The double-counting saga
Carter Bullard
carter at qosient.com
Thu May 8 18:46:24 EDT 2003
Hey Guys,
So the critical mass of errors has been reached, and
I'll make sure that argus doesn't open the same
interface twice. Should be up in the next day or so.
Carter
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Dave Plonka
> Sent: Thursday, May 08, 2003 5:42 PM
> To: argus-info at lists.andrew.cmu.edu
> Cc: Andrew Pollock
> Subject: Re: The double-counting saga
>
>
> On Thu, May 08, 2003 at 03:50:38PM -0500, Dave Plonka wrote:
> > P.S. In answer to Andrew's question about how to fix it, if you can
> > tolerate changing to a different file format, its possible
> to adjust the
> > counts
> <snip>
>
> Doh! I found its not really sensible to adjust the per-flow pkt and
> byte counts to be 1/2 what they were. Even though argus had the same
> interface open twice and therefore nearly all flows had
> doubled pkt and
> byte counts, it seems to have sometimes counted the packets
> differently
> on the two instances of that same interface. Perhaps this is
> because a
> slightly different set of packets is observed within the flow timeout
> for each interface instance.
>
> So, while nearly all flows showed doubled counters, a fraction of a
> percent of the flow records still had odd numbers of packets
> (like 1) -
> and therefore can't be divided by two to "correct" the doubling.
>
> Ugh - once more, theory is simpler than reality...
>
> Dave
>
> --
> plonka at doit.wisc.edu http://net.doit.wisc.edu/~plonka
> ARS:N9HZF Madison, WI
>
More information about the argus
mailing list