packet size descrepency

Carter Bullard carter at qosient.com
Sun Nov 10 08:16:41 EST 2002 

Hey Andrew,
   Depending on where you get the counters, i.e. RMON
MIB, etc..., you should get total bytes on the wire,
which is what Argus is doing.

   You said you got markedly different numbers
between argus and the switch?  How did you generate
the numbers for comparison?

Carter
 

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Andrew Pollock
> Sent: Sunday, November 10, 2002 6:12 AM
> To: Carter Bullard
> Cc: 'Matthew Melvin'; argus-info at lists.andrew.cmu.edu
> Subject: Re: packet size descrepency
> 
> 
> On Sat, Nov 09, 2002 at 09:39:06AM -0500, Carter Bullard wrote:
> > Hey Matthew,
> >    Your absolutely correct, in that argus counts total
> > bytes seen, regardless of the ARGUS_GENERATE_MAC_DATA 
> variable.  Seems 
> > like this is the right behavior, so that argus generates consistent 
> > data.
> > 
> >    Do you consider this a discrepancy?  We could
> > change the name of the variable to ARGUS_INCLUDE_MAC_DATA?
> 
> Do you know offhand what switches tend to count? We swapped 
> from switch 
> interface accounting to using Argus, and got markedly 
> different results. 
> This could possibly explain why.
> 
> > > -----Original Message-----
> > > From: owner-argus-info at lists.andrew.cmu.edu
> > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> > > Matthew Melvin
> > > Sent: Saturday, November 09, 2002 7:50 AM
> > > To: argus-info at lists.andrew.cmu.edu
> > > Subject: packet size descrepency
> > > 
> > > 
> > > 
> > > I've been tinkering with argus over the last couple of days
> > > for using argus
> > > for traffic accounting.  To try and check myself and make 
> > > sure I'm getting
> > > sane numbers I've been comparing racount's view or things 
> > > with ipchains view
> > > of things.  It seems as if for every packet counted argus see 
> > > 14 extra bytes
> > > that ipchains doesn't.  That would seem consistant with argus 
> > > including the
> > > src and dst mac's and length/type fields from the ethernet 
> > > packet in its
> > > total byte count.  Does that mean that 
> > > 'ARGUS_GENERATE_MAC_DATA=no' only
> > > turns off the recording of MAC information not the counting 
> > > of it.  Or am I
> > > completly on the wrong track?
> > > 
> > > M.
> > > 
> > > --
> > > :wq
> > > 
> > > 
> > > 
> > 
>

More information about the argus mailing list