Strange timerange behavior

Mark Poepping poepping at cmu.edu
Sun Dec 29 10:27:33 EST 2002 

The timerange stuff was originally written for forensics, not time-based
accounting, so its intent was to select any flow that *intersects* with the
given timerange.  If you issue two queries with abutting time intervals (e.g.
16:01-17:00, and 17:01-18:00), any flow that spans 17:00-17:01 will be
reported in both queries.  Remember that the exporting of information on
active flows is discrete based on the reporting interval, so you can't query
for all activity in arbitrary time intervals.  As I recall, you can adjust the
reporting interval to approximate continuity, but there are performance and
report aggregation ramifications of pushing that to an extreme (worthy of
experimentation in most everyone's case).  In fact, we've found it useful to
experiment simultaneously with several probes using different policy to
investigate the tradeoffs and relative value.

Mark.


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-
> info at lists.andrew.cmu.edu] On Behalf Of Ingo Theiss
> Sent: Sunday, December 29, 2002 4:56 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Strange timerange behavior
> 
> Hello erverybody,
> 
> I am quite new to argus but quickly warming up to that great project.
> I´ve got argus working and collecting data on my system for about two
> days and started analysing the results. Thats where my problem starts.
> 
> I am using the timerang option to get results for e.g. 1 hour and 1
> second, but the is a strange behavior or better result when I execute
> the following command:
> 
> ra -t 2002/12/29.07:15:01 - 2002/12/29.07:16:01 -r argus.log
> 
> The Output doesn´t start at "07:15:01" but end correctly at "07:16:01".
> The results start somewhere near "07:14" and I am not able to get an
> exact range of one minute. The same happens when I try to get one
> second, the result contains more than one second.
> 
> Have I mussunderstood the usage of timerange? Or is it a bug?
> 
> Here is an example output:
> 
> ra -t 2002/12/29.07:15:15 - 2002/12/29.07:16:15 -r ra.log.5
> 
>     Start_Time     Duration  Flgs  Type     SrcAddr    Sport  Dir
> DstAddr    Dport  SrcPkt   Dstpkt    SrcBytes     DstBytes   State
> 02-12-29 07:14:15       59          arp    81.2.161.254     who-has
> 81.2.161.244       164      0         9840         0           INT
> 02-12-29 07:14:15       59          arp    81.2.161.254     who-has
> 81.2.161.69       106      0         6360         0
> ...
> 02-12-29 07:16:12        0          udp    81.2.131.188.52977 <->
> 81.2.139.58.53    1        1         82           177         ACC
> 02-12-29 07:16:14        0          udp    81.2.131.188.52977 <->
> 81.2.139.58.53    1        1         85           149         ACC
> 02-12-29 07:16:14        0          udp    81.2.131.188.52977 <->
> 81.2.139.58.53    1        1         107          171         ACC
> 02-12-29 07:16:14        0          udp    81.2.131.188.52977 <->
> 81.2.139.58.53    1        1         85           150         ACC
> 02-12-29 07:16:14        0          udp    81.2.131.188.52977 <->
> 81.2.139.58.53    1        1         82           177         ACC
> 02-12-29 07:16:14        0          udp    81.2.131.188.52977 <->
> 81.2.139.58.53    1        1         82           177         ACC
> 
> 
> Thank you in advice!
> 
> Regards
> 
> Ingo
> 
> 
>

More information about the argus mailing list