service availability analysis with Argus

Carter Bullard carter at qosient.com
Wed Feb 21 14:07:07 EST 2001


Gentle people,
   I'm now starting the descriptions of some of the
things that you can do with the new argus().  Some
of the features we have not discussed on the list
yet, and so here goes with one feature of ragator().

   Sorry for the html format, but it helps to get the
example output into a viewable state.

   Ragator() supports a "-V" option, which tells ragator() to
merge records based on the connectivity state of a given flow.
The result of using this option, is that while a flow is
in a particular connected state (up or down) records will
be merged together.  With the right kind of flow and flow
merging strategy, you'll get a single record while the flow
is up, and another single record while the flow is down.

   For instance, with my Windows 2000 Enterprise Server,
it makes DNS request rather often, and always uses the same
source and destination ports.  If I want to find out when
my availability to a given DNS server went down,
say yesterday for instance, I just run:

   ragator -Vr archive/2001/02/21/* - host 151.198.0.38 and port 53

2001-02-16 12:40:19.043281   300000.090430    man version=2.0 probeid=192.168.0.132 STA
        Start_Time              Duration     Type     SrcAddr    Sport  Dir  DstAddr    Dport  SrcPkt   Dstpkt    SrcBytes     DstBytes   State
2001-02-19 23:54:49.167242        0.061103    udp    192.168.0.16.1070  <->  151.198.0.38.53    1        1         76           187         ACC
2001-02-20 00:56:18.271511      689.015013    udp    192.168.0.16.1070   ->  151.198.0.38.53    24       0         1824         0           INT
2001-02-20 01:10:37.685365    67552.709543    udp    192.168.0.16.1070  <->  151.198.0.38.53    49       48        3981         12641       CON
2001-02-20 20:06:45.915523        0.000000    udp    192.168.0.16.1070   ->  151.198.0.38.53    1        0         79           0           INT
2001-02-20 20:31:17.043918     6017.070789    udp    192.168.0.16.1070  <->  151.198.0.38.53    9        9         770          2367        CON

   Since, for the most part, flow connectivity is equivalent
to service availability (at least from a network perspective),
from this you can build a very nice service availability
meter.

   With the above example, you can say DNS was down at 00:56:18
and was unavailable until 01:10:37 and then again it was
unavailable at 20:06:45.  Now, the first outage is definitely an outage:
multiple requests, no answer, and the first time you get a response
back you know that it's up again.  Now with the second unanswered
request, you don't know if the packet was just dropped by the network
or if the service was actually unavailable.  Two argi can, of course,
solve that problem for you.
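The reasoning in the two paragraphs above (a record with requests but no replies marks the start of an outage, the next record carrying replies marks its end, and a single unanswered request is ambiguous) can be turned into a small availability meter. The script below is an added illustration, not code from Carter or from the argus distribution; it assumes only the flat ragator output layout printed earlier in this message, and its sample input is the five records from that output re-joined onto one line each (the "man" record and column header are included to show they are skipped). It works unchanged for clients that use one flow per request, since those records, once the source port is masked out, carry the same packet counts and state fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Sample input: the records from the ragator -V output in this message,
# one record per line (the "man" record and header are skipped by the parser).
SAMPLE = """\
2001-02-16 12:40:19.043281   300000.090430    man version=2.0 probeid=192.168.0.132 STA
        Start_Time              Duration     Type     SrcAddr    Sport  Dir  DstAddr    Dport  SrcPkt   Dstpkt    SrcBytes     DstBytes   State
2001-02-19 23:54:49.167242        0.061103    udp    192.168.0.16.1070  <->  151.198.0.38.53    1        1         76           187         ACC
2001-02-20 00:56:18.271511      689.015013    udp    192.168.0.16.1070   ->  151.198.0.38.53    24       0         1824         0           INT
2001-02-20 01:10:37.685365    67552.709543    udp    192.168.0.16.1070  <->  151.198.0.38.53    49       48        3981         12641       CON
2001-02-20 20:06:45.915523        0.000000    udp    192.168.0.16.1070   ->  151.198.0.38.53    1        0         79           0           INT
2001-02-20 20:31:17.043918     6017.070789    udp    192.168.0.16.1070  <->  151.198.0.38.53    9        9         770          2367        CON
"""

@dataclass
class FlowRecord:
    start: datetime
    duration: timedelta
    proto: str
    src: str            # address.port exactly as ragator prints it
    direction: str      # "->" (one way) or "<->" (both ways)
    dst: str
    src_pkts: int
    dst_pkts: int
    state: str

    @property
    def end(self) -> datetime:
        return self.start + self.duration

def parse_ragator(text: str) -> List[FlowRecord]:
    """Parse the 12-column flow lines; header, man record and blanks are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 12:
            continue
        try:
            start = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S.%f")
        except ValueError:
            continue
        records.append(FlowRecord(
            start=start, duration=timedelta(seconds=float(f[2])),
            proto=f[3], src=f[4], direction=f[5], dst=f[6],
            src_pkts=int(f[7]), dst_pkts=int(f[8]), state=f[11]))
    return sorted(records, key=lambda r: r.start)

@dataclass
class Outage:
    start: datetime
    end: Optional[datetime]   # None: no reply seen again before the data ends
    unanswered: int           # client requests sent with no reply at all
    confirmed: bool           # more than one unanswered request, not a lone lost packet

def find_outages(records: List[FlowRecord]) -> List[Outage]:
    """A record with requests but zero reply packets opens (or extends) an outage;
    the next record that carries reply packets closes it at its Start_Time,
    the first moment the server is known to have answered again."""
    outages: List[Outage] = []
    current: Optional[Outage] = None
    for r in records:
        if r.src_pkts > 0 and r.dst_pkts == 0:
            if current is None:
                current = Outage(r.start, None, 0, False)
            current.unanswered += r.src_pkts
            current.confirmed = current.unanswered > 1
        elif r.dst_pkts > 0 and current is not None:
            current.end = r.start
            outages.append(current)
            current = None
    if current is not None:
        outages.append(current)   # still down when the archive ends
    return outages

def availability(records: List[FlowRecord], outages: List[Outage]) -> float:
    """Fraction of the observed window (first Start_Time to the latest record
    end) that was not inside a detected outage."""
    window_start = records[0].start
    window_end = max(r.end for r in records)
    window = (window_end - window_start).total_seconds()
    down = sum(((o.end or window_end) - o.start).total_seconds() for o in outages)
    return 1.0 - down / window

if __name__ == "__main__":
    recs = parse_ragator(SAMPLE)
    outs = find_outages(recs)
    for o in outs:
        kind = "outage" if o.confirmed else "single unanswered request (ambiguous)"
        print(f"{o.start} -> {o.end}  {kind}, {o.unanswered} unanswered")
    print(f"availability over window: {availability(recs, outs):.4%}")
```

Run against the sample it reports the 00:56:18 to 01:10:37 gap as a confirmed outage (24 requests, no reply) and the 20:06:45 record as a single ambiguous unanswered request, which is exactly the distinction drawn above; feeding it the output of a second argus at the server side is what would settle the ambiguous case.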

   For DNS clients that have a separate flow per request,
a simple ragator() flow configuration file that masks out
the source port number, does the trick, so that the multiple
transactions from one client to the same server and server
port, will be merged together.  These clients generate better information
as argus unambiguously determines if there was a response or not.

   Comments?  I sense that this could be a complex topic
for the uninitiated, so does anyone have an opinion how
we can best present this type of functionality?  FAQ? HOW-TO?


Carter


Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134

