Me and my usual questions
Carter Bullard
carter at qosient.com
Fri Jun 6 08:59:59 EDT 2003
Hey Andrew,
But the totals are the same? This is probably due to
the way that src and dst are assigned in the various
tools. The ramon tools are answering the unique
question, "what metrics apply to this interface", which
has a different concept of source and destination than
what a flow represents.
With the "ragator | ragator | rasort | ra" you still
have the concept that the source is the first sender. So
when conversations are originated from an external
network to your host, the packets they send will be counted
in the same counter as the packets sent by your host when
it initiates the conversation. Seems confusing, but the
differentiation allows for very powerful accountability.
In order to validate this, run your "rag | rag | ras | ra"
twice, one with filter, "and src host 10.11.2.243" and then
again with "and dst host 10.11.2.243" and see how these
counters compare. You should find out if this is where
the discrepancies lie.
Carter
I
> -----Original Message-----
> From: Andrew Pollock [mailto:andrew-argus at andrew.net.au]
> Sent: Friday, June 06, 2003 5:02 AM
> To: Carter Bullard
> Subject: Re: Me and my usual questions
>
>
> On Thu, Jun 05, 2003 at 11:21:30AM -0400, Carter Bullard wrote:
> > Hey Andrew,
> > So how do they differ? are the totals the same
> > but the src and dst counters mixed, or is one low?
> > They should all count the same total pkts and bytes.
>
> Carter,
>
> I think the inbound was a bit higher and the outbound a bit
> lower (using
> ragator compared to ramon).
>
> Andrew
>
More information about the argus
mailing list