What does ramon (TopN mode) actually do?
Andrew Pollock
andrew-argus at andrew.net.au
Thu Jun 26 00:16:40 EDT 2003
Hi,
I'm still on my quest to get a per TCP/UDP protocol breakdown that matches
my total from a TopN.
I'm trying to emulate what a ramon -M TopN actually does by playing with
the data spat out of an ra() call.
If I go [1] "ramon -r argus.log -w - -M TopN - host 10.11.2.243 | racount"
I get a total for in and out.
If I go [2] "ra -r argus.log - host 10.11.2.243" and manually add up the
source bytes where the destination address is 10.11.2.243 and the dst
bytes where the source address is 10.11.2.243 I get a different figure for
a total in than from [1] (slightly lower).
If I go [3] "ra -r argus.log -w - - tcp or udp | ramon -r - -w - -M TopN
- host 10.11.2.243 | racount" I get a total that matches what I've
manually arrived at from [2].
So, how is [1] arriving at its total? I've been told previously that a TopN
implies a filter of "tcp or udp" along with whatever else I supply, but I
can't make it add up. :-(
Hope I'm making sense.
Andrew
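Below is an added example, not code from the original post and not part of argus itself, that re-implements the manual tally described in [2] on a few constructed records and lets you apply the "tcp or udp" restriction mentioned for [3] so the two totals can be compared side by side. The record layout (proto, src, dst, src bytes, dst bytes) is an assumption chosen for illustration and is not the real column order of `ra` output; the sample flows and the `host_totals` helper are likewise constructed here.

```python
# Added example: re-implement the per-host in/out byte tally from the post on
# constructed flow records. The five-column layout parsed below is an
# assumption for illustration, not the actual field order printed by `ra`;
# adapt parse_flows() to whatever columns your ra invocation emits.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    saddr: str
    daddr: str
    sbytes: int  # bytes sent by saddr
    dbytes: int  # bytes sent by daddr


# Constructed sample records (not real argus data). The last flow does not
# involve the host of interest and must be ignored by the tally.
SAMPLE = """
# proto  src            dst            sbytes  dbytes
tcp      10.11.2.243    192.0.2.10     1500    40000
udp      198.51.100.7   10.11.2.243    300     600
icmp     192.0.2.10     10.11.2.243    84      84
tcp      192.0.2.20     198.51.100.9   5000    5000
"""


def parse_flows(text):
    """Parse whitespace-separated flow records; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, saddr, daddr, sbytes, dbytes = line.split()
        flows.append(Flow(proto, saddr, daddr, int(sbytes), int(dbytes)))
    return flows


def host_totals(flows, host, protos=None):
    """Return (bytes_in, bytes_out) for host, using the rule from the post:

    bytes_in  = src bytes of flows whose destination is host
              + dst bytes of flows whose source is host
    bytes_out = the mirror image.

    If protos is given (e.g. {"tcp", "udp"}), flows of other protocols are
    skipped, which reproduces the "tcp or udp" pre-filter of [3].
    """
    total_in = total_out = 0
    for f in flows:
        if protos is not None and f.proto not in protos:
            continue
        if f.daddr == host:
            total_in += f.sbytes
            total_out += f.dbytes
        elif f.saddr == host:
            total_in += f.dbytes
            total_out += f.sbytes
    return total_in, total_out


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    host = "10.11.2.243"
    print("all protocols :", host_totals(flows, host))
    print("tcp or udp    :", host_totals(flows, host, {"tcp", "udp"}))
```

Running it on the constructed sample shows the kind of gap the post is chasing: the ICMP record changes both totals, so whether or not a "tcp or udp" filter is in effect is exactly the sort of thing to rule out when two tallies of the same file disagree by a small amount.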