[ARGUS] Problems with rasort, ragator
Ryan Moon
rmoon at gocougs.wsu.edu
Tue Aug 24 18:46:09 EDT 2004
I'm having some difficulties with the rasort command not sorting properly
by the byte count:

ragator -r <aggregated data file> -f /etc/argus/proto.conf -w - - \
src net xx.xx.xx | rasort -M bytes -s proto pkts bytes - \
not arp and not man

esp 115703 0 65010378 0
udp 140586 126802 11853658 21945965
scps 3700 3700 177600 177600
icmp 325 0 62962 0
rtcp 90 93 7596 16627
tcp 2499906 3123492 627650335 2855939870

Why is tcp listed last even though its byte counts are much larger? If I
substitute "sbytes" for "bytes", it appears to sort correctly:

tcp 2499906 3123492 627650335 2855939870
esp 115703 0 65010378 0
udp 140586 126802 11853658 21945965
scps 3700 3700 177600 177600
icmp 325 0 62962 0
rtcp 90 93 7596 16627

Here are the contents of my proto.conf ragator configuration file:

# ------------
#label id ip src dst proto sport dport model dur idle
Flow 100 ip * * * * * 200 0 0
#label id ip SAddrMask DAddrMask Proto SPort DPort
Model 200 ip 0.0.0.0 0.0.0.0 yes no no
# ------------

Also I've been having some problems with the tcp protocol being listed
twice in ragator output. This is using the same ragator config.

ragator -n -r <aggregated data file> -f /etc/argus/proto.conf - \
dst net xx.xx.xx and not arp and not man

23 Aug 04 23:44:31 *S tcp 0.0.0.0.65535 -> 0.0.0.0.65535 4201885 4706726 570634174 4225035431 RST
23 Aug 04 23:44:35 *S tcp 0.0.0.0.65535 -> 0.0.0.0.65535 1938681 2438066 250408967 1900526877 RST
[...other protocols trimmed]

Before, I fixed it by properly terminating the ragator args with "-" before
the filter expression. Now the problem has recurred and I am confused by
tcp being printed twice. I'm not sure which counts to trust, and it appears
that the sum of both might be more than the actual traffic.

I look forward to any assistance with these problems.
Ryan Moon
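The following is an added example, not part of Ryan's post and not code from the Argus project. It re-parses the six "proto pkts bytes" rows pasted above and orders them by sbytes, dbytes and their sum, so a reader can compare each candidate ordering against what rasort printed. It also flags every raw counter above 2^31-1 and shows the order that would result if the per-protocol total were held in a signed 32-bit integer; that wrapped-counter interpretation is an assumption to test against rasort's source, not something the post establishes.

```python
"""Re-sort the rasort output quoted in the post and flag large counters.

Added example (not from the post or from the Argus project).  It parses the
'proto spkts dpkts sbytes dbytes' rows exactly as printed and orders them by
each candidate key so the result can be compared with rasort's own output.
"""

# Rows copied from the post: proto, spkts, dpkts, sbytes, dbytes
RASORT_OUTPUT = """\
esp 115703 0 65010378 0
udp 140586 126802 11853658 21945965
scps 3700 3700 177600 177600
icmp 325 0 62962 0
rtcp 90 93 7596 16627
tcp 2499906 3123492 627650335 2855939870
"""

INT32_MAX = 2**31 - 1
FIELDS = ("proto", "spkts", "dpkts", "sbytes", "dbytes")


def parse_rows(text):
    """Turn 'proto spkts dpkts sbytes dbytes' lines into dicts with totals."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip blank or unparseable lines
        row = dict(zip(FIELDS, parts))
        for key in FIELDS[1:]:
            row[key] = int(row[key])
        row["bytes"] = row["sbytes"] + row["dbytes"]
        row["pkts"] = row["spkts"] + row["dpkts"]
        rows.append(row)
    return rows


def sort_by(rows, key):
    """Descending sort on one key; returns the protocol names in order."""
    return [r["proto"] for r in sorted(rows, key=lambda r: r[key], reverse=True)]


def to_int32(n):
    """Reinterpret n as a signed 32-bit two's-complement value.

    Hypothetical narrow counter: the post does not say rasort does this;
    it is only a way to check whether such a limit would explain the order.
    """
    n &= 0xFFFFFFFF
    return n - 2**32 if n > INT32_MAX else n


def counters_over_int31(rows):
    """Return (proto, field, value) for every raw counter above 2^31-1."""
    hits = []
    for r in rows:
        for key in ("spkts", "dpkts", "sbytes", "dbytes"):
            if r[key] > INT32_MAX:
                hits.append((r["proto"], key, r[key]))
    return hits


def sort_by_wrapped_bytes(rows):
    """Order rows as if sbytes+dbytes were summed in a signed 32-bit int."""
    return [r["proto"] for r in
            sorted(rows, key=lambda r: to_int32(r["bytes"]), reverse=True)]


if __name__ == "__main__":
    rows = parse_rows(RASORT_OUTPUT)
    for key in ("sbytes", "dbytes", "bytes"):
        print(f"{key:>6}: {sort_by(rows, key)}")
    print("counters above 2^31-1:", counters_over_int31(rows))
    print("order if total bytes wrapped at 32 bits:", sort_by_wrapped_bytes(rows))
```

Run as a script, it prints tcp first for sbytes, dbytes and the sum, which is the order the "sbytes" run in the post shows. Only tcp's dbytes exceeds 2^31-1, and the wrapped ordering places tcp last, matching the "-M bytes" output in the post; whether that is the actual cause has to be confirmed in rasort itself.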