Time range problems

Carter Bullard carter at qosient.com
Tue Oct 29 16:45:27 EST 2002 

Hey Gilson,
The time range filter will match any record where
its time range intersects the range given, so yes
one record can belong to any number of arbitrary time
ranges.  Your first record starts and stops on
arbitrary boundaries.

> 2002-10-29 16:21:10.460000       59.020000   tcp ...

spans 16:21:10.46 - 16:22:09.48.  So if you ask for
any records that match 16:21-16:22, this record definitely
belongs to that set, since 48 seconds of the record are
in this range.  It also matches the 16:22-16:23 set since
it has 9.48 seconds in this range.

What you need is a program that splits your records
into hard time boundaries that coincide with your
boundaries of interest, distributing the bytes and
packets accordingly.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com
 

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Gilson Soares
> Sent: Tuesday, October 29, 2002 4:00 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Time range problems
> 
> 
> Hello
> 
> I need to produce some statistics every 15 minutes. So I 
> decided to gather 
> thoses values using "-t" parameter (timerange).
> After some tests, I notice that some flows (long connections) 
> are being 
> repeated from one interval to another.
> 
> To assure about these problem (problem?), I recreated in a controlled 
> environment (except using an interval of 1 minute).
> 
> One Linux box (10.0.1.240) with argus  connecting to another 
> Linux box 
> (10.0.1.10) via ssh, executing "ping -c 210 127.0.0.1" (about 
> 210 seconds) 
> and exiting.
> 
> Linux box: Red Hat 7.2 with argus 2.0.5
> --- argus.conf ---
> ARGUS_DAEMON=no
> ARGUS_MAX_INSTANCES=1
> ARGUS_SET_PID=yes
> ARGUS_PID_FILENAME=/var/run/argus.pid
> ARGUS_MONITOR_ID=`hostname`
> ARGUS_ACCESS_PORT=561
> ARGUS_BIND_IP="127.0.0.1"
> ARGUS_INTERFACE=eth0
> ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
> ARGUS_GO_PROMISCUOUS=no
> ARGUS_FLOW_STATUS_INTERVAL=60
> ARGUS_MAR_STATUS_INTERVAL=60 ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
> ARGUS_GENERATE_JITTER_DATA=yes
> ARGUS_GENERATE_MAC_DATA=yes
> ARGUS_CAPTURE_DATA_LEN=0
> ARGUS_FILTER_OPTIMIZER=yes
> ARGUS_FILTER=""
> -------------------------------------------
> --- ra.conf ---
> RA_ARGUS_SERVER=localhost
> RA_ARGUS_SERVERPORT=561
> RA_USER_AUTH=""
> RA_AUTH_PASS=""
> RA_OUTPUT_FILE=""
> RA_TIMERANGE=""
> RA_RUN_TIME=0
> RA_FIELD_DELIMITER=''
> RA_PRINT_SUMMARY=no
> RA_PRINT_ARGUSID=no
> RA_PRINT_MACADDRS=no
> RA_PRINT_INDICATORS=no
> RA_PRINT_HOSTNAMES=no
> RA_PRINT_COUNTS=yes
> RA_PRINT_RESPONSE_DATA=no
> RA_PRINT_UNIX_TIME=no
> RA_TIME_FORMAT="%Y-%m-%d %T"
> RA_PRINT_STARTIME=yes
> RA_PRINT_LASTIME=no
> RA_PRINT_DURATION=yes
> RA_USEC_PRECISION=6
> RA_USERDATA_ENCODE=Ascii
> RA_DEBUG_LEVEL=0
> RA_FILTER=""
> RA_HOST_FIELD_LENGTH=28
> RA_PORT_FIELD_LENGTH=10
> -------------------------------------------
> 
> So, follow this executions:
> 
> $ ra -r /var/log/argus/argus.out - tcp and port 22
> 2002-10-29 
> 16:20:10.180000       59.280000   tcp       10.0.1.240.1587   -> 
> 10.0.1.10.22
> 2002-10-29 16:21:10.460000       59.020000   tcp ...
> 2002-10-29 16:22:10.480000       59.020000   tcp ...
> 2002-10-29 16:23:10.500000       31.070000   tcp ...
> 
> $ ragator -r /var/log/argus/argus.out - tcp and port 22
> 2002-10-29 16:20:10.180000      211.390000   tcp ...
> 
> The flow time is correct: 211.39. 210 seconds for ping plus 
> connection/disconnection time.
> 
> BUT if I ask using timerange parameter, look:
> 
> $ ra -t 2002/10/29.16:20:00-2002/10/29.16:20:59 ...
> 2002-10-29 16:20:10.180000       59.280000   tcp ...
> ### It's ok
> 
> $ ra -t 2002/10/29.16:21:00-2002/10/29.16:21:59 ...
> 2002-10-29 16:20:10.180000       59.280000   tcp ...
> 2002-10-29 16:21:10.460000       59.020000   tcp ...
> ### the first flow is repeated. It already appeared in timerange 
> 16:20:00-16:20:59
> 
> $ ra -t 2002/10/29.16:22:00-2002/10/29.16:22:59 ...
> 2002-10-29 16:21:10.460000       59.020000   tcp ...
> 2002-10-29 16:22:10.480000       59.020000   tcp ...
> ### the first flow is repeated. It already appeared in timerange 
> 16:21:00-16:21:59
> 
> $ ra -t 2002/10/29.16:23:00-2002/10/29.16:23:59
> 2002-10-29 16:22:10.480000       59.020000   tcp ...
> 2002-10-29 16:23:10.500000       31.070000   tcp ...
> ### the first flow is repeated. It already appeared in timerange 
> 16:22:00-16:22:59
> ### the last one it's ok.
> 
> $ ra -t 2002/10/29.16:24:00-2002/10/29.16:24:59
> <nothing>
> ### It's ok.
> 
> If I sum all durations from all time ranges, 385,71, it's 
> totally wrong 
> (correct 211.39). These differences also applies to SRCPKTS, DSTPKTS, 
> SRCBYTES and DSTBYTE (will be almost the double).
> 
> The same problem applies if the time range is higher (for 
> example 10 or 15 
> minutes).
> 
> Any ideas ?
> Do I missed something ?
> 
> -Gilson 
> 
>

More information about the argus mailing list