argus records

Carter Bullard carter at qosient.com
Mon Apr 8 10:51:40 EDT 2002


Hey Mukesh,
The answers to what all the fields mean are scattered
around, and there is a word document that describes them,
but it's out of date.  I was hoping that they were all
self explanatory ;o)  Let me answer your specific questions,
and then I'm headed for breakfast.

If we do this enough, we'll get all the fields described,
so please keep those questions coming!

The bytes fields that are in the <Metrics> tag are all
derived from the length of the packet received on the wire.
The bytes fields that are in the <Extended TCP Metrics> tag
are all derived from the TCP headers, so there can be some
discrepancies, although they should be minor.

The AppBytes fields contain the number of bytes above the
transport layer for this flow, so it's basically
(totalbytes - (MACHdr + IP_Hdr + TransHdr)).

The TcpByte field is the number of bytes declared in the
TCP header minus the TCP header length (TCPLen - TCPHdrLen).

The TcpAckBytes are the actual number of bytes acknowledged
by the receiver, so they are successfully transported bytes.


AppBytes should always be equal to TcpBytes (+-1), if all
the packets are seen by the Argus, and both should be greater than
TCPAckBytes, at least in theory, but there are situations where
these rules don't apply.  This is because the TCPByte and AppByte
values are derived from independent length counters in different
parts of the packet, which don't have to be correct (especially
in attack scenarios where they are off on purpose).  And there
are situations where TCPAckBytes may seem completely wrong, compared
to the others, because it is relative to the other side's base
sequence number, so when there is packet loss, or asymmetric
routing conditions, this number can be somewhat off, compared
to the others.

Under normal conditions, that is when Argus sees all the important
control packets, (when the TCP direction indicator is "->"),
AppBytes and TcpBytes will be greater than TcpAckBytes when there
are TCP retransmissions.  There are situations where there are
packet retransmissions reported but these values are equal.  That,
of course, is when the retransmissions are control packets, like
multiple SYNs to get the connection, or when the packet loss
occurs somewhere before the data is received by the Argus.

The value (AppBytes - TcpBytes) should be the actual number of
retransmitted user bytes, and you should be able to calculate the
efficiency of your TCP from these values.

If you see something other than this, please send more mail.
I've had good luck with these values, but if you're seeing
something else, there may be a bug.

When you use programs like ragator(), which merge records
together, the resulting records can have AGRegation
Data Specific records included, to provide the number of
records that were merged (Trans), and some basic statistics
about the average duration of the records that were merged
and the average time between record start times.  This is
so you can get some understanding as to what contributed
to this aggregated Argus record.

So, as an example, if you had all the Argus records for
the ping transactions between host A and B, and you merged
them together using ragator() with your own modeling file,
the single Argus record that is generated will contain
an AGR record which will contain the average RTT, and the
average time between ping attempts.

Hope this helps, I know that the documentation is less
than adequate, but we'll get there eventually.  If you have
an interest in contributing, this would be a great place
to spend some time!

Thanks for the interest in Argus,

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> mukesh agrawal
> Sent: Friday, April 05, 2002 10:52 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: argus records
> 
> 
> 
> Hi,
> 
> I'm trying to understand some Argus dump files that I have. 
> I've looked at
> the web site and through the mailing list archives, but 
> couldn't find the
> answer to my question.
> 
> I'm looking at flows that were captured with argus, and 
> converted to XML
> with raxml. The specific question I have is "what does the
> ArgusFlowRecord.Metrics.SrcAppBytes field mean?"
> 
> The reason I ask is that I have some flows in my capture for which the
> SrcAppBytes value is greater than the
> ArgusFlowRecord.ExtFlow.TcpExtMetrics.SrcTcpBytes value (and 
> similarly for
> DstAppBytes and DstTcpBytes). It isn't clear to me what to 
> make of such
> records.
> 
> A second question is what the meaning of the
> Metrics.ArgusAgrData.Count.{Packet,Transaction} fields is.
> 
> Or a more general question: is there documentation on what 
> the fields in
> the Argus records mean?
> 
> Thanks.
> 
> 
> 
> 

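The byte relationships Carter lays out above (AppBytes derived from the wire length, TcpBytes from the TCP header, AppBytes - TcpBytes as the retransmitted user bytes, and TcpAckBytes possibly drifting because it is relative to the peer's base sequence number) are easy to turn into a sanity check over a batch of raxml output. The script below is an added example, not part of this thread or of the Argus distribution. The XML nesting follows the dotted field paths Mukesh quotes (ArgusFlowRecord.Metrics.SrcAppBytes, ArgusFlowRecord.ExtFlow.TcpExtMetrics.SrcTcpBytes); the SrcTcpAckBytes/DstTcpAckBytes element names, the use of child elements rather than attributes, the sample records, and the "efficiency = TcpBytes / AppBytes" definition are all assumptions of this example, so adjust the paths to whatever your raxml version actually emits.

```python
import xml.etree.ElementTree as ET

# Carter's rule of thumb: AppBytes == TcpBytes (+-1) when Argus saw every packet.
TOLERANCE = 1

# Constructed sample records (not real raxml output). The nesting follows the
# dotted field paths quoted in the thread; the *TcpAckBytes element names and
# the use of child elements rather than attributes are assumptions.
SAMPLE_XML = """<ArgusRecords>
  <ArgusFlowRecord id="clean">
    <Metrics><SrcAppBytes>1200</SrcAppBytes><DstAppBytes>480</DstAppBytes></Metrics>
    <ExtFlow><TcpExtMetrics>
      <SrcTcpBytes>1200</SrcTcpBytes><DstTcpBytes>481</DstTcpBytes>
      <SrcTcpAckBytes>1200</SrcTcpAckBytes><DstTcpAckBytes>480</DstTcpAckBytes>
    </TcpExtMetrics></ExtFlow>
  </ArgusFlowRecord>
  <ArgusFlowRecord id="retrans">
    <Metrics><SrcAppBytes>3000</SrcAppBytes><DstAppBytes>0</DstAppBytes></Metrics>
    <ExtFlow><TcpExtMetrics>
      <SrcTcpBytes>2000</SrcTcpBytes><DstTcpBytes>0</DstTcpBytes>
      <SrcTcpAckBytes>2000</SrcTcpAckBytes><DstTcpAckBytes>0</DstTcpAckBytes>
    </TcpExtMetrics></ExtFlow>
  </ArgusFlowRecord>
  <ArgusFlowRecord id="bad-lengths">
    <Metrics><SrcAppBytes>500</SrcAppBytes><DstAppBytes>700</DstAppBytes></Metrics>
    <ExtFlow><TcpExtMetrics>
      <SrcTcpBytes>900</SrcTcpBytes><DstTcpBytes>700</DstTcpBytes>
      <SrcTcpAckBytes>900</SrcTcpAckBytes><DstTcpAckBytes>9000</DstTcpAckBytes>
    </TcpExtMetrics></ExtFlow>
  </ArgusFlowRecord>
</ArgusRecords>"""


def _field(rec, path):
    """Read an integer leaf at an ElementTree path; a missing field reads as 0."""
    el = rec.find(path)
    return int(el.text) if el is not None and el.text else 0


def analyze_direction(app_bytes, tcp_bytes, ack_bytes):
    """Apply the relationships from the thread to one direction of a flow.

    retransmitted = AppBytes - TcpBytes  (user bytes that were sent more than once)
    efficiency    = TcpBytes / AppBytes  (share of transmitted user bytes that were
                    first transmissions; this definition is an assumption here)
    """
    findings = []
    retransmitted = app_bytes - tcp_bytes
    if retransmitted < -TOLERANCE:
        # Wire length and TCP header length disagree by more than the expected
        # +-1: either the sensor missed packets, or the lengths in the packet
        # are not truthful, which the thread notes happens in attack traffic.
        findings.append("app_lt_tcp")
    if ack_bytes > tcp_bytes + TOLERANCE:
        # AckBytes is relative to the peer's base sequence number, so packet
        # loss or asymmetric routing can make it exceed the data actually seen.
        findings.append("ack_exceeds_tcp")
    efficiency = None
    if app_bytes > 0 and "app_lt_tcp" not in findings:
        efficiency = min(1.0, tcp_bytes / app_bytes)
    return {"retransmitted": retransmitted, "efficiency": efficiency,
            "findings": findings}


def analyze_records(xml_text):
    """Run the per-direction checks over every ArgusFlowRecord in the document."""
    results = {}
    metrics, ext = "Metrics/", "ExtFlow/TcpExtMetrics/"
    for rec in ET.fromstring(xml_text).iter("ArgusFlowRecord"):
        results[rec.get("id", "?")] = {
            "src": analyze_direction(_field(rec, metrics + "SrcAppBytes"),
                                     _field(rec, ext + "SrcTcpBytes"),
                                     _field(rec, ext + "SrcTcpAckBytes")),
            "dst": analyze_direction(_field(rec, metrics + "DstAppBytes"),
                                     _field(rec, ext + "DstTcpBytes"),
                                     _field(rec, ext + "DstTcpAckBytes")),
        }
    return results


if __name__ == "__main__":
    for rid, dirs in analyze_records(SAMPLE_XML).items():
        for direction, r in dirs.items():
            print(f"{rid:12s} {direction}: retrans={r['retransmitted']:5d} "
                  f"eff={r['efficiency']} findings={r['findings']}")
```

The "clean" record stays within the +-1 tolerance in both directions, "retrans" shows 1000 retransmitted bytes with no anomaly flagged (the normal retransmission case Carter describes), and "bad-lengths" trips both checks: the source direction has AppBytes well below TcpBytes, so the two independent length counters cannot both be right, and the destination direction has an acknowledged-byte count far above the data seen, the signature of a skewed base sequence number. Records carrying either finding are the ones to pull the packet capture for, rather than feed straight into a throughput or efficiency report.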