argus-2.0.0Q, RA clients that buffer and dump data.

Carter Bullard carter at qosient.com
Tue Jan 16 11:36:34 EST 2001 

Hey Chris,
You will want to use ragator() as this is one of the
things that it does very well.   But getting a 10 sec
interval stat will require that you think about
some things that you may not have considered.  With
existing 2.0 code and a few command line options, ragator
may be able to provide you with believable 120 second stats
or better.  The configuration file needed to do this
I've included below.

Problems with existing software and your application.

Argus outputs microflow audit records based on state
and a time interval.  The -S option specifies what that
time interval will be.  The default is 60 seconds.  What
this does is guarantee that the maximum time duration
of any argus audit record is 60 seconds.  With this type
of granular data, you can't derive a 10 second event
counter.  The best you could do would be 180 second
event counter (3 * period).  In order to get 10 second
link stats, you will need to run Argus with -S 2 or -S 3,
i.e.. print status for flows every 2 seconds while they
are alive.  Depending on your traffic loads, this may
or may not be a lot of records.

OK, with that out of the way, another thing to consider
is that Argus is pretty lazy as to when it will print
out its records.  This is so we will have maximum cycles
for packet processing, rather than data output.  Argus
can be easily tuned to be more timely in reporting
audit events, but without that tuning Argus could take
as long as 30-120 seconds to print out a particular record,
depending on the protocol and when the last packet was
seen.

So Argus presents an interesting time map for its data
events.  I'll try to draw a graph.  The Ax are Argus
records in output order.  The bars are the times that
the data covers. S is the time interval specified by
the -S option, we'll say its 5 seconds.  The A's
on the X axis are the times when the A records are
actually reported.



A1 +      +---------+
A2 +                    +---+
A3 +                                      ++
A4 +  +---+
A5 +                             +----+
   |
   +----+----+----+----+----+----+----+----+----+----+
        5    10   15   20   25   30   35   40   45   50
                        secs               A A A A A
                                           1 2 3 4 5

So, several things you'll need to do and one thing
I will need to do.  Get your Argus status interval to
about 1/3 of your desired stats interval, and if its
really tight, tune argus to be more aggressive in processing
its internal queues.

I'll need to think if there is anything I can do
to enable this type of application, say add a "-B 120"
option to ragator() to hold and time sort records for
120 seconds before it starts aggregating them.

Test this out and see if it does what you want.

   ragator -S remotehost -f flowmodel.conf

Where this is the contents of flowmodel.conf
#
#label   id    SrcCIDRAddr        DstCIDRAddr         Proto  SrcPort
DstPort   ModelList  Duration
Flow     106       *                  *                 *       *        *
100        120

# label  id      SrcAddrMask     DstAddrMask      Proto  SrcPort  DstPort
Model    100      0.0.0.0          0.0.0.0          no      no       no


If you want to go for 10 second stats, run
   argus -S 2 ........

and change the 120 in the above file to 10.

If you want to do the same thing but count based on IP protocol, put a "yes"
in the proto field of Model 100.  Anyway, read the ./examples/fmodel.conf
file for suggestions on configuring ragator().

Hope this helps.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426


> -----Original Message-----
>
>   The idea is to 'right now' (10 seconds of now), generate
> byte counts and
> packet counts for the link.  ie: quasi realtime.  I don't
> want to process an
> hour/day's worth of flow data at the end of the day/hour.
> So, the idea is to
> recieve a burst, that represents all the IN/OUT traffic that
> happened in that
> 10 seconds.  I'll then use something like MRTG to graph it,
> or some other tool
> (rrdtool, gdchart, or others... havent decided what it will
> be yet).  I know I
> could generate byte and packet counts in easier ways, but I
> want the flow logs
> around to look at later if I see problems.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20010116/d3a56252/attachment.html>

More information about the argus mailing list