racount and src/dst byte counts

Carter Bullard carter at qosient.com
Wed Sep 26 12:14:35 EDT 2001


Hey Desmond,
   So the record is saying that 199.212.cc.dd initiated the
TCP connection, the "->" is saying that argus saw the SYN
coming from 199.212.cc.dd and EST is saying that argus is
sending a status record, the TCP is still open but here is
an update on the progress of the connection.  You should
get one of these every 60 seconds by default, if the connection
is still ongoing.

   199.212.cc.dd is the client and 142.55.aa.bb is the server,
and 6891 is the service port.

   Now none of this will indicate what the load will be.
Does the service move data to the server or from the server?
That's up to the protocol and the service that is running.
From your mail, I don't know what the situation is with
racount, as you didn't send its output.  A way to test this
situation and possibly clear up any confusion you may have
is to filter out just the records that seem puzzling and
write them to a temporary file.  If this particular TCP
connection is a concern, capture all the records that relate
to this single TCP connection.

   ra -r file -w /tmp/ra.out tcp and src host 199.212.cc.dd \
      and dst host 142.55.aa.bb and src port 32862 and dst port 6891

This should result in a file of records that all relate to
the single TCP connection that spans a length of time.

print out the contents to make sure it makes sense:
   ra -ncr /tmp/ra.out

If you've got them all, you should see most have an 'EST' at
the end and a 'FIN' or 'CLO' should be somewhere at the end,
if you actually captured all the records.

Take this file and run ragator on it:
   ragator -ncr /tmp/ra.out

and compare ragator's output with racount's
   racount -r /tmp/ra.out

They should be the same.  Doing this may help you to
see what is going on with the records.
If you want labels for the columns, run ra and ragator with
the "-L 0" option (print only one label at the beginning).

I hope this helps!
Carter
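
The filter / ragator / racount comparison above, worked through in code. This is an added illustration, not part of the original mail and not argus code: the record layout below is a constructed, simplified ra-like layout (date, time, proto, src addr.port, "->", dst addr.port, bytes sent by src, bytes sent by dst, state), not the exact output of any ra version. Only the "->" case discussed in the mail is modelled (the left-hand host sent the SYN and is the src); per-connection aggregation plays the role of ragator, the grand total plays the role of racount, and the two must agree.

```python
"""
Aggregate flow status records for a single TCP connection.

Added example (not argus code).  Assumed, constructed layout per line:
  <day> <mon> <yr> <time> <proto> <src addr.port> -> <dst addr.port> <sbytes> <dbytes> <state>
'->' means the left-hand host sent the SYN, so it is the src (client).
sbytes/dbytes are the bytes sent by src and by dst in the interval covered
by that status record; one connection yields several EST records and
finally a FIN record, so the per-connection sums are what matter.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data; addresses are masked as in the original mail.
# The second connection shows the same server acting as src elsewhere.
SAMPLE_RECORDS = """\
25 Sep 01 13:58:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 412 1500 EST
25 Sep 01 13:59:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 380 262144 EST
25 Sep 01 13:59:30 tcp 142.55.aa.bb.6891 -> 10.0.0.5.1025 900 100 EST
25 Sep 01 14:00:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 395 262144 EST
25 Sep 01 14:01:07 tcp 199.212.cc.dd.32862 -> 142.55.aa.bb.6891 60 1024 FIN
"""


@dataclass(frozen=True)
class FlowKey:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Totals:
    sbytes: int = 0      # bytes sent by the SYN initiator (src)
    dbytes: int = 0      # bytes sent by the responder (dst)
    records: int = 0     # status records seen for this connection
    last_state: str = ""  # EST while open; FIN/CLO once closed


def split_addr(token: str):
    """'142.55.aa.bb.6891' -> ('142.55.aa.bb', 6891): port is the last dotted part."""
    host, _, port = token.rpartition(".")
    return host, int(port)


def parse_record(line: str):
    fields = line.split()
    if len(fields) != 11:
        raise ValueError(f"unexpected layout: {line!r}")
    proto, src, direction, dst, sbytes, dbytes, state = fields[4:]
    if direction != "->":
        # Only the case from the mail is modelled; anything else is rejected, not guessed.
        raise ValueError(f"unsupported direction indicator {direction!r} in {line!r}")
    shost, sport = split_addr(src)
    dhost, dport = split_addr(dst)
    return FlowKey(proto, shost, sport, dhost, dport), int(sbytes), int(dbytes), state


def parse_records(text: str):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def select_connection(records, src_host, dst_host, sport, dport, proto="tcp"):
    """Equivalent of the ra filter 'tcp and src host A and dst host B and src port P and dst port Q'."""
    want = FlowKey(proto, src_host, sport, dst_host, dport)
    return [r for r in records if r[0] == want]


def aggregate(records):
    """ragator-style: one Totals per connection, summed over all its status records."""
    totals = defaultdict(Totals)
    for key, sb, db, state in records:
        t = totals[key]
        t.sbytes += sb
        t.dbytes += db
        t.records += 1
        t.last_state = state
    return dict(totals)


def count_bytes(records):
    """racount-style grand total: (all src bytes, all dst bytes) over every record."""
    return sum(r[1] for r in records), sum(r[2] for r in records)


def per_host_bytes(records):
    """Per host: (bytes sent while it was src, bytes sent while it was dst).
    src/dst is decided per connection by who sent the SYN, not by which host is local,
    so a server that also opens connections collects bytes on both sides."""
    hosts = defaultdict(lambda: [0, 0])
    for key, sb, db, _ in records:
        hosts[key.src][0] += sb
        hosts[key.dst][1] += db
    return {h: tuple(v) for h, v in hosts.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    conn = select_connection(recs, "199.212.cc.dd", "142.55.aa.bb", 32862, 6891)
    agg = aggregate(conn)
    for key, t in agg.items():
        print(f"{key.src}.{key.sport} -> {key.dst}.{key.dport}: "
              f"{t.records} records, src {t.sbytes} B, dst {t.dbytes} B, last {t.last_state}")
    # ragator's per-connection sums and racount's grand total must agree
    assert (sum(t.sbytes for t in agg.values()), sum(t.dbytes for t in agg.values())) == count_bytes(conn)
    print("per host (as src, as dst):", per_host_bytes(recs))
```

In the constructed sample the client sends roughly 1 KB while the server sends about 500 KB, so the "dst" column is where the bulk lands even though the dst host is the one that received the SYN; the direction arrow says who opened the connection, not which way the data flows.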

> -----Original Message-----
> From: Desmond Irvine [mailto:desmond.irvine at sheridanc.on.ca] 
> Sent: Wednesday, September 26, 2001 11:46 AM
> To: carter at qosient.com
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: racount and src/dst byte counts
> 
> 
> How does racount decide which side (src or dst) to add the bytes to?
> The transaction I was looking at was from what I suspect is some sort
> of peer to peer file sharing tool.  ra listed a bunch of connections
> of the form:
> 
> 25 Sep 01 13:59:07    tcp  199.212.cc.dd.32862  ->  142.55.aa.bb.6891  EST
> 
> From this I would assume the flow was from the external machine to the
> local machine so I expected racount for the local machine to show the
> larger amount of bytes on the dst side and the external machine to show
> it on the src side.  Regardless of what racount considered src and dst
> I expect only one machine to be considered the dst; racount showing both
> on the dst side doesn't seem to make sense to me.
> 