Breaking down selected traffic
Carter Bullard
carter at qosient.com
Thu May 8 09:29:20 EDT 2003
Hey Steve,
Argus records have only 32-bit counters, at present,
and so in most operations on native argus data, if a
counter would roll over, the tools "spit" them out, so
to speak.
So you're getting 2 tcp http records because the first
byte count is just about ready to roll over (4294896677).
Writing a simple frontend to ramon in perl can help this
situation, as perl does really well with 64-bit counters.
Carter
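The frontend Carter describes, as an added example that is not from the argus project or from either poster, written in Python rather than perl (Python ints never overflow, so no 32-bit wrap can occur in the sums). It assumes ramon's columns are proto, service, src pkts, dst pkts, src bytes, dst bytes; the sample lines are constructed from the numbers in Steve's message.

```python
"""Re-aggregate per-service ramon output in arbitrary-precision ints so
records that argus split at a 32-bit rollover are merged back into one
total.  Column layout is an assumption: the last four whitespace-separated
fields are src_pkts, dst_pkts, src_bytes, dst_bytes; everything before
them (e.g. "tcp http" or just "icmp") is the aggregation key."""
from collections import defaultdict

COUNTER_MAX = 2**32 - 1          # largest value a 32-bit argus counter holds
FIELDS = ("src_pkts", "dst_pkts", "src_bytes", "dst_bytes")

# Constructed sample: the duplicated rows from Steve's ramon -M svc output.
SAMPLE = [
    "tcp http 7099751 7045491 676059782 4294896677",
    "tcp http 459270 445984 46457198 255631299",
    "icmp 1217 0 65362 0",
    "icmp 22 0 1540 0",
]

def parse_line(line):
    """Split one ramon row into (key, (4 counters)); None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        counts = tuple(int(x) for x in parts[-4:])
    except ValueError:
        return None
    return " ".join(parts[:-4]), counts

def merge_records(lines):
    """Sum counters per key; Python ints make the totals immune to wrap."""
    totals = defaultdict(lambda: [0] * len(FIELDS))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key, counts = rec
        for i, c in enumerate(counts):
            totals[key][i] += c
    return {k: tuple(v) for k, v in totals.items()}

def wrap32(n):
    """What a native 32-bit counter would report for total n."""
    return n & COUNTER_MAX

def near_rollover(n, margin=0.01):
    """True when a counter is within `margin` of the 32-bit ceiling."""
    return n >= COUNTER_MAX * (1 - margin)

if __name__ == "__main__":
    for key, counts in merge_records(SAMPLE).items():
        flags = ["(32-bit would show %d)" % wrap32(c) if c > COUNTER_MAX else ""
                 for c in counts]
        print(key, *("%s=%d %s" % (f, c, x) for f, c, x in zip(FIELDS, counts, flags)))
```

Run against `ra -r argus.out -w - ... | ramon -M svc | python3 frontend.py` style piping by replacing SAMPLE with `sys.stdin`; the merged tcp http destination byte total (4550527976) is exactly the value a 32-bit counter could not hold.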
> -----Original Message-----
> From: Steve McInerney [mailto:spm at healthinsite.gov.au]
> Sent: Thursday, May 08, 2003 2:19 AM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: Breaking down selected traffic
>
>
> Hi Carter,
>
> Thanks for this tip - most useful.
>
> Did get one minor curiosity when I ran it though, duplicate entries for
> various services like so:
>
> (Have chopped the date column in the interests of readability)
>
> tcp http 7099751 7045491 676059782 4294896677
> tcp http 459270 445984 46457198 255631299
> <snip>
> icmp 1217 0 65362 0
> <snip>
> icmp 22 0 1540 0
> ...
>
>
> Any idea as to why?
> I'm using argus-clients-2.0.6.beta.40
> The command line to generate the above is:
>
> ra -r argus.out -w - - ether host gw-x:x:x:x:x:x:x and not "( src or dst net dmz-a.b.c or dst net local-d.e.f )" | ramon -M svc
>
> -> traffic leaving our gateway, not destined/from the DMZ or local net
>
>
> Thanks
>
>
> - Steve