racount and src/dst byte counts

[Desmond Irvine]

I'm trying to wrap my head around what the src/dst byte counts mean when
doing an racount on a particular host.  I have a machine that I suspect
is using a large amount of bandwidth so I decided to look at what it was
doing with argus:

racount -n -r argus - host 142.55.aa.bb

racount    records       total_pkts         src_pkts        dst_pkts      total_bytes        src_bytes        dst_bytes
    sum         28           245427            81899          163528        181195205          4917335        176277870

ra -n -r argus - host 142.55.aa.bb

shows connectivity mainly from one remote host 199.212.cc.dd

racount -n -r argus - host 199.212.cc.dd

racount    records       total_pkts         src_pkts        dst_pkts      total_bytes        src_bytes        dst_bytes
    sum         16           245290            81830          163460        181180324          4909808        176270516

ra -n -r argus - host 199.212.cc.dd

shows only connections to the one local machine 142.55.aa.bb

What confuses me is the dst_bytes values - they're both pretty much
the same for each machine.  Shouldn't one list the total under
src_bytes and the other under dst_bytes?

Looking via another tool (ntop) shows the local machine sending the
data to the remote machine.

Desmond.

-- 
Desmond Irvine                Security Analyst, Information Technology
Sheridan College              Phone: 905-845-9430 x2035
1430 Trafalgar Road           Fax: 905-815-4011
Oakville, ON  L6H 2L1         EMail: desmond.irvine at sheridanc.on.ca