Strange timerange behavior

Carter Bullard carter at qosient.com
Mon Dec 30 11:10:02 EST 2002 

Hey Ingo,
   Mark is right!  The problem is that a single argus record
can span a variable length of time, from uSecs to hours, which
doesn't have to correspond to any range that can be specified
in the command line time filter.  So, we chose a strategy
where you get all records that have activity during the time
range specified.  This includes records that start prior to
the range and end either during or after the range, start
during and end either during or after the time range in the
filter.  Basically, as Mark said, anything whose start and
end times intersect with the time range specified.

   Using raxml() to view the start and last times of the
argus records that are selected using the time range filter
should help you to see how this works.

Carter



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Ingo Theiss
> Sent: Sunday, December 29, 2002 4:56 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Strange timerange behavior
> 
> 
> Hello erverybody,
> 
> I am quite new to argus but quickly warming up to that great 
> project. I´ve got argus working and collecting data on my 
> system for about two days and started analysing the results. 
> Thats where my problem starts.
> 
> I am using the timerang option to get results for e.g. 1 hour 
> and 1 second, but the is a strange behavior or better result 
> when I execute the following command:
> 
> ra -t 2002/12/29.07:15:01 - 2002/12/29.07:16:01 -r argus.log
> 
> The Output doesn´t start at "07:15:01" but end correctly at 
> "07:16:01". The results start somewhere near "07:14" and I am 
> not able to get an exact range of one minute. The same 
> happens when I try to get one second, the result contains 
> more than one second.
> 
> Have I mussunderstood the usage of timerange? Or is it a bug?
> 
> Here is an example output:
> 
> ra -t 2002/12/29.07:15:15 - 2002/12/29.07:16:15 -r ra.log.5 
>  
>     Start_Time     Duration  Flgs  Type     SrcAddr    Sport  Dir
> DstAddr    Dport  SrcPkt   Dstpkt    SrcBytes     DstBytes   State
> 02-12-29 07:14:15       59          arp    81.2.161.254     who-has
> 81.2.161.244       164      0         9840         0           INT
> 02-12-29 07:14:15       59          arp    81.2.161.254     who-has
> 81.2.161.69       106      0         6360         0  
> ...
> 02-12-29 07:16:12        0          udp    81.2.131.188.52977 <->
> 81.2.139.58.53    1        1         82           177         ACC
> 02-12-29 07:16:14        0          udp    81.2.131.188.52977 <->
> 81.2.139.58.53    1        1         85           149         ACC
> 02-12-29 07:16:14        0          udp    81.2.131.188.52977 <->
> 81.2.139.58.53    1        1         107          171         ACC
> 02-12-29 07:16:14        0          udp    81.2.131.188.52977 <->
> 81.2.139.58.53    1        1         85           150         ACC
> 02-12-29 07:16:14        0          udp    81.2.131.188.52977 <->
> 81.2.139.58.53    1        1         82           177         ACC
> 02-12-29 07:16:14        0          udp    81.2.131.188.52977 <->
> 81.2.139.58.53    1        1         82           177         ACC
> 
> 
> Thank you in advice!
> 
> Regards 
> 
> Ingo
> 
> 
> 
>

More information about the argus mailing list