What does ramon (TopN mode) actually do?
Carter Bullard
carter at qosient.com
Thu Jun 26 01:14:44 EDT 2003
Hey Andrew,
'TopN' does not imply 'tcp or udp'. The
'TopN' mode of ramon() tracks metrics based
on IP address. As a result it will count all
traffic that involves IP addresses, udp, tcp,
icmp, igmp, gre, esp, multicast, ..., and
arp traffic, since it also contains IP
addresses.
It's the 'Svc' (services) mode of ramon()
that tracks metrics based on dst port, and as a
result, 'Svc' is the mode that implies 'tcp or udp',
since these are the only protocols that actually
have ports. I believe this is where the confusion
comes in.
In order for TopN to count select traffic, you
have to filter the input to "ramon -M TopN" so
that it only processes the traffic of interest.
Because ramon() modifies the records so much,
you can't use a filter like "tcp or udp" on the
ramon() command-line. This is because ramon()
applies the command-line filter to the input and
the output. To get a better idea, try this:
ramon -M topn -r file -w - | ra
you'll see that the output records only have
the source address field intact and the protocol
is ip. So a filter like 'host x.y.z.w' works,
but a filter like 'dst host x.y.z.w' will not,
since there is no dst host information in the
output record.
If you ran this:
ramon -M svc -r file -w - | ra
you'd see no address information but you'd
see that protocol and dst port information is the
only information left in the flow key of the record.
So filters like "tcp" work, but filters like
"host x.y.z.w and tcp" won't.
If you ran this:
ramon -M matrix -r file -w - | ra
you'd see that the address information for both
the source and destination are intact, but no other
flow information is retained.
The workaround for the filter problem is to use
ra() to filter the records and pipe them into
'ramon -M TopN'.
I hope that this is helping to clear it up a bit more.
Please don't hesitate to send mail if there are still
questions!!!!
Carter
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Andrew Pollock
> Sent: Thursday, June 26, 2003 12:17 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: What does ramon (TopN mode) actually do?
>
>
> Hi,
>
> I'm still on my quest to get a per TCP/UDP protocol breakdown
> that matches
> my total from a TopN.
>
> I'm trying to emulate what a ramon -M TopN actually does by
> playing with
> the data spat out of an ra() call.
>
> If I go [1] "ramon -r argus.log -w - -M TopN - host
> 10.11.2.243 | racount"
> I get a total for in and out.
>
> If I go [2] "ra -r argus.log - host 10.11.2.243" and manually
> add up the
> source bytes where the destination address is 10.11.2.243 and the dst
> bytes where the source address is 10.11.2.243 I get a
> different figure for
> a total in than from [1] (slightly lower).
>
> If I go [3] "ra -r argus.log -w - - tcp or udp | ramon -r -
> -w - -M TopN
> - host 10.11.2.243 | racount" I get a total that matches what I've
> manually arrived at from [2].
>
> So, how is [1] arriving at its total? I've been told
> previously that a TopN
> implies a filter of "tcp or udp" along with whatever else I
> supply, but I
> can't make it add up. :-(
>
> Hope I'm making sense.
>
> Andrew
>