[ARGUS] Problems with rasort, ragator
Carter Bullard
carter at qosient.com
Wed Aug 25 16:38:20 EDT 2004
> From: Carter Bullard <carter at newyork.qosient.com>
> Date: Wed, 25 Aug 2004 09:19:37 -0400
> To: Ryan Moon <rmoon at gocougs.wsu.edu>, <argus-info at lists.andrew.cmu.edu>
> Subject: RE: [ARGUS] Problems with rasort, ragator
>
> Hey Ryan,
> Seems that we've got a bug in the sort comparison
> routine. We add the source and destination byte counts
> to do the "bytes" comparison, but this number seems to be
> negative in your case. We actually do a (long long)
> comparison in the sort routine, but I suspect that the
> conversion to (long long) is happening after it's been
> calculated to be negative. Try the patch below to see
> if it doesn't solve your problem.
>
> You're getting two tcp records because the dst byte count
> is rolling over the 32-bit counters that argus uses.
>
> Hope this helps,
>
> Carter
>
> Index: argus_client.c
> ===================================================================
> RCS file: /usr/local/cvsroot/argus-clients/common/argus_client.c,v
> retrieving revision 1.17
> diff -r1.17 argus_client.c
> 3861,3862c3861,3864
> < cnt1 = a1->argus_far.src.bytes + a1->argus_far.dst.bytes;
> < cnt2 = a2->argus_far.src.bytes + a2->argus_far.dst.bytes;
> ---
>> cnt1 = (long long) a1->argus_far.src.bytes;
>> cnt1 += (long long) a1->argus_far.dst.bytes;
>> cnt2 = (long long) a2->argus_far.src.bytes;
>> cnt2 += (long long) a2->argus_far.dst.bytes;
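Review bot: the casts on the right-hand side only help if cnt1 and cnt2 are themselves declared long long; the hunk does not show their declarations, and if they are still 32-bit ints the widened sum is truncated again on assignment and the negative value that made tcp sort last comes straight back. Check the declarations in the same function and widen them to `long long cnt1, cnt2;` if needed, and add a one-line comment that src.bytes + dst.bytes can exceed what a 32-bit counter holds (627650335 + 2855939870 in the report below), so the casts are not dropped as redundant later.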
>
>
>
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Ryan Moon
> Sent: Tuesday, August 24, 2004 6:46 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: [ARGUS] Problems with rasort, ragator
>
> I'm having some difficulties with the rasort command not sorting properly
> by the byte count:
>
> ragator -r <aggregated data file> -f /etc/argus/proto.conf -w - - \
> src net xx.xx.xx | rasort -M bytes -s proto pkts bytes - \
> not arp and not man
>
> esp 115703 0 65010378 0
> udp 140586 126802 11853658 21945965
> scps 3700 3700 177600 177600
> icmp 325 0 62962 0
> rtcp 90 93 7596 16627
> tcp 2499906 3123492 627650335 2855939870
>
> Why is tcp listed last even though its byte counts are much larger? If I
> substitute "sbytes" for "bytes", it appears to sort correctly:
>
> tcp 2499906 3123492 627650335 2855939870
> esp 115703 0 65010378 0
> udp 140586 126802 11853658 21945965
> scps 3700 3700 177600 177600
> icmp 325 0 62962 0
> rtcp 90 93 7596 16627
>
> Here are the contents of my proto.conf ragator configuration file:
>
> # ------------
> #label id ip src dst proto sport dport model dur idle
> Flow 100 ip * * * * * 200 0 0
>
> #label id ip SAddrMask DAddrMask Proto SPort DPort
> Model 200 ip 0.0.0.0 0.0.0.0 yes no no
> # ------------
>
> Also I've been having some problems with the tcp protocol being listed
> twice in ragator output. This is using the same ragator config.
>
> ragator -n -r <aggregated data file> -f /etc/argus/proto.conf - \
> dst net xx.xx.xx and not arp and not man
>
> 23 Aug 04 23:44:31 *S tcp 0.0.0.0.65535 ->
> 0.0.0.0.65535 4201885 4706726 570634174 4225035431 RST
> 23 Aug 04 23:44:35 *S tcp 0.0.0.0.65535 ->
> 0.0.0.0.65535 1938681 2438066 250408967 1900526877 RST
> [...other protocols trimmed]
>
> Before, I fixed it by properly terminating the ragator args with "-" before
> the filter expression. Now the problem has recurred and I am confused by
> tcp being printed twice. I'm not sure which counts to trust, and it appears
> that the sum of both might be more than the actual traffic.
>
> I look forward to any assistance with these problems.
>
> Ryan Moon
>
>
>
>
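The comparator overflow Carter describes above, as an added C example that is not from the argus-clients sources: a constructed flow struct carrying the 32-bit byte counters and the rasort figures from Ryan's report, sorted once with a comparator that widens to long long only after the add (assumed here to hold the sum in an int, which the hunk does not show) and once with one that widens each operand first, as the patch does.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the argus_far counters: argus keeps 32-bit
 * byte counters, so both fields are uint32_t. The struct and its field
 * names are hypothetical, not the argus definition. */
struct flow {
    const char *proto;
    uint32_t src_bytes, dst_bytes;
};

/* Pre-patch behaviour: the sum lands in a 32-bit int (assumed type) before
 * the (long long) comparison, so 627650335 + 2855939870 = 3483590205 wraps
 * to -811377091 and tcp sorts last, exactly as in the rasort output above. */
static int cmp_bytes_buggy(const void *p1, const void *p2)
{
    const struct flow *a1 = p1, *a2 = p2;
    int cnt1 = a1->src_bytes + a1->dst_bytes;
    int cnt2 = a2->src_bytes + a2->dst_bytes;
    /* descending order; widening at this point is too late */
    return ((long long) cnt1 > (long long) cnt2) ? -1 :
           ((long long) cnt1 < (long long) cnt2) ?  1 : 0;
}

/* Patched behaviour: widen each 32-bit operand first and keep the sum in a
 * 64-bit variable, so the total of two 32-bit counters can never go negative. */
static int cmp_bytes_fixed(const void *p1, const void *p2)
{
    const struct flow *a1 = p1, *a2 = p2;
    long long cnt1 = (long long) a1->src_bytes + (long long) a1->dst_bytes;
    long long cnt2 = (long long) a2->src_bytes + (long long) a2->dst_bytes;
    return (cnt1 > cnt2) ? -1 : (cnt1 < cnt2) ? 1 : 0;
}

/* Sort a copy of the constructed table (sbytes/dbytes copied from the report)
 * with cmp and return the protocol name at position idx, or NULL if out of range. */
static const char *proto_at(int (*cmp)(const void *, const void *), size_t idx)
{
    static const struct flow table[] = {
        { "esp",  65010378u, 0u },        { "udp",  11853658u, 21945965u },
        { "scps", 177600u,   177600u },   { "icmp", 62962u,    0u },
        { "rtcp", 7596u,     16627u },    { "tcp",  627650335u, 2855939870u },
    };
    struct flow copy[sizeof table / sizeof table[0]];
    memcpy(copy, table, sizeof table);
    qsort(copy, sizeof copy / sizeof copy[0], sizeof copy[0], cmp);
    return idx < sizeof copy / sizeof copy[0] ? copy[idx].proto : NULL;
}
```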