Time range problems

Gilson Soares g.soares at datacraft.com.br
Tue Oct 29 15:59:39 EST 2002 

Hello

I need to produce some statistics every 15 minutes. So I decided to gather 
thoses values using "-t" parameter (timerange).
After some tests, I notice that some flows (long connections) are being 
repeated from one interval to another.

To assure about these problem (problem?), I recreated in a controlled 
environment (except using an interval of 1 minute).

One Linux box (10.0.1.240) with argus  connecting to another Linux box 
(10.0.1.10) via ssh, executing "ping -c 210 127.0.0.1" (about 210 seconds) 
and exiting.

Linux box: Red Hat 7.2 with argus 2.0.5
--- argus.conf ---
ARGUS_DAEMON=no
ARGUS_MAX_INSTANCES=1
ARGUS_SET_PID=yes
ARGUS_PID_FILENAME=/var/run/argus.pid
ARGUS_MONITOR_ID=`hostname`
ARGUS_ACCESS_PORT=561
ARGUS_BIND_IP="127.0.0.1"
ARGUS_INTERFACE=eth0
ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
ARGUS_GO_PROMISCUOUS=no
ARGUS_FLOW_STATUS_INTERVAL=60
ARGUS_MAR_STATUS_INTERVAL=60
ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
ARGUS_GENERATE_JITTER_DATA=yes
ARGUS_GENERATE_MAC_DATA=yes
ARGUS_CAPTURE_DATA_LEN=0
ARGUS_FILTER_OPTIMIZER=yes
ARGUS_FILTER=""
-------------------------------------------
--- ra.conf ---
RA_ARGUS_SERVER=localhost
RA_ARGUS_SERVERPORT=561
RA_USER_AUTH=""
RA_AUTH_PASS=""
RA_OUTPUT_FILE=""
RA_TIMERANGE=""
RA_RUN_TIME=0
RA_FIELD_DELIMITER=''
RA_PRINT_SUMMARY=no
RA_PRINT_ARGUSID=no
RA_PRINT_MACADDRS=no
RA_PRINT_INDICATORS=no
RA_PRINT_HOSTNAMES=no
RA_PRINT_COUNTS=yes
RA_PRINT_RESPONSE_DATA=no
RA_PRINT_UNIX_TIME=no
RA_TIME_FORMAT="%Y-%m-%d %T"
RA_PRINT_STARTIME=yes
RA_PRINT_LASTIME=no
RA_PRINT_DURATION=yes
RA_USEC_PRECISION=6
RA_USERDATA_ENCODE=Ascii
RA_DEBUG_LEVEL=0
RA_FILTER=""
RA_HOST_FIELD_LENGTH=28
RA_PORT_FIELD_LENGTH=10
-------------------------------------------

So, follow this executions:

$ ra -r /var/log/argus/argus.out - tcp and port 22
2002-10-29 
16:20:10.180000       59.280000   tcp       10.0.1.240.1587   -> 
10.0.1.10.22
2002-10-29 16:21:10.460000       59.020000   tcp ...
2002-10-29 16:22:10.480000       59.020000   tcp ...
2002-10-29 16:23:10.500000       31.070000   tcp ...

$ ragator -r /var/log/argus/argus.out - tcp and port 22
2002-10-29 16:20:10.180000      211.390000   tcp ...

The flow time is correct: 211.39. 210 seconds for ping plus 
connection/disconnection time.

BUT if I ask using timerange parameter, look:

$ ra -t 2002/10/29.16:20:00-2002/10/29.16:20:59 ...
2002-10-29 16:20:10.180000       59.280000   tcp ...
### It's ok

$ ra -t 2002/10/29.16:21:00-2002/10/29.16:21:59 ...
2002-10-29 16:20:10.180000       59.280000   tcp ...
2002-10-29 16:21:10.460000       59.020000   tcp ...
### the first flow is repeated. It already appeared in timerange 
16:20:00-16:20:59

$ ra -t 2002/10/29.16:22:00-2002/10/29.16:22:59 ...
2002-10-29 16:21:10.460000       59.020000   tcp ...
2002-10-29 16:22:10.480000       59.020000   tcp ...
### the first flow is repeated. It already appeared in timerange 
16:21:00-16:21:59

$ ra -t 2002/10/29.16:23:00-2002/10/29.16:23:59
2002-10-29 16:22:10.480000       59.020000   tcp ...
2002-10-29 16:23:10.500000       31.070000   tcp ...
### the first flow is repeated. It already appeared in timerange 
16:22:00-16:22:59
### the last one it's ok.

$ ra -t 2002/10/29.16:24:00-2002/10/29.16:24:59
<nothing>
### It's ok.

If I sum all durations from all time ranges, 385,71, it's totally wrong 
(correct 211.39). These differences also applies to SRCPKTS, DSTPKTS, 
SRCBYTES and DSTBYTE (will be almost the double).

The same problem applies if the time range is higher (for example 10 or 15 
minutes).

Any ideas ?
Do I missed something ?

-Gilson

More information about the argus mailing list