packet size descrepency

[Carter Bullard]

Hey Andrew,
   Just a note.  Argus data and RMON data are quite
different.  One is flow data, and the other is interface
data.  Flow data represents the metrics between two IP
addrs, interface data are in and out stats at an arbitrary
point along a path.  Completely different semantics.
As a result, be sure when comparing RMON data (interface data)
that you use tools like ramon() to generate the counters.

   When you get to the point of generating the comparisons,
if you have any problems, just send mail.

Hope all is well,

Carter


> -----Original Message-----
> From: Andrew Pollock [mailto:andrew at andrew.net.au] 
> Sent: Sunday, November 10, 2002 6:39 PM
> To: Carter Bullard
> Cc: 'Andrew Pollock'; 'Matthew Melvin'; 
> argus-info at lists.andrew.cmu.edu
> Subject: Re: packet size descrepency
> 
> 
> On Sun, Nov 10, 2002 at 08:16:41AM -0500, Carter Bullard wrote:
> > Hey Andrew,
> >    Depending on where you get the counters, i.e. RMON
> > MIB, etc..., you should get total bytes on the wire,
> > which is what Argus is doing.
> > 
> >    You said you got markedly different numbers
> > between argus and the switch?  How did you generate
> > the numbers for comparison?
> 
> We were using a product called TraffAcct, which basically does SNMP
> polling of SNMP capable devices and stores the deltas on the 
> interfaces
> counters from the last time it was run. I did have some 
> confidence issues
> with the regularity it was running, so I don't overly trust 
> it. I've fixed
> it up a bit, so by the end of this month I should be able to compare a
> full month of Argus data against a full month of TraffAcct data.
>  
> > Carter
> >  
> > 
> > > -----Original Message-----
> > > From: owner-argus-info at lists.andrew.cmu.edu 
> > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> > > Andrew Pollock
> > > Sent: Sunday, November 10, 2002 6:12 AM
> > > To: Carter Bullard
> > > Cc: 'Matthew Melvin'; argus-info at lists.andrew.cmu.edu
> > > Subject: Re: packet size descrepency
> > > 
> > > 
> > > On Sat, Nov 09, 2002 at 09:39:06AM -0500, Carter Bullard wrote:
> > > > Hey Matthew,
> > > >    Your absolutely correct, in that argus counts total
> > > > bytes seen, regardless of the ARGUS_GENERATE_MAC_DATA 
> > > variable.  Seems 
> > > > like this is the right behavior, so that argus 
> generates consistent 
> > > > data.
> > > > 
> > > >    Do you consider this a discrepancy?  We could
> > > > change the name of the variable to ARGUS_INCLUDE_MAC_DATA?
> > > 
> > > Do you know offhand what switches tend to count? We swapped 
> > > from switch 
> > > interface accounting to using Argus, and got markedly 
> > > different results. 
> > > This could possibly explain why.
> > > 
> > > > > -----Original Message-----
> > > > > From: owner-argus-info at lists.andrew.cmu.edu
> > > > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> > > > > Matthew Melvin
> > > > > Sent: Saturday, November 09, 2002 7:50 AM
> > > > > To: argus-info at lists.andrew.cmu.edu
> > > > > Subject: packet size descrepency
> > > > > 
> > > > > 
> > > > > 
> > > > > I've been tinkering with argus over the last couple of days
> > > > > for using argus
> > > > > for traffic accounting.  To try and check myself and make 
> > > > > sure I'm getting
> > > > > sane numbers I've been comparing racount's view or things 
> > > > > with ipchains view
> > > > > of things.  It seems as if for every packet counted argus see 
> > > > > 14 extra bytes
> > > > > that ipchains doesn't.  That would seem consistant with argus 
> > > > > including the
> > > > > src and dst mac's and length/type fields from the ethernet 
> > > > > packet in its
> > > > > total byte count.  Does that mean that 
> > > > > 'ARGUS_GENERATE_MAC_DATA=no' only
> > > > > turns off the recording of MAC information not the counting 
> > > > > of it.  Or am I
> > > > > completly on the wrong track?
> > > > > 
> > > > > M.
> > > > > 
> > > > > --
> > > > > :wq
> > > > > 
> > > > > 
> > > > > 
> > > > 
> > > 
> > 
>