Fwd: Re: Linksys router...
Peter Van Epp
vanepp at sfu.ca
Mon Dec 20 23:19:57 EST 2004
As Russell suggested, tcpdump is likely a good step here. Note that if you
capture a session with tcpdump you can play it back through argus to see what
it will do with it.
Another good question would be what argus version you are running
(this is roughly argus-2.0.6.fixes.1 with a few patches):
argus -r test.tcpd -w test.out
then
ra -r test.out -nn
(the -nn suppresses DNS and port translation). Here is an example from my test
machine (FreeBSD rather than Linux though):
test6# argus_bpf -w /tmp/argus.out
^Ctest6#
My usual use of ra:
test6# ra -r /tmp/argus.out -nn
20 Dec 04 19:50:51 man 229.97.122.203 v2.0 1 0 0 0 0 0 STA
20 Dec 04 19:50:55 udp 142.58.1.112.631 -> 142.58.1.255.631 1 0 143 0 INT
20 Dec 04 19:50:57 arp 142.58.1.81 who-has 142.58.1.217 2 0 120 0 INT
20 Dec 04 19:50:57 llc 0:b:db:7a:68:9b gbl -> ff:ff:ff:ff:ff: gbl 2 0 120 0 INT
20 Dec 04 19:50:53 llc 0:1:f4:6:98:44 gbl -> ff:ff:ff:ff:ff: gbl 42 0 20572 0 INT
20 Dec 04 19:50:54 udp 142.58.1.113.4444 -> 255.255.255.255.5000 4 0 184 0 INT
20 Dec 04 19:50:51 tcp 206.116.7.69.1030 ?> 142.58.1.236.22 1 0 54 0 CON
20 Dec 04 19:50:57 udp 142.58.1.113.4444 -> 255.255.255.255.5002 1 0 46 0 INT
20 Dec 04 19:50:53 llc 8:0:9:98:99:2c gbl -> ff:ff:ff:ff:ff: gbl 2 0 220 0 INT
20 Dec 04 19:50:53 arp 142.58.2.254 who-has 142.58.2.51 2 0 120 0 INT
20 Dec 04 19:50:52 llc 0:1:f4:ba:dd:74 stp -> 1:80:c2:0:0:0 stp 4 0 476 0 INT
20 Dec 04 19:50:52 llc 0:d0:b7:65:5e:1 gbl -> ff:ff:ff:ff:ff: gbl 1 0 110 0 INT
20 Dec 04 19:50:51 man 229.97.122.203 v2.0 12 0 62 0 22241 11 SHT
test6#
The one you are doing. Note that the -a may be confusing things since it prints
a summary of the counts at the end (and is missing from the argus-2.0.6-fixes.1
man page as well!) and I'm not sure how things will react to that (plus
it seems to print twice here):
test6# ra -ar /tmp/argus.out -nn
20 Dec 04 19:50:51 man 229.97.122.203 v2.0 1 0 0 0 0 0 STA
20 Dec 04 19:50:55 udp 142.58.1.112.631 -> 142.58.1.255.631 1 0 143 0 INT
20 Dec 04 19:50:57 arp 142.58.1.81 who-has 142.58.1.217 2 0 120 0 INT
20 Dec 04 19:50:57 llc 0:b:db:7a:68:9b gbl -> ff:ff:ff:ff:ff: gbl 2 0 120 0 INT
20 Dec 04 19:50:53 llc 0:1:f4:6:98:44 gbl -> ff:ff:ff:ff:ff: gbl 42 0 20572 0 INT
20 Dec 04 19:50:54 udp 142.58.1.113.4444 -> 255.255.255.255.5000 4 0 184 0 INT
20 Dec 04 19:50:51 tcp 206.116.7.69.1030 ?> 142.58.1.236.22 1 0 54 0 CON
20 Dec 04 19:50:57 udp 142.58.1.113.4444 -> 255.255.255.255.5002 1 0 46 0 INT
20 Dec 04 19:50:53 llc 8:0:9:98:99:2c gbl -> ff:ff:ff:ff:ff: gbl 2 0 220 0 INT
20 Dec 04 19:50:53 arp 142.58.2.254 who-has 142.58.2.51 2 0 120 0 INT
20 Dec 04 19:50:52 llc 0:1:f4:ba:dd:74 stp -> 1:80:c2:0:0:0 stp 4 0 476 0 INT
20 Dec 04 19:50:52 llc 0:d0:b7:65:5e:1 gbl -> ff:ff:ff:ff:ff: gbl 1 0 110 0 INT
20 Dec 04 19:50:51 man 229.97.122.203 v2.0 12 0 62 0 22241 11 SHT
total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
tcp 1 1 0 54 54 0
udp 6 6 0 373 373 0
icmp 0 0 0 0 0 0
ip 0 0 0 0 0 0
arp 4 4 0 240 240 0
non-ip 51 51 0 21498 21498 0
sum 62 62 0 22165 22165 0
total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
tcp 1 1 0 54 54 0
udp 6 6 0 373 373 0
icmp 0 0 0 0 0 0
ip 0 0 0 0 0 0
arp 4 4 0 240 240 0
non-ip 51 51 0 21498 21498 0
sum 62 62 0 22165 22165 0
test6#
Something else to be aware of is that counters are limited in size, so
when overflow is getting close (32K?) argus writes out the record and will then
write the rest of the traffic in another record (ragator or perl are the usual
ways of aggregating this) for the same flow. That may be what is happening to
you. That will show up in the ra listing as more than one record for the same
flow and if your output report is only reporting one of those, that may be
where your loss is.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
On Mon, Dec 20, 2004 at 04:12:15PM -0500, Brian Johnson wrote:
> Good idea. I think I've been staring at numbers too long today, my brain quit working. tcpdump spews forth all my test traffic. So it must be with how I'm running argus. Basically what I want to do is generate graphs of our incoming/outgoing bandwidth usage. So, I'm using argus to gather the data, racount to give me the numbers, and then mrtg to graph the stuff. But "racount -ar /tmp/argus.out" is giving me numbers that are WAY too low, and "ra -ar /tmp/argus.out" is not showing me any of the traffic from my tests.
>
> That's what leads me to believe I'm running argus wrong. I've been using:
>
> argus -i eth1 -S 10 -w argus.out
>
> But the sum line of "racount -ar argus.out" is WAY too low. Usually about 2 to 5 times lower than it should be. If I download a 20MB file, I will see a sum in the total_bytes column of about 9800000 (rounded up). After a 40MB file, I see a sum of 13000000. I even waited a few minutes to make sure argus had written its data out.
>
> Any ideas?
>
> -Brian
>
> r.fulton at auckland.ac.nz wrote:
> >On Mon, 2004-12-20 at 15:13 -0500, Brian Johnson wrote:
> >> What is your argus command? I'm ready to punt this out the window. Perhaps my "hub" isn't such a hub after all. I'm still only seeing some traffic, not all, after putting a hub in place of the switch.
> >
> >use something simple like tcpdump or ntop to see what traffic is
> >actually visible on the interface. Remember to specify the interface
> >with -i if the box has more than one interface. This should establish
> >if the traffic is visible on the interface or not.
> >
> >If it isn't then it isn't an argus problem.
> >
> >Russell
> --
> Brian Johnson
> Systems Administrator
> ThermoAnalytics, Inc.
> 906-482-9560 x210
> http://www.thermoanalytics.com
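Added example (not part of the original thread): a small sh/awk script that aggregates `ra -nn` records the way Peter describes above, so that a flow argus has split across several records (counter near overflow) is summed back into one total per flow and per protocol, racount-style. It assumes the argus-2.0 column layout visible in the listing above (start time in four fields, then proto, src, dir, dst, src_pkts, dst_pkts, src_bytes, dst_bytes, state). The sample input mixes records copied from the listing with two CONSTRUCTED records for a 10.0.0.x TCP flow that stand in for one transfer split into two records; the 10.0.0.x addresses, counts and the function names are assumptions for the example.

```shell
#!/bin/sh
# Aggregate argus-2.0 "ra -nn" output per flow and per protocol.
# Column layout assumed from the listing in the message above:
#   $1-$4 start time, $5 proto, $6 src, $7 dir, $8 dst,
#   $9 src_pkts, $10 dst_pkts, $11 src_bytes, $12 dst_bytes, $13 state
# "man" (argus management) records use a different layout and are skipped.

# CONSTRUCTED sample: four records copied from the listing above plus two
# records for one 10.0.0.5 -> 10.0.0.9 TCP flow that argus split in two
# (invented addresses and counts, standing in for a counter-overflow split).
RA_SAMPLE='20 Dec 04 19:50:51 man 229.97.122.203 v2.0 1 0 0 0 0 0 STA
20 Dec 04 19:50:55 udp 142.58.1.112.631 -> 142.58.1.255.631 1 0 143 0 INT
20 Dec 04 19:50:51 tcp 206.116.7.69.1030 ?> 142.58.1.236.22 1 0 54 0 CON
20 Dec 04 19:50:57 arp 142.58.1.81 who-has 142.58.1.217 2 0 120 0 INT
20 Dec 04 19:51:00 tcp 10.0.0.5.34567 -> 10.0.0.9.80 20000 10000 1200000 600000 CON
20 Dec 04 19:51:30 tcp 10.0.0.5.34567 -> 10.0.0.9.80 15000 8000 900000 480000 FIN'

# Sum packets and bytes for every record that shares proto/src/dst, and
# report how many records made up each flow (more than one means a split).
flow_totals() {
    awk '$5 != "man" {
            key = $5 " " $6 " " $8
            n[key]++
            pkts[key]  += $9 + $10
            bytes[key] += $11 + $12
         }
         END { for (k in pkts)
                   printf "%s records=%d pkts=%d bytes=%d\n", k, n[k], pkts[k], bytes[k] }' | sort
}

# The failure mode described above: a report that keeps only one record per
# flow silently drops the bytes carried by the later records of a split flow.
first_record_only() {
    awk '$5 != "man" {
            key = $5 " " $6 " " $8
            if (!(key in seen)) { seen[key] = 1; bytes[key] = $11 + $12 }
         }
         END { for (k in bytes) printf "%s bytes=%d\n", k, bytes[k] }' | sort
}

# Per-protocol totals (packets, bytes), like the body of the racount table.
proto_totals() {
    awk '$5 != "man" { pkts[$5] += $9 + $10; bytes[$5] += $11 + $12 }
         END { for (p in pkts) printf "%s %d %d\n", p, pkts[p], bytes[p] }' | sort
}

# Grand total over all non-management records, like racount's "sum" line.
grand_total() {
    awk '$5 != "man" { tp += $9 + $10; tb += $11 + $12 }
         END { printf "sum %d %d\n", tp, tb }'
}

echo "== per flow (all records summed) =="
printf '%s\n' "$RA_SAMPLE" | flow_totals
echo "== per flow (first record only, shows the loss) =="
printf '%s\n' "$RA_SAMPLE" | first_record_only
echo "== per protocol =="
printf '%s\n' "$RA_SAMPLE" | proto_totals
printf '%s\n' "$RA_SAMPLE" | grand_total
```

Run against real data with `ra -r argus.out -nn | flow_totals` (after sourcing the functions); a flow showing `records=2` or more is one argus split, and the difference between `flow_totals` and `first_record_only` for that flow is exactly the kind of shortfall the quoted message reports.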