[ARGUS] raxml issue

Carter Bullard carter at qosient.com
Mon Jun 7 09:31:09 EDT 2004


Hey Glenn,
   You probably shouldn't be using ramon() in this case.
ramon() is a variation of ragator(), so it's a special
case of an argus data aggregator.  It modifies the flow
description (the src/dst ip addr, proto, src port
and dst port fields) of each record and then merges
records that have the same resulting flow descriptor.

   ramon() differs from ragator() in that it REALLY
modifies the original record depending on the mode,
by removing most of the flow descriptor fields, AND,
it also doubles the packet and byte counts for the
total data in the file (this is a by-product of the
RMON concept, not a bug).

  By running ramon(), you are modifying the flow records
to report aggregated totals for individual IP addresses.
Because your data has activity for 2 hosts, x.y.z.w, and w.z.y.x,
ramon() is designed to generate only two output records,
one for x.y.z.w and one for w.z.y.x.  That's basically what
you're seeing.

   So the output is right.  Maybe you probably should run
ragator() instead of ramon()?  What type of report are you
trying to generate?

Carter



-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Glenn MacGregor
Sent: Friday, June 04, 2004 2:54 PM
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] raxml issue

Hi All,

Here is a snippet from the output of raxml (ramon -M topn -unnnr
argus.out -w - | raxml -unnnr - > hosts.xml)

The test I ran is the following:
At 192.168.0.74 I downloaded a 17meg file from 192.168.0.104. I would
assume Argus would output from ramon -M topn one record with a SrcIpAddr
= 192.168.0.74 with a very small number of SrcBytes and SrcAppBytes and
very high DstBytes and DstAppBytes and the opposite for 192.168.0.104.
Is this correct?

Here is some output from the command above:

...
<Flow><IP SrcIPAddr = "192.168.0.104" DstIPAddr = "0.0.0.0" Proto = "0"
IpId = "0" /></Flow>...
<Metrics SrcCount = "3569" DstCount = "11879" SrcBytes = "267211"
DstBytes = "17599811" SrcAppBytes = "35165" DstAppBytes = "16820505" />...

...
<Flow><IP SrcIPAddr = "192.168.0.74" DstIPAddr = "0.0.0.0" Proto = "0"
IpId = "0" /></Flow>...
<Metrics SrcCount = "11681" DstCount = "3370" SrcBytes = "17582185"
DstBytes = "226442" SrcAppBytes = "16811219" DstAppBytes = "2778" />...

Again the http server is on 192.168.0.104 and the client is 192.168.0.74
so this XML output seems backwards to me.

Any thoughts?

    Thanks

	Glenn MacGregor
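To make Carter's description of ramon -M topn concrete, here is an added model of the aggregation step, written for this archive and not taken from the argus clients: every flow record is rewritten into one record per host (the other address, protocol and ports zeroed, as in Glenn's output), records with the same resulting descriptor are merged, and the packet and byte totals therefore come out doubled. The sample flows are constructed, and reversing the metric columns for the record keyed on the flow's destination host is an assumption consistent with the mirrored numbers in Glenn's two records, not a statement about the argus implementation.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One bidirectional argus-style flow record (descriptor + metrics)."""
    saddr: str
    daddr: str
    proto: int
    sport: int
    dport: int
    spkts: int
    dpkts: int
    sbytes: int
    dbytes: int


# Constructed sample data (not from the post): two HTTP transfers and a small
# UDP exchange between the same two hosts, so the 5-tuples differ but the
# hosts do not.
SAMPLE = [
    Flow("192.168.0.74", "192.168.0.104", 6, 41123, 80, 3300, 11600, 220000, 17000000),
    Flow("192.168.0.74", "192.168.0.104", 6, 41124, 80, 70, 81, 6000, 99000),
    Flow("192.168.0.74", "192.168.0.104", 17, 5353, 53, 2, 2, 140, 300),
]

COLUMNS = ("SrcCount", "DstCount", "SrcBytes", "DstBytes")


def ramon_topn(flows):
    """Model of ramon -M topn: collapse the descriptor to a single host
    address, then merge everything that now shares that descriptor.
    Assumption: the record keyed on the flow's destination host gets the
    src/dst metric columns reversed, so each host sees itself as 'Src'."""
    hosts = defaultdict(lambda: [0, 0, 0, 0])  # SrcCount, DstCount, SrcBytes, DstBytes
    for f in flows:
        views = [(f.saddr, (f.spkts, f.dpkts, f.sbytes, f.dbytes)),
                 (f.daddr, (f.dpkts, f.spkts, f.dbytes, f.sbytes))]
        for host, metrics in views:       # one contribution per host => doubling
            acc = hosts[host]
            for i, v in enumerate(metrics):
                acc[i] += v
    return {h: dict(zip(COLUMNS, m)) for h, m in hosts.items()}


def doubling_check(flows):
    """Return (input byte total, ramon output byte total); output is 2x input."""
    inp = sum(f.sbytes + f.dbytes for f in flows)
    out = sum(r["SrcBytes"] + r["DstBytes"] for r in ramon_topn(flows).values())
    return inp, out
```

Run on the sample, the three distinct 5-tuples collapse to exactly two host records, one per address, and the byte total across them is twice the total in the input, which is the RMON by-product Carter mentions rather than a bug.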