an identical
pair of 450 meg P2s (intended eventually to be one for each OC3 card). I'm
currently poking at why my perl script that parses ra output reports about 15
gigs of data when the Cisco only sees 5 gigs and racount only sees about 2.5
gigs (all from the same tcpdump file). I just ran a perl script through the
tcpdump file to accumulate length counts for IP pairs so I can compare to the
argus output and maybe find the problem (which may be my perl script).

Because my DMZ is OC3 (and possibly soon Gigether) I'd prefer to be
able to grab somewhat accurate counts from argus. I'm more interested in lab
PCs with a higher data rate than the campus web or news servers (because it
usually indicates a rogue warez or mp3 site on one of our machines).

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
>
>
> On Wed, 4 Aug 1999 09:59:52 -0400 Carter Bullard
> <cbullard at nortelnetworks.com> wrote:
>
> >
> > So, if Cisco routers are reporting total bytes on the link,
> > then we've got 14 bytes of ethernet header, 20 bytes of IP header
> > and TCP (20), UDP (8) and generic IP flows (0), gives us
> > an average overhead correction between 32-54 bytes/packet.
> > The minimum ICMP packet payload is 28 bytes, so depending on
> > the traffic mix, your missing 2.5 gig is not bad.
> >
>
> From memory, Cisco accounting reports all IP bytes but not any link
> framing bytes, i.e. tcp/ip headers are included but
> ethernet/FDDI/whatever overheads are not. We went through this with
> NeTraMet.
>
> Hmmmm.... Peter, if you are interested in counting bytes accurately
> then you can run Netramet on the same machine as you run argus.
> (assuming there are enough cpu cycles) I run Netramet and argus on a
> 75MHz pentium monitoring our DMZ which has packet rates of around
> 1200-1500pps during the day. CPU stays around 10% except when I am
> compressing argus files.
>
> more info on NeTraMet at
>
> ftp://ftp.auckland.ac.nz/pub/iawg/NeTraMet/
>
> The main advantage of Netramet is that you can do a lot of data
> reduction on the meter.
>
> Cheers, Russell.
>
> Russell Fulton,
>
>
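The counting conventions discussed in this thread, as an added example that is not part of the original messages: the same packets are totalled per IP pair as link bytes (Ethernet header included), IP bytes (link framing excluded) and payload bytes, so counters from different tools can be compared like for like. The packet records are constructed, the function names are hypothetical, and headers are assumed to carry no options, with Ethernet padding and FCS ignored.

```python
from collections import defaultdict

ETH_HDR = 14                     # Ethernet header, as quoted in the thread
IP_HDR = 20                      # IPv4 header, no options (assumption)
L4_HDR = {"tcp": 20, "udp": 8}   # no options; other IP protocols count as 0

# Constructed sample packets: (src, dst, proto, IP total length in bytes).
PACKETS = [
    ("10.0.0.5", "192.0.2.9", "tcp", 1500),   # full-size data segment
    ("10.0.0.5", "192.0.2.9", "tcp", 40),     # bare ACK, no payload
    ("192.0.2.53", "10.0.0.7", "udp", 76),
    ("10.0.0.7", "192.0.2.1", "icmp", 84),
]

def account(packets):
    """Accumulate per-IP-pair counts under three byte-counting conventions."""
    totals = defaultdict(lambda: {"pkts": 0, "link": 0, "ip": 0, "payload": 0})
    for src, dst, proto, ip_len in packets:
        t = totals[tuple(sorted((src, dst)))]   # direction-independent key
        t["pkts"] += 1
        t["link"] += ip_len + ETH_HDR           # bytes on the wire (no padding/FCS)
        t["ip"] += ip_len                       # IP bytes, link framing excluded
        t["payload"] += max(ip_len - IP_HDR - L4_HDR.get(proto, 0), 0)
    return dict(totals)

def grand_total(totals):
    """Sum every counter across all IP pairs."""
    out = {"pkts": 0, "link": 0, "ip": 0, "payload": 0}
    for t in totals.values():
        for k in out:
            out[k] += t[k]
    return out

def overhead_per_packet(total):
    """Average header bytes per packet separating link and payload counts."""
    if not total["pkts"]:
        return 0.0
    return (total["link"] - total["payload"]) / total["pkts"]

if __name__ == "__main__":
    per_pair = account(PACKETS)
    for pair, t in sorted(per_pair.items()):
        print(pair, t)
    total = grand_total(per_pair)
    print("total", total, "avg overhead/pkt", overhead_per_packet(total))
```

Comparing the three totals for one capture shows how much of a gap between two tools is explained by header accounting alone before suspecting the parsing script.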