Me and my usual questions

[Andrew Pollock]

Hi Carter,

to summarise, I've got the following:

[1] ramon -w - -M TopN -r 2003-05-03 - host 10.11.2.243 | racount
[2] ragator -w - -r 2003-05-03 - \(tcp or udp\) and host 10.11.2.243 | 
ragator -f /usr/local/etc/dport.conf -w - | rasort -M bytes -w - | ra -s 
dport pkts bytes

[3] ra -r 2003-05-03 -w - - host 10.11.2.243 | ramon -M Svc -r -

I have been using [1] to arrive at my totals

I'm now trying to break down the total arrived at by [1], and I've tried 
[2] and [3]

If I add up the output of [2] or [3], it doesn't match the output of [1]
Even when I add both directions together, I come up with a total that's 
slightly less than the total bytes in [1]. It happens that the totals from 
the output of [2] and [3] match exactly.

If I play with [2] and add "src host blah" or "dst host blah" to the 
filter, I obviously get different results. I'm not sure what I was 
supposed to figure out from doing that.

Andrew

On Fri, Jun 06, 2003 at 08:59:59AM -0400, Carter Bullard wrote:
> Hey Andrew,
>   But the totals are the same?  This is probably due to
> the way that src and dst are assigned in the various
> tools.  The ramon tools are answering the unique
> question, "what metrics apply to this interface", which
> has a different concept of source and destination than
> what a flow represents.
> 
>    With the "ragator | ragator | rasort | ra" you still
> have the concept that the source is the first sender.  So
> when conversations are originated from an external
> network to your host, the packets they send will be counted
> in the same counter as the packets sent by your host when 
> it initiates the conversation.  Seems confusing, but the
> differentiation allows for very powerful accountability.
> 
>    In order to validate this, run your "rag | rag | ras | ra"
> twice, one with filter, "and src host 10.11.2.243" and then
> again with "and dst host 10.11.2.243" and see how these
> counters compare.  You should find out if this is where
> the discrepancies lie.
> 
> Carter
> 
> 
>    I 
> 
> > -----Original Message-----
> > From: Andrew Pollock [mailto:andrew-argus at andrew.net.au] 
> > Sent: Friday, June 06, 2003 5:02 AM
> > To: Carter Bullard
> > Subject: Re: Me and my usual questions
> > 
> > 
> > On Thu, Jun 05, 2003 at 11:21:30AM -0400, Carter Bullard wrote:
> > > Hey Andrew,
> > >    So how do they differ?  are the totals the same
> > > but the src and dst counters mixed, or is one low?
> > > They should all count the same total pkts and bytes.
> > 
> > Carter,
> > 
> > I think the inbound was a bit higher and the outbound a bit 
> > lower (using 
> > ragator compared to ramon).
> > 
> > Andrew
> > 
>