argus-2.0.0Q, RA clients that buffer and dump data.

Chris Newton newton at unb.ca
Tue Jan 16 10:12:18 EST 2001


>===== Original Message From <carter at qosient.com> =====
>Hey Chris,
>In the argus-2.0 package we have a few clients
>that do buffer records and write them all out
>when they are done, rasort(), ramon() and ragator().
>But they terminate, at the time they "flush" all
>their data.
>
>However you may be able to do what you want with
>the existing package.  I would be this:
>
>   ra -S remotehost -w ra.out &
>
>This generates a persistent ra that is gathering
>records from remote host and putting the records
>it gets into the file ra.out. Have that running
>constantly.  The file ra.out is your buffer.
>
>Now every 10 minutes you can have a shell script
>that mv's ra.out to another filename, say tempfile.
>The persistent running ra (above) will recreate
>ra.out when it goes to write out its next record
>from the remote argus record.  All the ra* programs
>will recreate their output when they realize that
>it no longer exists.
>
>This strategy gives you your 10 minute argus data
>buffer.  Now you can use any ra* file to process
>it.

  That might work in fact, however, I was thinking more like 10 seconds... 
will ra still behave properly?  Also, do I understand correctly, that I could 
start argus, to write its output to a detailed binary argus file, AND ask ra 
to output ascii text flow records with ra -w file?  If so, this would work 
really well for me.


>It also would be very straight forward to add this
>feature to one of the ra* programs, but ...
>I'm trying to imagine what your application is.  That
>might help me to understand how I can help.

  Basically, I am trying to generate flow statistics for our link, at a high 
time resolution (relatively), like about 10 seconds and up... max, of no more 
than 5 minutes.  I'll take these flow statistics and generate byte and packet 
counts for our link.


>Is the desire to aggregate common records together
>before you "burst" them, or do you want to sort them?
>What are they flushing their data to, a pipe or a
>socket, stdout or a file?


  The idea is to 'right now' (10 seconds of now), generate byte counts and 
packet counts for the link.  ie: quasi realtime.  I don't want to process an 
hour/day's worth of flow data at the end of the day/hour.  So, the idea is to 
receive a burst, that represents all the IN/OUT traffic that happened in that 
10 seconds.  I'll then use something like MRTG to graph it, or some other tool 
(rrdtool, gdchart, or others... haven't decided what it will be yet).  I know I 
could generate byte and packet counts in easier ways, but I want the flow logs 
around to look at later if I see problems.


>
>Carter
>
>Carter Bullard
>QoSient, LLC
>300 E. 56th Street, Suite 18K
>New York, New York  10022
>
>carter at qosient.com
>Phone +1 212 813-9426
>Fax   +1 212 813-9426
>
>> -----Original Message-----
>> From: Chris Newton [mailto:newton at unb.ca]
>> Sent: Tuesday, January 16, 2001 7:30 AM
>> To: Argus (E-mail); Carter Bullard
>> Subject: RE: argus-2.0.0Q, RA clients that buffer and dump data.
>>
>>
>> Hi all,
>>
>>   I was wondering if ra could be made (I don't think it does this currently),
>> to read from a remote argus server, or file, and buffer its output for a
>> specified time period.
>>
>>   Basically, I have an application for argus (I am currently using another
>> flow generation software, that has fallen from active development, and so I
>> wish to discontinue its use), where I need the client that reads from the
>> server, to burst its output on an interval.  IE:  ra -burst 10, would cause
>> ra to read from the server for 10 seconds, and then dump the output to stdout,
>> instead of its current behavior of automatically dumping to stdout, all
>> stream it reads from the argus server/file.
>>
>>   Is this doable with the way ra is currently architected?  If you haven't
>> guessed, I'm no C programmer, unfortunately.
>>
>>   Or, does anyone know of a program that is designed to buffer, like I mention
>> above, that I can simply dump ra output into continuously?  Something like:
>>
>>   ra {parameters} | buffer -burst 10
>>
>> Thanks for any suggestions.
>>
>> Chris
>>
>>
>> >===== Original Message From <carter at qosient.com> =====
>> >Gentle people,
>> >   Argus-2.0.0Q is now available.
>> >ftp://qosient.com/dev/argus/argus-2.0/argus-2.0.0Q.tar.gz
>> >This release has a minor change to argus to tag IPX SAP
>> >transactions with the correct ethernet type.  Other changes
>> >have been format or cosmetic. Not a major modification
>> >to argus.
>> >
>> >The majority of the work in this release is in docs and
>> >man pages.  The FAQ has some new diagrams and the man1
>> >pages have some improvements, particularly ra.1, rasort.1,
>> >and rapath.1.
>> >
>> >Please use this version for all testing.
>> >
>> >Unless we get a bug report on argus this week, argus
>> >server software is now frozen.  Client software is now
>> >the focus of all last effort development.
>> >
>> >Thanks for all the testing!!!!!
>> >
>> >Carter
>> >
>> >
>> >Carter Bullard
>> >QoSient, LLC
>> >300 E. 56th Street, Suite 18K
>> >New York, New York  10022
>> >
>> >carter at qosient.com
>> >Phone +1 212 813-9426
>> >Fax   +1 212 813-9426
>>
>> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
>>
>> Chris Newton, Systems Analyst
>> Computing Services, University of New Brunswick
>> newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
>>
>>

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

Chris Newton, Systems Analyst
Computing Services, University of New Brunswick
newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
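
The rotation described in the quoted reply above (a persistent `ra -S remotehost -w ra.out &` whose output file is moved aside on a timer), as an added shell example that is not part of the original thread or of the Argus package. `BUF`, `SPOOL`, `INTERVAL`, both function names and the three-column text layout read by `sum_counts` are assumptions; a rotated chunk would first be turned into text by an ra* client.

```shell
#!/bin/sh
# Added example: rotate the file that a persistent
#   ra -S remotehost -w ra.out &
# writes to, so each interval's records can be processed separately.
# BUF, SPOOL and INTERVAL are assumed names, not Argus settings.
BUF=${BUF:-ra.out}
SPOOL=${SPOOL:-spool}
INTERVAL=${INTERVAL:-600}   # the 10 minutes from the message, in seconds

# Move the live buffer aside and print the new name. Returns 1 when the
# buffer is missing or empty. SPOOL must be on the same filesystem as BUF
# so that mv is a rename and not a copy of a file still being written.
rotate_buffer() {
    buf=$1; spool=$2
    [ -s "$buf" ] || return 1
    mkdir -p "$spool" || return 1
    dest="$spool/flows.$(date +%Y%m%d%H%M%S)"
    n=0
    # Short intervals can rotate twice in one second: never overwrite a chunk.
    while [ -e "$dest.$n" ]; do n=$((n + 1)); done
    mv "$buf" "$dest.$n" && printf '%s\n' "$dest.$n"
}

# Total the packet and byte columns of a text flow listing.
# Constructed layout (NOT ra's real output): "<flow-id> <pkts> <bytes>".
# Lines whose counters are not numeric (headers) are skipped.
sum_counts() {
    awk '$2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { p += $2; b += $3 }
         END { printf "%d %d\n", p, b }' "$1"
}

# Timer loop, started with: sh rotate.sh run
if [ "${1:-}" = run ]; then
    while sleep "$INTERVAL"; do
        chunk=$(rotate_buffer "$BUF" "$SPOOL") || continue
        # Convert $chunk to text with an ra* client here, then total it
        # with sum_counts and feed the two numbers to the graphing tool.
        echo "rotated: $chunk"
    done
fi
```

The rotated chunks stay in `SPOOL`, which keeps the flow logs available for later inspection as well as for the per-interval totals.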


