packet size discrepancy
Andrew Pollock
andrew-argus at andrew.net.au
Sun Nov 10 06:11:30 EST 2002
On Sat, Nov 09, 2002 at 09:39:06AM -0500, Carter Bullard wrote:
> Hey Matthew,
> You're absolutely correct, in that argus counts total
> bytes seen, regardless of the ARGUS_GENERATE_MAC_DATA
> variable. Seems like this is the right behavior, so
> that argus generates consistent data.
>
> Do you consider this a discrepancy? We could
> change the name of the variable to ARGUS_INCLUDE_MAC_DATA?
Do you know offhand what switches tend to count? We swapped from switch
interface accounting to using Argus, and got markedly different results.
This could possibly explain why.
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> > Matthew Melvin
> > Sent: Saturday, November 09, 2002 7:50 AM
> > To: argus-info at lists.andrew.cmu.edu
> > Subject: packet size descrepency
> >
> >
> >
> > I've been tinkering with argus over the last couple of days for using
> > argus for traffic accounting. To try and check myself and make sure I'm
> > getting sane numbers I've been comparing racount's view of things with
> > ipchains' view of things. It seems as if for every packet counted argus
> > sees 14 extra bytes that ipchains doesn't. That would seem consistent
> > with argus including the src and dst mac's and length/type fields from
> > the ethernet packet in its total byte count. Does that mean that
> > 'ARGUS_GENERATE_MAC_DATA=no' only turns off the recording of MAC
> > information, not the counting of it? Or am I completely on the wrong
> > track?
> >
> > M.
> >
> > --
> > :wq
> >
> >
> >
>
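
The 14 bytes per packet discussed in this thread match the Ethernet header: two 6-byte MAC addresses plus the 2-byte length/type field. The Python below is an added example, not code from Argus or from any poster; it assumes a link-layer counter counts the whole captured frame and an IP-layer counter counts the IPv4 total-length field, and it goes slightly beyond the thread by also covering 802.1Q-tagged and padded frames, where the gap exceeds 14. All frames and addresses are constructed.

```python
import struct

ETH_HLEN = 14            # dst MAC (6) + src MAC (6) + length/type (2)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag adds 4 more bytes

def build_frame(ip_payload_len, vlan=False, pad_to=0):
    """Constructed Ethernet II frame carrying a minimal IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ip_payload_len, 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
    if vlan:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, 10)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    frame = eth + ip + b"\x00" * ip_payload_len
    return frame.ljust(pad_to, b"\x00")  # pad_to=0 leaves it unchanged

def byte_counts(frame):
    """Return (link_bytes, ip_bytes) for an IPv4 frame, else None."""
    if len(frame) < ETH_HLEN:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = ETH_HLEN
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < offset + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    (ip_total_len,) = struct.unpack_from("!H", frame, offset + 2)
    return len(frame), ip_total_len

def reconcile(frames):
    """Sum both views and report the average per-packet gap."""
    link = ip = pkts = 0
    for frame in frames:
        counts = byte_counts(frame)
        if counts is None:
            continue  # non-IPv4 or truncated: neither counter compared
        link, ip, pkts = link + counts[0], ip + counts[1], pkts + 1
    gap = (link - ip) / pkts if pkts else 0.0
    return {"packets": pkts, "link_bytes": link, "ip_bytes": ip,
            "overhead_per_packet": gap}

if __name__ == "__main__":
    plain = [build_frame(100), build_frame(1000), build_frame(500)]
    print("untagged:", reconcile(plain))
    print("802.1Q:  ", reconcile([build_frame(100, vlan=True)]))
    print("padded:  ", reconcile([build_frame(8, pad_to=60)]))
```

A per-packet gap that is a steady 14 points to the Ethernet header alone; a larger or varying gap suggests VLAN tags or padding on short frames in the link-layer view.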