[ARGUS] difference in pppd and argus statistics

Carter Bullard carter at qosient.com
Thu Apr 15 17:37:06 EDT 2004 

Hey Roman,
   The discrepancy is caused by the different meanings of
"src" and "dst" when it comes to flows vs interfaces.
The "src" of a tcp connection is the host that initiated
the TCP.  So if you're allowing TCP connections into your
ppp link, then the src/dst semantics with be reversed
for those packets, when compared to the ppp link stats.
You can correct this by using the ramon() tool in the
argus-clients distribution.

   The total bytes   ppp = 35411866
                   argus = 35411642

are pretty close.  I suspect that the ppp driver is eating
some control packets that the libpcap interface is not
getting, since we're not seeing any non-ip data.

Hope this helps!!!

Carter



-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Roman Festchook
Sent: Thursday, April 15, 2004 4:55 PM
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] difference in pppd and argus statistics

I use argus to monitor traffic on ppp interfaces (pptp tunnels on linux) -
and see
strange and repeating situation - argus started when pppXX interface come up
and stop when ppp connection dropped, sometimes I see strange difference in
pppd statistics and argus record summaries, like this:

pppd stats for connection:
Apr 15 21:08:40 kobzar pppd[5726]: Sent 33418023 bytes, received 1993843
bytes.

argus summary:
             total_pkts         src_pkts         dst_pkts      total_bytes
src_bytes        dst_bytes
tcp               64040            25056            38984         35329978
2167012         33162966
udp                 754              381              373            80304
24571            55733
icmp                 15               15                0             1124
1124                0
ip                    5                5                0              236
236                0
arp                   0                0                0                0
0                0
non-ip                0                0                0                0
0                0
sum               64814            25457            39357         35411642
2192943         33218699

So more traffic in incoming flow (2192943-1993843=199100) practically
identical amount of smaller outgoing
 flow (33218699-33418023=-199324). And this difference repeats.

Somebody can point me to reason of this strange defference?

--
Roman Festchook
Network Engineer
RF2-UANIC FRA11-RIPE

More information about the argus mailing list