Me and my usual questions

[Carter Bullard]

Andrew,
   Svc only counts udp and tcp traffic, as you have
to have a port to do the svc counting.  Try your ramon
calls with the "tcp or udp" filter to verify.

Carter


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Andrew Pollock
> Sent: Wednesday, June 04, 2003 9:40 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Me and my usual questions
> 
> 
> Hi,
> 
> I'm the never ending purgatory that is my life, I'm trying to 
> make Argus 
> produce consistently sensible data, and as usual, failing miserably.
> 
> I'm going to go back to square one:
> 
> We have a network topology like this:
> 
>               LB        LB
>                |         |
>             +--------------+
>             |              |
> Argus ------| Switch       |
>             |              |
>             +--------------+
>              | | | | | | | 
>              |     |   |
>            Client  | Client  
>                Client
> 
> We have a switch, to which two load balancers are attached (one being 
> active at any point in time) and we have our clients connected to the 
> switch as well. Argus is running on a server plugged into a 
> port on the 
> switch that spans the two ports that the load balancers are 
> plugged into.
> 
> Each client has a /24 of their own, with the exception of a couple of 
> clients that have a single /32
> 
> Today's focus is one of the clients that have just a /32
> 
> The way I've been determining how much data has been 
> sent/received to/from 
> such a client is:
> 
> ramon -w - -M TopN -r argus.log - host 10.11.2.243 | racount
> 
> or for one with a /24
> 
> ramon -w - -M TopN -M net/24 -r argus.log - net 10.99.9/24 | racount
> 
> (hopefully I've got this much correct)
> 
> I'm now trying to determine a protocol breakdown of that 
> total and this is
> where I can't get the sum of the protocol breakdown to agree with the
> output of the above ramon calls.
> 
> Both the sum of the output of:
> 
> ragator -w - -r argus.log - tcp or udp and host 10.11.2.243 | 
> ragator -f
> /usr/local/etc/dport.conf -w - | rasort -M bytes -w - | ra -s 
> dport pkts
> bytes
> 
> and
> 
> ra -r argus.log -w - - host 10.11.2.243 | ramon -M Svc -r -
> 
> agree with each other, however they're a bit out (in both 
> directions) with 
> the output of the top ramon call.
> 
> dport.conf in the above ragator call contains:
> 
> Flow    100 ip  *       *       *       *       *       200   
>   0       0
> Model   200 ip  0.0.0.0         0.0.0.0         yes     no      yes
> 
> I just want to get this to a set and forget point, rather 
> than every month
> having to spend days fiddling around with various Argus 
> client calls and
> wading through a good 36Gb of logs. I'm after a total per 
> network for a 
> month's worth of Argus logs and the ability to break that 
> total down per 
> protocol on an ad hoc request basis.
> 
> Andrew
>