What does ramon (TopN mode) actually do?

Carter Bullard carter at qosient.com
Tue Jul 1 11:38:41 EDT 2003


Hey Andrew,
   It's easy to get the data to agree, it's just you
have to make sure that you know what you're asking for
so you can get the filtering right.  But I think that
there is still some confusion.  While ramon() does
generate valid argus output, you can't take the output
of a Svc run and then process it to get a TopN report,
as the models are not compatible.  The keys that each
are using to do the aggregation are not comparable from
a relational algebraic perspective.  It's like trying
to count the number of tennis shoes from a set of data
that reference only the color of pants in a group.

   If you want ramon() to provide you with an interface
oriented breakdown by protocol for each address, we
can add that to ramon() without any trouble.  Just need
to come up with a name for the mode and I'll whip it up in
an hour or so.

Carter

Carter Bullard
QoSient, LLC
150 E. 57th Street Ste 12D
New York, New York 10022-2795

+1 212 588-9133 Phone
+1 212 588-9134 Fax


> -----Original Message-----
> From: Andrew Pollock [mailto:andrew-argus at andrew.net.au] 
> Sent: Monday, June 30, 2003 9:27 PM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: What does ramon (TopN mode) actually do?
> 
> 
> Carter,
> 
> I think you've helped demystify things a bit for me. Thanks very much.
> 
> One question:
> 
> On Thu, Jun 26, 2003 at 11:31:32AM -0400, Carter Bullard wrote:
> > 
> > The total_pkts and total_bytes should agree, but not
> > the src and dst counters.  That is because "ramon -M topn"
> > redefines the source and destination relative to the address,
> > which is similar to an interface counter.  With
> > "ramon -M svc", the source and destination are defined
> > relative to the service, so there is no modification from
> > the original argus data.  Comparing TopN data with Svc data
> > from the perspective of source and destination is definitely
> > an apple/orange comparison.
> 
> So are you saying that it's impossible (i.e. it's mutually exclusive) to
> take a total from the "similar to an interface counter" (-M TopN) mode and
> break that total down by protocol (-M Svc/big call to ragator/however) and
> actually have it agree with the TopN total?
> 
> :-(
> 
> Andrew
> 
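
The key mismatch discussed in this thread, as an added example that is not part of the original messages and is not Argus or ramon code: a simplified model that aggregates the same constructed flow records once per address and once per service. The record fields, the function names and the convention that "src" means packets sent by the address are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed flow records (not real Argus output). "src" initiated the flow,
# "dst" is the service side; packet counts are per direction.
FLOWS = [
    {"src": "10.0.0.1", "dst": "10.0.0.9", "svc": "http", "src_pkts": 10, "dst_pkts": 40},
    {"src": "10.0.0.2", "dst": "10.0.0.1", "svc": "ssh", "src_pkts": 5, "dst_pkts": 7},
    {"src": "10.0.0.1", "dst": "10.0.0.9", "svc": "dns", "src_pkts": 2, "dst_pkts": 2},
]


def _counters():
    return defaultdict(lambda: {"src_pkts": 0, "dst_pkts": 0})


def by_address(flows):
    """TopN-like model: key is the address, and src/dst are redefined relative
    to it (src = sent by the address, dst = received), like an interface counter."""
    out = _counters()
    for f in flows:
        out[f["src"]]["src_pkts"] += f["src_pkts"]
        out[f["src"]]["dst_pkts"] += f["dst_pkts"]
        out[f["dst"]]["src_pkts"] += f["dst_pkts"]  # the responder sent these
        out[f["dst"]]["dst_pkts"] += f["src_pkts"]  # and received these
    return dict(out)


def by_service(flows, host=None):
    """Svc-like model: key is the service, src/dst stay as in the flow record.
    The optional host filter plays the role of filtering before aggregation."""
    out = _counters()
    for f in flows:
        if host is None or host in (f["src"], f["dst"]):
            out[f["svc"]]["src_pkts"] += f["src_pkts"]
            out[f["svc"]]["dst_pkts"] += f["dst_pkts"]
    return dict(out)  # no address field survives, so it cannot be re-keyed by address


def totals(rows):
    """Sum (src_pkts, dst_pkts) over a set of aggregated rows."""
    return (sum(r["src_pkts"] for r in rows.values()),
            sum(r["dst_pkts"] for r in rows.values()))


if __name__ == "__main__":
    host = "10.0.0.1"
    print("address view:", by_address(FLOWS)[host])
    print("service view:", by_service(FLOWS, host=host))
```

For 10.0.0.1 the two views give the same packet total, but the src/dst split differs because the ssh flow was initiated by the other end.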




