ragator

Carter Bullard carter at qosient.com
Wed Apr 2 08:43:19 EST 2003 

Hey Andrew,
   ragator() can correct argus's determination of
direction if needed, and so you'll get some shifting
of source and destination semantics.  The total is
the key to assuring that ragator() isn't throwing
something away.

   As an example, if you have a telnet connection
from A -> B, and you go to lunch, argus will drop
the connection from its cache.  When you come back
and type a character, the connection, from argus's
perspective, will be a new connection, but without
the SYN <-> SYNACK exchange it won't know what the
actual direction is.  So, in this case, it is
possible for a single flow to have multiple records
with the flow identifiers flipping from record
to record.

   Ragator corrects this problem by identifying the
condition and normalizing the data.

Carter





> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Andrew Pollock
> Sent: Wednesday, April 02, 2003 12:17 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: ragator
> 
> 
> Carter,
> 
> My understanding of ragator when used without a flowfile is 
> that it'll 
> just aggregate multiple records for the same flow into one, 
> where it can.
> 
> Is this correct?
> 
> I was looking at a month's worth of logs for a client today, and with 
> racount, it said:
> 
> racount    records       total_pkts         src_pkts         
> dst_pkts      
> total_bytes        src_bytes        dst_bytes
>     sum    4339943        430446602        284435604        
> 146010998     
> 118126342743      53028657986      65097684757
> 
> When I ran it through ragator first, I got:
> 
> racount    records       total_pkts         src_pkts         
> dst_pkts      
> total_bytes        src_bytes        dst_bytes
>     sum    3959765        430446602        284418909        
> 146027693     
> 118126342743      53003592942      65122749801
> 
> (Sorry for the formatting).
> 
> The aggregated record count was lower, which is what I 
> expected, however 
> the packet and byte counts no longer matched, which I didn't expect.
> 
> The total packets and total bytes still match, but not the 
> src and dst 
> counts.
> 
> What gives?
> 
> Andrew
>

More information about the argus mailing list