argus to tcpdump conversion

Carter Bullard carter at qosient.com
Thu Jun 14 17:17:47 EDT 2001


One way to test to see if ragator is doing the right
thing is to pipe the output to racount().  Comparing
the native file counts with the aggregated stream counts
is very helpful.  If the byte and packet totals are the
same, then things are working, just not as you suspect.

racount -r file*
ragator -r file* -w - | racount
ragator -f conf -r file* -w - | racount


Your records don't necessarily show that you've got
both halves of the connection being reported.  At CMU
we had some problems getting the interfaces set up
properly on RH 7.x.  Are you reading from two independent
interfaces or are you using the "any" interface?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

-----Original Message-----
From: Scott A. McIntyre [mailto:scott at xs4all.nl] 
Sent: Thursday, June 14, 2001 12:16 PM
To: Carter Bullard
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: argus to tcpdump conversion


Greetings,

>    Hmmmm, this should work fine.  If not, we should fix it
> so that it does work.  This filter should generate a class
> C address matrix broken out by protocol.  This works for
> me all the time no problem.

Right, that's what I thought it would do too.

> So you expect more or less than 600 output records?

Many many more.  The address ranges covered are thousands of nodes on
one side spending a day looking "The Internet" -- I would expect a lot
more than just 600 output records.

History: we're trying to use the argus data to develop peering
strategies.  Once we've gotten the /24's sorted out, we can compare with
a list of AS numbers and work out the appropriate contracts.

I don't know if it matters, but the box that gathers this data has two
interfaces, argus works from this just fine, of course, but I don't know
if it has an effect on the ragator or other routines.

The type of output I get is:

     Last_Time        Type  SrcAddr        Sport  Dir  DstAddr      Dport  SrcPkt  Dstpkt  SrcBytes  DstBytes  State
11 Jun 01 19:03:56   tcp   212.204.xxx.0         ->   213.84.zz.0         4234    0       5297928   0         FIN

What's peculiar is that as you can see it's only showing data for half
of the conversation.  Elsewhere I have traffic reported as:

     Last_Time        Type  SrcAddr        Sport  Dir  DstAddr      Dport  SrcPkt  Dstpkt  SrcBytes  DstBytes  State
11 Jun 01 22:28:10   tcp   213.84.uu.0           ->   207.46.qq.0         0       1794    0         1891673   RST

But it doesn't combine src and dst together...perhaps that's normal.


> So you may get multiple records per day for the same matrix entry, if 
> there is overflow.

Okay.   Thanks.

One thing I haven't tried is performing an hourly analysis and combining
the data; perhaps the problem is in reading 24 argus data files in at
once to do the ragator...

I'll experiment a bit more.

Scott
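A worked stand-in for the check Carter describes above (racount on the raw files against ragator output piped into racount), added here and not code from argus, ragator or racount: it parses ra-style records, aggregates them into a per-protocol /24 address matrix the way the thread says the ragator filter should, and verifies that packet and byte totals are unchanged by aggregation. The sample records, the 15-/13-token column offsets the parser assumes, and the one-way-pair heuristic for spotting conversations captured half on each of two interfaces are all assumptions made for this example.

```python
"""Added example, not argus/ragator/racount code: a small stand-in that
aggregates ra-style flow records into a per-protocol /24 address matrix
and checks that packet and byte totals survive aggregation, which is
the comparison Carter suggests (racount on the raw files against
ragator output piped into racount). Sample records are constructed."""
from collections import defaultdict
from ipaddress import ip_network

COUNTERS = ("spkt", "dpkt", "sbytes", "dbytes")

# Constructed records in the column order ra prints:
# Last_Time Type SrcAddr Sport Dir DstAddr Dport SrcPkt DstPkt SrcBytes DstBytes State
RAW_RECORDS = """\
11 Jun 01 19:03:56 tcp 212.204.10.5 40321 -> 213.84.7.80 80 120 0 150000 0 FIN
11 Jun 01 19:03:58 tcp 212.204.10.9 40400 -> 213.84.7.80 80 80 0 96000 0 FIN
11 Jun 01 19:04:01 tcp 213.84.7.80 80 -> 212.204.10.5 40321 0 130 0 170000 FIN
11 Jun 01 22:28:10 tcp 213.84.22.1 51000 -> 207.46.5.20 443 0 1794 0 1891673 RST
11 Jun 01 22:28:11 udp 213.84.22.1 5353 -> 207.46.5.53 53 3 3 240 600 CON
"""


def parse_ra(text):
    """Parse ra-style lines. The timestamp is four tokens; ports may be
    absent (as in aggregated output), which shifts the field offsets.
    Assumed layout: 15 tokens with ports, 13 tokens without."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 15:                     # with Sport/Dport columns
            src, dst, counters = f[5], f[8], f[10:14]
        elif len(f) == 13:                   # ports dropped by aggregation
            src, dst, counters = f[5], f[7], f[8:12]
        else:
            continue                         # header line or wrapped fragment
        rec = {"proto": f[4], "src": src, "dst": dst}
        rec.update(zip(COUNTERS, map(int, counters)))
        flows.append(rec)
    return flows


def count(flows):
    """racount-style totals: records, packets and bytes in both directions."""
    return {
        "records": len(flows),
        "packets": sum(f["spkt"] + f["dpkt"] for f in flows),
        "bytes": sum(f["sbytes"] + f["dbytes"] for f in flows),
    }


def class_c(addr):
    """Network address of the /24 containing addr."""
    return str(ip_network(addr + "/24", strict=False).network_address)


def aggregate_class_c(flows):
    """ragator-style /24 matrix keyed on (proto, src/24, dst/24); ports are
    dropped and the counters summed. Direction is kept as reported."""
    matrix = defaultdict(lambda: dict.fromkeys(COUNTERS, 0))
    for f in flows:
        entry = matrix[(f["proto"], class_c(f["src"]), class_c(f["dst"]))]
        for c in COUNTERS:
            entry[c] += f[c]
    return [{"proto": p, "src": s, "dst": d, **e}
            for (p, s, d), e in matrix.items()]


def totals_conserved(raw, agg):
    """The check from the message: aggregation may change the record count
    but must leave the packet and byte totals untouched."""
    a, b = count(raw), count(agg)
    return a["packets"] == b["packets"] and a["bytes"] == b["bytes"]


def one_sided_pairs(agg):
    """Matrix entries that carry traffic in one direction only and whose
    reverse entry is also one-way: what two interfaces each seeing one
    half of the conversation would produce. Heuristic assumed here."""
    index = {(f["proto"], f["src"], f["dst"]): f for f in agg}

    def one_way(f):
        return (f["spkt"] == 0) != (f["dpkt"] == 0)

    pairs = []
    for (p, s, d), f in index.items():
        rev = index.get((p, d, s))
        if s < d and rev is not None and one_way(f) and one_way(rev):
            pairs.append((p, s, d))
    return sorted(pairs)


if __name__ == "__main__":
    raw = parse_ra(RAW_RECORDS)
    agg = aggregate_class_c(raw)
    print("raw:        ", count(raw))
    print("aggregated: ", count(agg))
    print("conserved:  ", totals_conserved(raw, agg))
    print("one-way pairs:", one_sided_pairs(agg))
```

If the totals match but the record count is far below what the address space should produce, the aggregation itself is fine and the shortfall is in the input; a list of one-way pairs whose reverse entries are also one-way is the pattern to look for when each interface is capturing only one half of each connection.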
