Timeranges

Steve McInerney spm at healthinsite.gov.au
Wed Feb 11 00:07:18 EST 2004


Perhaps the best option, from Carter's perspective, might be an actual 
patch submission. ;-)

But I would agree here Peter, being able to include flows that only 
started and finished within a time range would be appropriate. And thanks for 
the reminder of the flows/timing!


Perhaps, on further reflection, it might be appropriate to even go so 
far as to ignore the split flows in this context, i.e. exclude that 
portion of any flow which lies outside the time range; fractional flows 
if that's clearer. I'm unsure how this would work at the detail level 
with argus as it currently stands tho?
To a large extent it would depend on how one wishes to use the end data. 
Is it a raw size count? Or the flows themselves that are of interest?

The intended end result should be looked at in more detail?

I can make an educated guess as to which Andrew would prefer, but it 
would be more appropriate for him to enlarge IMHO.



Come to think of it - how DOES argus deal with split flows - for example 
at startup? Does it simply ignore any already happening sessions?


- Steve

Peter Van Epp wrote:
>         You will indeed have overlaps at the boundary. The time range command
> accepts any flow that intersects the time range (i.e. starts before but ends
> after the selected start time, or starts before the end time and ends after
> the end time). This means that flows that cross the boundary either way will
> be included in both sections. You would probably need to write something that
> detected such flows and deleted them in one record or the other. 
> 	The simple solution of course would be to change your cron job for 
> future entries to cut the interval in half and stick the two segments 
> together in ra to process a whole day's records as you used to do before it 
> got too large. That should avoid the split problem entirely with current 
> technology.
>         Another option would be to convince Carter to change the time range
> command (possibly with a different flag) to something like a rule "if the
> start is in the time range include it, if it isn't don't (because it will get
> picked up in the next split interval)" which would include the flow in only one
> of the two split flows at the cost of a change in semantics. A new flag may be 
> in order because both options may be useful at different times since they do 
> slightly different things. 
> 	We would need to think carefully about the boundary conditions though 
> to make sure it doesn't do something unexpected (at first thought I think it 
> should work though).
> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> 
> 
> On Wed, Feb 11, 2004 at 12:17:22PM +1000, Andrew Pollock wrote:
> 
>>On Wed, Feb 11, 2004 at 12:56:50PM +1100, Steve McInerney wrote:
>>
>>>Hi Andrew,
>>>
>>>I've not done it for hours per se, but have done days. The ra man page 
>>>gives the details on how to do hours as well. Just a minor modification.
>>>
>>>from my notes:
>>>ra -n -w ~/argus-oct.argus -t '2002/10/01-2002/10/31' -r 
>>>/var/log/argus/argus.out.0.bz2 ?
>>
>>What I'm currently experimenting with is:
>>
>>ra -r 2003-12-01 -t 12/01.00-12
>>and
>>ra -r 2003-12-01 -t 12/01.12-24
>>
>>but I suspect I'm going to have overlap/underlap issues.
>>
>>i.e. I've already got logfiles on a daily basis, I want to split them down
>>further
>>
>>Andrew
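
The selection rules discussed in this thread, compared on a day split at 12:00, as an added example (not argus code and not written by any of the posters). It goes slightly beyond the thread by also pro-rating bytes for the "fractional flows" idea. The flow records, the half-open range convention, the uniform byte rate and all function names are assumptions made for illustration.

```python
# Constructed sample flows: (id, start_hour, end_hour, bytes) within one day.
FLOWS = [
    ("a", 1.0, 2.0, 1000),    # entirely in the first half
    ("b", 11.5, 12.5, 4000),  # crosses the 12:00 boundary
    ("c", 12.0, 13.0, 2000),  # starts exactly on the boundary
    ("d", 20.0, 23.5, 8000),  # entirely in the second half
]

def intersects(start, end, t0, t1):
    """Any overlap with [t0, t1): the behaviour described for the time range
    command. Treatment of exact boundary hits is an assumption here."""
    return start < t1 and end > t0

def starts_in(start, end, t0, t1):
    """Proposed alternative: a flow belongs only to the range it starts in."""
    return t0 <= start < t1

def contained(start, end, t0, t1):
    """Stricter variant: the flow both starts and finishes inside the range."""
    return t0 <= start and end <= t1

def split_counts(rule, boundaries):
    """Number of consecutive split ranges each flow is selected into."""
    hits = {fid: 0 for fid, *_ in FLOWS}
    for t0, t1 in zip(boundaries, boundaries[1:]):
        for fid, start, end, _ in FLOWS:
            if rule(start, end, t0, t1):
                hits[fid] += 1
    return hits

def clipped_bytes(t0, t1):
    """Fractional flows: count only the share of each flow's bytes that falls
    inside the range (assumes non-zero duration and a uniform byte rate)."""
    total = 0.0
    for _, start, end, nbytes in FLOWS:
        overlap = max(0.0, min(end, t1) - max(start, t0))
        total += nbytes * overlap / (end - start)
    return total

if __name__ == "__main__":
    halves = [0.0, 12.0, 24.0]
    for rule in (intersects, starts_in, contained):
        # 2 = duplicated across both halves, 0 = dropped from both
        print(rule.__name__, split_counts(rule, halves))
    print("clipped bytes:", clipped_bytes(0.0, 12.0), clipped_bytes(12.0, 24.0))
```

A count of 2 is the overlap case (the boundary-crossing flow appears in both halves), and a count of 0 is the underlap case (it appears in neither).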



