Stats from argus logs

John A. Lauro jlauro at umich.edu
Thu Nov 2 16:00:42 EST 2000 

> We run both argus and Netramet.  We use Netramet for doing accounting
> down to individual IP.  (You could do this fairly efficently now with
> argus-2.0 and ragator (which incorporates many features of Netramet),
> once Carter has done the doc ;-) We also use Netramet for collecting
> traffic rate stats such as distributions of bitrates for flows (based
> on 10 second samples) -- something else that is only sparsely
> documented.

Ok, it sounds like argus-2.0 and ragator will do what I want in the
future (now?).  At least for now there is mainly just one place I
need to monitor that requires any data beyond simple packet and byte
count... It would be interesting to run Netramet on my backbone switch
with all it's layer 3 gigabit interfaces, but that will have to wait
till the next generation of switches/routers....

> Have a look at http://kaka.itss.auckland.ac.nz:999 the current plots
> (last couple of days) are broken but the ones from earlier in the week
> are OK.

FYI...  Todays and yesterdays aren't working, but I was able to have
a look at the weekly plots...


> Netramets strength lie in its ability to do the data reduction on the
> meter thus reducing the amount of data you need to drag back over the
> network.
>
> If I were starting from scratch now building a monitoring system for a
> single network I would probably just go for Argus 2.0 and ragator.

Ok, sounds good.  Where do I get Argus 2.0 and ragator?  1.8.1 seems
to be the latest on the ftp sites?  Is there a web home page for
Argus? Are the log files compatible between 1.8.1 and 2.0?


> Where Netramet comes into its own is where you want to monitor a
> geographically dispersed network.  At one stage I was part of a team
> that managed the Kawaihiko network (The NZ Universities portion of the
> Internet).  Sites were billed by a complicated system of bandwidth
> measurement based on 5 minute samples taken by meters at each site
> (if you are interesed in the details see the article by Nevil and me in
> Aug 2000 issue of IEEE Communications Magazine page 162).  I had meters
> at ever site with ran identical rule sets that defined flows between
> each site which were read by a process on my workstation.

Down the road I do have an application where the more distributed
nature of Netramet might be useful.  However, short-mid term I would
like to just stuff my current argus logs in something (ragator?) that
can combine the flows the way I want them summarized...

> Netramet is also useful for very high bandwidth conenctions where
> keeping argus style audit records is either unmanagable or unnecessary.
> There are several sites running netramet on OC3 (Janet UK) and one at
> OC12 (NASA). Nevil is currently experimenting with OC48 using special
> ATM card.

Hmmm...  wonder what kind of CPU you would need for port mirroring a
group of gigabit ports... The switch would drop some packets under
high load to the mirroed port, so it wouldn't be good for auditlogs,
but I assume the ratios for traffic patterns would probably stay
close....  I guess I don't need to worry about that until any of the
gigabit ports start running near capacity on a regular basis without
knowing why....

I assume we are not alone in being more concerned with external
traffic then local traffic...  It seems strange to me how it costs
more for the yearly ongoing costs of a few T1s going off site then the
one time costs for a router with several gigabit ports and serveral
layer 2 gigabit switches togo with it...

---------------------------------------------------------------------------
John Lauro                          email: jlauro at flint.umich.edu
University of Michigan - Flint             jlauro at umich.edu
Information Technology Services
303 E. Kearsley St.                 phone: (810) 762-3123
Flint, MI  48502                      fax: (810) 766-6805

More information about the argus mailing list