[ARGUS] Issue with man records

[Edward Balas]

Hey all,

I have been playing the argus some and ran into a few issues regarding
my understanding of how to interpret the man type records and what
I get as output.

If I understand things correctly here is the way to interpret man 
records as output by ra:

argus_man               flow
----------------------------------
argus.id                SrcAddr
major.minor ver         SrcPort

next SequenceNum        DstAddr
flows                   DstPort

pktsRX                  SrcPkts
pktsDrop                DstPkts

bytesRX                 src_bytes
flowsClosed             dst_bytes


It would seem that if I wanted to get a sense of how many pkts were
dropped  in an overload situation I would want to monitor
the DstPkts field, I might want to do something like this...

[root at foobar argus]# argus -M 30 -e "127.0.0.1" -w - | ra -F ra.conf -n 
-s startime  dur spkts dpkts  - man
StartTime,Fraction,Dur,SrcPkt,DstPkt
04/07/27,16:13:59,0.65,0.00,0,0
04/07/27,16:13:59,0.65,29.51,238907,0
04/07/27,16:14:29,0.17,29.92,240692,616
04/07/27,16:14:59,0.09,30.04,229491,4294966683
04/07/27,16:15:29,0.13,30.05,231567,475
04/07/27,16:15:59,0.19,29.98,241096,4294967001
04/07/27,16:16:29,0.18,29.98,239657,147

As I understand it the last record is interpreted
to mean that at the 30 second interval starting at 
 4/07/27 16:16:29  we received 239,657 packets and
in addition to those we lost 147 other packets.  
Is that the correct understanding? or is 147 come
out of the 239,657 total?


This all makes pretty good sense except it looks like there is a problem 
with the the lost packet counter going funny.  Has any body seen this 
prior? 

I attempted to determine if this was a problem local to ra or a problem 
with the argus deamon by using raxml to examine the output, however
it looks like raxml is not capable of outputing man records.



Edward Balas