The double-counting saga
Dave Plonka
plonka at doit.wisc.edu
Thu May 8 17:41:52 EDT 2003
On Thu, May 08, 2003 at 03:50:38PM -0500, Dave Plonka wrote:
> P.S. In answer to Andrew's question about how to fix it, if you can
> tolerate changing to a different file format, its possible to adjust the
> counts
<snip>
Doh! I found its not really sensible to adjust the per-flow pkt and
byte counts to be 1/2 what they were. Even though argus had the same
interface open twice and therefore nearly all flows had doubled pkt and
byte counts, it seems to have sometimes counted the packets differently
on the two instances of that same interface. Perhaps this is because a
slightly different set of packets is observed within the flow timeout
for each interface instance.
So, while nearly all flows showed doubled counters, a fraction of a
percent of the flow records still had odd numbers of packets (like 1) -
and therefore can't be divided by two to "correct" the doubling.
Ugh - once more, theory is simpler than reality...
Dave
--
plonka at doit.wisc.edu http://net.doit.wisc.edu/~plonka ARS:N9HZF Madison, WI
More information about the argus
mailing list