Argus-2.0 byte count strategy

Peter Van Epp vanepp at sfu.ca
Sun Oct 1 23:28:23 EDT 2000


> 
> Hey Peter,
>    So there is a signal issue and a byte count issue.
> Regarding the SIG_HUP, Argus-2.0 should handle this well,
> so we'll need to look into that.  It should flush all
> records that it is tracking.  I suspect that if you compiled
> in the debug support and ran it in debug mode -d2, you
> would see some different behavior (maybe?).  Use -d4 to
> see if it's writing out the record to the other processes.

	With both -d4 and -d6 it doesn't report anything when the data hits 
the interface (-d6 produces timeout records, but that's all):

argus_bpf -ixl0 -P0 -d4 -w t1
argus_bpf[15215]: 970456584.899406 ArgusCalloc (1, 8) returning 0x813c080
argus_bpf[15215]: 970456584.899406 ArgusNewList () returning 0x813c080
argus_bpf[15215]: 970456584.899406 ArgusCalloc (1, 8) returning 0x813c090
argus_bpf[15215]: 970456584.899406 ArgusCalloc (1, 12) returning 0x813c0b0
argus_bpf[15215]: 970456584.899406 ArgusOutputProcess[15216] created
argus_bpf[15216]: 970456584.899406 ArgusGenerateInitialMar() returning
argus_bpf[15215]: 970456584.899406 ArgusInitOutput() returning
argus_bpf[15216]: 970456584.899406 ArgusSendOutputData(5, 0x8079900) wrote 128 bytes returning
argus_bpf[15217]: 970456584.899406 ArgusInitClientProcess: created outfile t1
argus_bpf[15216]: 970456584.899406 ArgusSendInitialMar(5) returning
argus_bpf[15215]: 970456584.899406 ArgusCalloc (65536, 4) returning 0x813e000
argus_bpf[15217]: 970456584.899406 ArgusCalloc (1, 32) returning 0x813b060
argus_bpf[15216]: 970456584.899406 ArgusFree (0x813c090) returning
argus_bpf[15215]: 970456584.899406 ArgusCalloc (1, 32) returning 0x813b060
argus_bpf[15217]: 970456584.899406 ArgusCalloc (1, 8) returning 0x813c0c0
argus_bpf[15216]: 970456584.899406 ArgusFree (0x813c0b0) returning
argus_bpf[15215]: 970456584.899406 ArgusCalloc (1, 8) returning 0x813c0c0
argus_bpf[15217]: 970456584.899406 ArgusNewList () returning 0x813c0c0
argus_bpf[15216]: 970456584.899406 ArgusInitOutputProcess() returning
argus_bpf[15215]: 970456584.899406 ArgusNewList () returning 0x813c0c0
argus_bpf[15217]: 970456584.899406 ArgusNewSocket (6) returning 0x813b060
argus_bpf[15215]: 970456584.899406 ArgusNewSocket (3) returning 0x813b060
argus_bpf[15217]: 970456584.899406 ArgusInitClientProcess(0x813d008, t1) returning
argus_bpf[15215]: 970456584.899406 ArgusCalloc (1, 20) returning 0x813b080
argus_bpf[15217]: 970456584.906154 ArgusProcessOutputSocket: received start record
argus_bpf[15215]: 970456584.899406 ArgusCalloc (128, 4) returning 0x817e000
argus_bpf[15215]: 970456584.899406 ArgusNewQueue () returning 0x813b080
argus_bpf[15215]: 970456584.899406 ArgusInitModeler(): ArgusHashArray 0x813e000
argus_bpf[15215]: 970456584.899406 ArgusFree (0x813c060) returning
argus_bpf[15215]: 970456584.899406 ArgusFree (0x813c070) returning
argus_bpf[15215]: 970456584.899406 ArgusInitSource() returning
gets here on start (before any data sent)
tcpreplay sends data no output here
control c
^Cargus_bpf[15215]: 970456635.509550 ArgusFree (0x813c040) returning
argus_bpf[15215]: 970456635.509550 ArgusFree (0x813c050) returning
argus_bpf[15215]: 970456635.509550 ArgusDeleteList (0x813c050) returning
argus_bpf[15215]: 970456635.509550 ArgusDeleteSource() deleting ArgusSourceTask 0x813c040
argus_bpf[15215]: 970456635.509550 ArguGenerateClosingMar() returning
argus_bpf[15216]: 970456635.518902 ArgusOutputProcess: ArgusHandleData() final record
argus_bpf[15217]: 970456635.518980 ArgusProcessOutputSocket: received last record
argus_bpf[15217]: 970456635.518980 ArgusClientProcess(0x813d008, 0x813c0a0) exiting
argus_bpf[15215]: 970456635.509550 ArgusModelerCleanUp () returning
argus_bpf[15216]: 970456635.518902 ArgusOutputProcess() killing client 0 pid 15217
argus_bpf[15215]: 970456635.509550 ArgusFree (0x817e000) returning
argus_bpf[15216]: 970456635.518902 ArgusCloseSocket(0) returning
argus_bpf[15215]: 970456635.509550 ArgusFree (0x813b080) returning
argus_bpf[15216]: 970456635.518902 ArgusOutputProcess() exiting
argus_bpf[15215]: 970456635.509550 ArgusDeleteQueue (0x813b080) returning
argus_bpf[15215]: 970456635.509550 ArgusFree (0x813c030) returning
argus_bpf[15215]: 970456635.509550 ArgusFree (0x813e000) returning
argus_bpf[15215]: 970456635.509550 ArgusFree (0x813c0c0) returning
argus_bpf[15215]: 970456635.509550 ArgusDeleteList (0x813c0c0) returning
argus_bpf[15215]: 970456635.509550 ArgusFree (0x813b060) returning
argus_bpf[15215]: 970456635.509550 ArgusDeleteSocket (0x813b060) returning
argus_bpf[15215]: 970456635.509550 ArgusDeleteModeler() ArgusModeler 0x813c030, HashArray 0x813e000
argus_bpf[15215]: 970456635.509550 ArgusCloseClients() waiting for Output Task 15216
argus_bpf[15215]: 970456635.509550 ArgusCloseClients() returning
argus_bpf[15215]: 970456635.509550 ArgusFree (0x813d000) returning
argus_bpf[15215]: 970456635.509550 ArgusDeleteOutput() returning
argus_bpf[15215]: 970456635.509550 ArgusShutDown() ArgusCallocTotal 13 ArgusFreeTotal 11
demoa# ls -l t1
-rw-r--r--  1 root  unsupped  256 Oct  1 20:17 t1

argus_bpf -ixl0 -P0 -d6 -w t1
argus_bpf[15229]: 970456821.002220 ArgusCalloc (1, 8) returning 0x813c080
argus_bpf[15229]: 970456821.002220 ArgusNewList () returning 0x813c080
argus_bpf[15229]: 970456821.002220 ArgusCalloc (1, 8) returning 0x813c090
argus_bpf[15229]: 970456821.002220 ArgusCalloc (1, 12) returning 0x813c0b0
argus_bpf[15229]: 970456821.002220 ArgusPushFrontList (0x813c080, 0x813c090) returning 0x813c090
argus_bpf[15229]: 970456821.002220 ArgusOutputProcess[15230] created
argus_bpf[15230]: 970456821.002220 ArgusFrontList (0x813c080) returning 0x813c090
argus_bpf[15229]: 970456821.002220 ArgusInitOutput() returning
argus_bpf[15230]: 970456821.002220 ArgusGenerateInitialMar() returning
argus_bpf[15229]: 970456821.002220 ArgusCalloc (65536, 4) returning 0x813e000
argus_bpf[15230]: 970456821.002220 ArgusSendOutputData(5, 0x8079900) wrote 128 bytes returning
argus_bpf[15229]: 970456821.002220 ArgusCalloc (1, 32) returning 0x813b060
argus_bpf[15230]: 970456821.002220 ArgusSendInitialMar(5) returning
argus_bpf[15229]: 970456821.002220 ArgusCalloc (1, 8) returning 0x813c0c0
argus_bpf[15231]: 970456821.002220 ArgusInitClientProcess: created outfile t1
argus_bpf[15231]: 970456821.002220 ArgusCalloc (1, 32) returning 0x813b060
argus_bpf[15231]: 970456821.002220 ArgusCalloc (1, 8) returning 0x813c0c0
argus_bpf[15231]: 970456821.002220 ArgusNewList () returning 0x813c0c0
argus_bpf[15231]: 970456821.002220 ArgusNewSocket (6) returning 0x813b060
argus_bpf[15231]: 970456821.002220 ArgusInitClientProcess(0x813d008, t1) returning
argus_bpf[15231]: 970456821.008362 ArgusProcessOutputSocket: received start record
argus_bpf[15231]: 970456821.008362 ArgusWriteSocket (0x813b060, 0x80799a0, 128) returning 128
argus_bpf[15231]: 970456821.008362 ArgusClientProcess: ArgusWriteSocket returned 128
argus_bpf[15231]: 970456821.008362 ArgusProcessOutputSocket: returning 128
argus_bpf[15230]: 970456821.002220 ArgusFree (0x813c090) returning
argus_bpf[15230]: 970456821.002220 ArgusFree (0x813c0b0) returning
argus_bpf[15230]: 970456821.002220 ArgusPopFrontList (0x813c080) returning
argus_bpf[15230]: 970456821.002220 ArgusInitOutputProcess() returning
argus_bpf[15229]: 970456821.002220 ArgusNewList () returning 0x813c0c0
argus_bpf[15229]: 970456821.002220 ArgusNewSocket (3) returning 0x813b060
argus_bpf[15229]: 970456821.002220 ArgusCalloc (1, 20) returning 0x813b080
argus_bpf[15229]: 970456821.002220 ArgusCalloc (128, 4) returning 0x817e000
argus_bpf[15229]: 970456821.002220 ArgusNewQueue () returning 0x813b080
argus_bpf[15229]: 970456821.002220 ArgusInitModeler(): ArgusHashArray 0x813e000
argus_bpf[15229]: 970456821.002220 ArgusFrontList (0x813c050) returning 0x813c060
argus_bpf[15229]: 970456821.002220 ArgusFree (0x813c060) returning
argus_bpf[15229]: 970456821.002220 ArgusFree (0x813c070) returning
argus_bpf[15229]: 970456821.002220 ArgusPopFrontList (0x813c050) returning
argus_bpf[15229]: 970456821.002220 ArgusInitSource() returning
argus_bpf[15229]: 970456822.262366 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456822.262366 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456823.312396 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456823.312396 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456824.362403 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456824.362403 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456825.412414 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456825.412414 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456826.462427 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456826.462427 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456827.512454 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456827.512454 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456828.562479 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456828.562479 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456829.612497 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456829.612497 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456830.662516 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456830.662516 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456831.712513 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456831.712513 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456832.762529 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456832.762529 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456833.812544 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456833.812544 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456834.862575 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456834.862575 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456835.912571 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456835.912571 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456836.962617 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456836.962617 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456838.012606 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456838.012606 ArgusSystemTimeout () returning
argus_bpf[15229]: 970456839.062618 ArgusProcessQueue (0x813b080, 4) returning
argus_bpf[15229]: 970456839.062618 ArgusSystemTimeout () returning

in here tcpreplay spat out its packets then a control C. It doesn't seem to see
any packets from the flow of 9 packets.

^Cargus_bpf[15229]: 970456839.902648 ArgusFree (0x813c040) returning
argus_bpf[15229]: 970456839.902648 ArgusFree (0x813c050) returning
argus_bpf[15229]: 970456839.902648 ArgusDeleteList (0x813c050) returning
argus_bpf[15229]: 970456839.902648 ArgusDeleteSource() deleting ArgusSourceTask 0x813c040
argus_bpf[15229]: 970456839.902648 ArguGenerateClosingMar() returning
argus_bpf[15230]: 970456840.036803 ArgusOutputProcess: ArgusHandleData() final record
argus_bpf[15231]: 970456840.036883 ArgusProcessOutputSocket: received last record
argus_bpf[15231]: 970456840.036883 ArgusWriteSocket (0x813b060, 0x80799a0, 128) returning 128
argus_bpf[15231]: 970456840.036883 ArgusClientProcess: ArgusWriteSocket returned 128
argus_bpf[15231]: 970456840.036883 ArgusProcessOutputSocket: returning 128
argus_bpf[15231]: 970456840.036883 ArgusClientProcess(0x813d008, 0x813c0a0) exiting
argus_bpf[15229]: 970456839.902648 ArgusWriteSocket (0x813b060, 0x8079900, 128) returning 128
argus_bpf[15230]: 970456840.036803 ArgusHandleData(0x80799a0, 128) returning 1
argus_bpf[15229]: 970456839.902648 ArgusModelerCleanUp () returning
argus_bpf[15230]: 970456840.036803 ArgusOutputProcess() killing client 0 pid 15231
argus_bpf[15229]: 970456839.902648 ArgusPopQueue (0x813b080) returning 0x0
argus_bpf[15230]: 970456840.036803 ArgusCloseSocket(0) returning
argus_bpf[15229]: 970456839.902648 ArgusFree (0x817e000) returning
argus_bpf[15230]: 970456840.036803 ArgusOutputProcess() exiting
argus_bpf[15229]: 970456839.902648 ArgusFree (0x813b080) returning
argus_bpf[15229]: 970456839.902648 ArgusDeleteQueue (0x813b080) returning
argus_bpf[15229]: 970456839.902648 ArgusFree (0x813c030) returning
argus_bpf[15229]: 970456839.902648 ArgusFree (0x813e000) returning
argus_bpf[15229]: 970456839.902648 ArgusFree (0x813c0c0) returning
argus_bpf[15229]: 970456839.902648 ArgusDeleteList (0x813c0c0) returning
argus_bpf[15229]: 970456839.902648 ArgusFree (0x813b060) returning
argus_bpf[15229]: 970456839.902648 ArgusDeleteSocket (0x813b060) returning
argus_bpf[15229]: 970456839.902648 ArgusDeleteModeler() ArgusModeler 0x813c030, HashArray 0x813e000
argus_bpf[15229]: 970456839.902648 ArgusCloseClients() waiting for Output Task 15230
argus_bpf[15229]: 970456839.902648 ArgusCloseClients() returning
argus_bpf[15229]: 970456839.902648 ArgusFree (0x813d000) returning
argus_bpf[15229]: 970456839.902648 ArgusDeleteOutput() returning
argus_bpf[15229]: 970456839.902648 ArgusShutDown() ArgusCallocTotal 13 ArgusFreeTotal 11

> 
> The byte counts are due to Argus-2.0 reporting bytes
> differently from Argus-1.8.1.  We discussed this
> briefly on the list, and now is probably a great time
> to talk it through.  Argus-2.0 is not doing the right
> thing, so let's decide what the right thing is.
> 
> We should be reporting total bytes above IP, as derived from
> the packet headers.  In argus-1.8.1 we are subtracting
> ether, IP header and transport header length from the
> reported bytes, so with Argus-1.8.1 you get user bytes.  So
> Argus-2.0 is reporting something in between total bytes
> and user bytes.  So that's expected.
> 
> We should support both in Argus-2.0.  Possibly a -A switch
> for application bytes, and default reporting total
> bytes?  Do we want any other strategies?

	I'd like to see total bytes be the entire packet as received (ether 
IP headers and transport) or at least that be an option so I can see all the
traffic transiting the link for traffic charging.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
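
The three byte-count strategies discussed in this thread, computed for one frame, as an added example that is not part of the original message and is not Argus code. The names count_bytes, byte_counts and make_sample are hypothetical, and "bytes above IP" is taken here to mean the IP total length minus the IP header length, which is an assumption about the wording above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct byte_counts {
    int ok;          /* 1 if parsed as Ethernet II / IPv4 / TCP or UDP */
    size_t wire;     /* entire frame as received, link padding included */
    size_t above_ip; /* assumed meaning: IP total length minus IP header */
    size_t user;     /* what remains after the transport header */
};

static struct byte_counts count_bytes(const uint8_t *f, size_t len)
{
    struct byte_counts c = {0, len, 0, 0};
    if (len < 34 || f[12] != 0x08 || f[13] != 0x00) return c; /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t tot = ((size_t)ip[2] << 8) | ip[3];  /* from the header, not len */
    size_t thl = 8;                             /* UDP header is fixed */
    if ((ip[0] >> 4) != 4 || ihl < 20 || tot < ihl || 14 + tot > len)
        return c;                               /* malformed or truncated */
    if (ip[9] == 6 && tot >= ihl + 20) {
        thl = (size_t)(ip[ihl + 12] >> 4) * 4;  /* TCP data offset */
        if (thl < 20) return c;
    } else if (ip[9] != 17) {
        return c;                               /* neither TCP nor UDP */
    }
    if (tot < ihl + thl) return c;
    c.ok = 1; c.above_ip = tot - ihl;
    c.user = c.above_ip - thl;
    return c;
}

/* Constructed sample: TCP segment with 2 payload bytes, padded to 60 bytes. */
static size_t make_sample(uint8_t f[60])
{
    memset(f, 0, 60);
    f[12] = 0x08; f[13] = 0x00;  /* EtherType IPv4 */
    f[14] = 0x45; f[17] = 42;    /* IHL 5 words, IP total length 20+20+2 */
    f[23] = 6;    f[46] = 0x50;  /* protocol TCP, data offset 5 words */
    return 60;
}

int main(void)
{
    uint8_t f[60];
    struct byte_counts c = count_bytes(f, make_sample(f));
    printf("wire=%zu above_ip=%zu user=%zu\n", c.wire, c.above_ip, c.user);
}
```

The sample frame carries 4 bytes of Ethernet padding, so the as-received count is larger than the link header plus the IP total length; a count derived from the packet headers does not include that padding.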


