Me and my usual questions

[Carter Bullard]

Hey Andrew,
   So how do they differ?  are the totals the same
but the src and dst counters mixed, or is one low?
They should all count the same total pkts and bytes.

Carter



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Andrew Pollock
> Sent: Wednesday, June 04, 2003 9:40 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Me and my usual questions
> 
> 
> Hi,
> 
> I'm the never ending purgatory that is my life, I'm trying to 
> make Argus 
> produce consistently sensible data, and as usual, failing miserably.
> 
> I'm going to go back to square one:
> 
> We have a network topology like this:
> 
>               LB        LB
>                |         |
>             +--------------+
>             |              |
> Argus ------| Switch       |
>             |              |
>             +--------------+
>              | | | | | | | 
>              |     |   |
>            Client  | Client  
>                Client
> 
> We have a switch, to which two load balancers are attached (one being 
> active at any point in time) and we have our clients connected to the 
> switch as well. Argus is running on a server plugged into a 
> port on the 
> switch that spans the two ports that the load balancers are 
> plugged into.
> 
> Each client has a /24 of their own, with the exception of a couple of 
> clients that have a single /32
> 
> Today's focus is one of the clients that have just a /32
> 
> The way I've been determining how much data has been 
> sent/received to/from 
> such a client is:
> 
> ramon -w - -M TopN -r argus.log - host 10.11.2.243 | racount
> 
> or for one with a /24
> 
> ramon -w - -M TopN -M net/24 -r argus.log - net 10.99.9/24 | racount
> 
> (hopefully I've got this much correct)
> 
> I'm now trying to determine a protocol breakdown of that 
> total and this is
> where I can't get the sum of the protocol breakdown to agree with the
> output of the above ramon calls.
> 
> Both the sum of the output of:
> 
> ragator -w - -r argus.log - tcp or udp and host 10.11.2.243 | 
> ragator -f
> /usr/local/etc/dport.conf -w - | rasort -M bytes -w - | ra -s 
> dport pkts
> bytes
> 
> and
> 
> ra -r argus.log -w - - host 10.11.2.243 | ramon -M Svc -r -
> 
> agree with each other, however they're a bit out (in both 
> directions) with 
> the output of the top ramon call.
> 
> dport.conf in the above ragator call contains:
> 
> Flow    100 ip  *       *       *       *       *       200   
>   0       0
> Model   200 ip  0.0.0.0         0.0.0.0         yes     no      yes
> 
> I just want to get this to a set and forget point, rather 
> than every month
> having to spend days fiddling around with various Argus 
> client calls and
> wading through a good 36Gb of logs. I'm after a total per 
> network for a 
> month's worth of Argus logs and the ability to break that 
> total down per 
> protocol on an ad hoc request basis.
> 
> Andrew
>