argus to tcpdump conversion
Scott A. McIntyre
scott at xs4all.nl
Thu Jun 14 12:15:42 EDT 2001
Greetings,
> Hmmmm, this should work fine. If not, we should fix it
> so that it does work. This filter should generate a class
> C address matrix broken out by protocol. This works for
> me all the time no problem.
Right, that's what I thought it would do too.
> So you expect more or less than 600 output records?
Many, many more. The address ranges covered are thousands of nodes on
one side spending a day looking at "The Internet" -- I would expect a lot
more than just 600 output records.
History: we're trying to use the argus data to develop peering
strategies. Once we've gotten the /24's sorted out, we can compare with
a list of AS numbers and work out the appropriate contracts.
I don't know if it matters, but the box that gathers this data has two
interfaces, argus works from this just fine, of course, but I don't know
if it has an effect on the ragator or other routines.
The type of output I get is:
Last_Time Type SrcAddr Sport Dir DstAddr Dport SrcPkt Dstpkt SrcBytes DstBytes State
11 Jun 01 19:03:56 tcp 212.204.xxx.0 -> 213.84.zz.0 4234 0 5297928 0 FIN
What's peculiar is that as you can see it's only showing data for half
of the conversation. Elsewhere I have traffic reported as:
Last_Time Type SrcAddr Sport Dir DstAddr Dport SrcPkt Dstpkt SrcBytes DstBytes State
11 Jun 01 22:28:10 tcp 213.84.uu.0 -> 207.46.qq.0 0 1794 0 1891673 RST
But it doesn't combine src and dst together...perhaps that's normal.
> So you may get multiple records per day for the same matrix
> entry, if there is overflow.
Okay. Thanks.
One thing I haven't tried is performing an hourly analysis and combining
the data; perhaps the problem is in reading 24 argus data files in at
once to do the ragator...
I'll experiment a bit more.
Scott
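The two half-conversation records shown above, folded into one /24 x /24 matrix cell per protocol, as an added example that is not part of this post or of the argus/ragator code. It assumes the column layout printed in the post (Last_Time Type SrcAddr Dir DstAddr SrcPkt DstPkt SrcBytes DstBytes State, ports already masked out) and a "->" direction token; the sample lines are constructed with RFC 5737 documentation addresses in place of the masked "xxx"/"zz" octets so the /24 arithmetic is real.

```python
"""Fold per-direction ragator records into one undirected /24 matrix cell.

Added example, not argus project code.  Each ragator line reports counts
for SrcAddr and DstAddr separately, so a conversation whose halves were
recorded with the endpoints swapped shows up as two cells.  Keying on the
sorted pair of /24s collapses both halves (and any overflow records for
the same pair) into one cell while keeping per-direction counters.
"""
from collections import defaultdict
import re

# Constructed sample in the post's column layout (assumed: no port columns,
# direction token "->").  Addresses are RFC 5737 documentation ranges.
SAMPLE = """\
Last_Time Type SrcAddr Dir DstAddr SrcPkt Dstpkt SrcBytes DstBytes State
11 Jun 01 19:03:56 tcp 192.0.2.0 -> 198.51.100.0 4234 0 5297928 0 FIN
11 Jun 01 22:28:10 tcp 198.51.100.0 -> 192.0.2.0 0 1794 0 1891673 RST
11 Jun 01 23:10:01 tcp 192.0.2.0 -> 198.51.100.0 100 50 12000 6000 FIN
11 Jun 01 23:11:45 udp 192.0.2.0 -> 203.0.113.0 7 7 700 900 FIN
"""

# "11 Jun 01 19:03:56 " prefix; header and blank lines do not match it.
TIME_RE = re.compile(r"^\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2} ")


def parse_record(line):
    """Return a dict for one ragator text line, or None for header/blank lines."""
    m = TIME_RE.match(line)
    if not m:
        return None
    fields = line[m.end():].split()
    if len(fields) != 9:
        raise ValueError("unexpected column count: %r" % line)
    proto, src, direction, dst, spkt, dpkt, sbytes, dbytes, state = fields
    if direction != "->":
        raise ValueError("unhandled direction token %r" % direction)
    return {"time": m.group(0).strip(), "proto": proto, "src": src, "dst": dst,
            "spkt": int(spkt), "dpkt": int(dpkt),
            "sbytes": int(sbytes), "dbytes": int(dbytes), "state": state}


def net24(addr):
    """Return the /24 containing addr, written as 'a.b.c.0/24'."""
    a, b, c, _ = addr.split(".")
    return "%s.%s.%s.0/24" % (a, b, c)


def build_matrix(text):
    """Aggregate records into {(proto, netA, netB): counters}.

    netA <= netB (string order, any consistent total order would do), so a
    record in either direction lands on the same key; counters are kept
    per direction (ab = netA toward netB) so the halves stay readable.
    """
    matrix = defaultdict(lambda: {"pkts_ab": 0, "pkts_ba": 0,
                                  "bytes_ab": 0, "bytes_ba": 0, "records": 0})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        a, b = net24(rec["src"]), net24(rec["dst"])
        if a <= b:
            key = (rec["proto"], a, b)
            pk_ab, pk_ba = rec["spkt"], rec["dpkt"]
            by_ab, by_ba = rec["sbytes"], rec["dbytes"]
        else:
            # Endpoints swapped relative to the key: SrcPkt/SrcBytes belong
            # to netB, DstPkt/DstBytes to netA.
            key = (rec["proto"], b, a)
            pk_ab, pk_ba = rec["dpkt"], rec["spkt"]
            by_ab, by_ba = rec["dbytes"], rec["sbytes"]
        cell = matrix[key]
        cell["pkts_ab"] += pk_ab
        cell["pkts_ba"] += pk_ba
        cell["bytes_ab"] += by_ab
        cell["bytes_ba"] += by_ba
        cell["records"] += 1
    return dict(matrix)


def render_matrix(matrix):
    """One text row per cell, sorted, with both directions side by side."""
    rows = []
    for (proto, a, b), c in sorted(matrix.items()):
        rows.append("%-4s %-18s %-18s %8d/%-8d pkts %10d/%-10d bytes (%d recs)"
                    % (proto, a, b, c["pkts_ab"], c["pkts_ba"],
                       c["bytes_ab"], c["bytes_ba"], c["records"]))
    return rows


if __name__ == "__main__":
    for row in render_matrix(build_matrix(SAMPLE)):
        print(row)
```

With the sample above, the three tcp records between 192.0.2.0/24 and 198.51.100.0/24 become a single row carrying the packets and bytes of both directions, which is the combined src/dst view the post is asking about; ragator's overflow records for the same pair are summed the same way.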