More Questions

Mark Poepping poepping at cmu.edu
Wed Mar 24 10:28:55 EST 1999 

As I recall, the time-span feature will report any flow that
intersects with the specified time.  So if you log in in the
morning and log out at 7pm, both of the reports will show the
same flow..

I'm not sure what question you're trying to answer, but when
we added the time-logic, it was primarily in order to see what
was active at any particular time.

mark.


> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Carter Bullard
> Sent: Wednesday, March 24, 1999 9:55 AM
> To: 'Kevin C Miller'; argus at lists.andrew.cmu.edu
> Subject: RE: More Questions
> 
> 
> Hey Kevin,
>    Hmmm, I'm somewhat confused by your example.  With the
> two queries, you appear to be getting the exact same record
> matching.  Is this the case, or did you cut/copy/paste
> incorrectly?
> 
> Carter
> 
> -----Original Message-----
> From: Kevin C Miller [mailto:kevinm+ at andrew.cmu.edu]
> Sent: Tuesday, March 23, 1999 6:29 PM
> To: argus at lists.andrew.cmu.edu
> Subject: More Questions
> 
> 
> I have another question regarding date/time. I've been collecting stats
> on a low-bandwidth net for awhile and am just starting to play with the
> data. Yesterday we had a connection which first appears here:
> 
> rymon.net.cmu.edu# ra -r /home/argus/logs/lister.log.19990322 -c -n -t
> 03/22/99.8:35-03/22/99.8:40
> 
> [snip]
> Mon 03/22 08:39:32 *    tcp      128.2.6.64.33594  ->       128.2.6.2.22
>    15929  16572   2063955   3828550  CLO
> ---
> So apparently this is a 'normal' SSH connection except that there were
> packet retransmissions.
> 
> This is the first five minute period I see this, however I continue
> seeing it listed throughout the day, until the 18:25-18:30 period.
> 
> rymon.net.cmu.edu# ra -r /home/argus/logs/lister.log.19990322 -c -n -t
> 03/22/99.18:20-03/22/99.18:25
> 
> [snip]
> Mon 03/22 08:39:32 *    tcp      128.2.6.64.33594  ->       128.2.6.2.22
>    15929  16572   2063955   3828550  CLO
> 
> ---
> 
> So, does this indicate that packets from this transmission were being
> re-transmitted throughout the day?
> 
> Related Question: Is there any functionality at present to apply the
> time specified by -t only to the beginning of transactions? I would like
> to count transactions only once, and this seems like an appropriate way.
> If it isn't possible with the current release, I'll look into adding an
> option to do this.
> 
> Kevin
> 
> 
> 
> ====================================================================
> Kevin C. Miller   -   Carnegie Mellon University   -       Sophomore
> kevinm at abtech.org -   School of Computer Science   -    412-862-3487
> --------------------------------------------------------------------
>

More information about the argus mailing list