[ARGUS] raxml issue

Glenn MacGregor gtm at highstreetnetworks.com
Mon Jun 7 10:15:22 EDT 2004 

Carter,

Thanks for the info. I do three queries using ramon TopN, Matrix, 
Service. The data I want is the list of hosts with traffic metrics. The 
list of talkers with metrics and the list of services with metrics. Is 
there a way to do this with ragator? Can you give me some advice on 
using ragator in this capacity?

	Thanks

		Glenn


Carter Bullard wrote:
> Hey Glenn,
>    You probably shouldn't be using ramon() in this case.
> ramon() is a variation of ragator(), so it's a special
> case of an argus data aggregator.  It modifies the flow
> description (the src/dst ip addr, proto, src port
> and dst port fields) of each record and then merges
> records that have the same resulting flow descriptor.
> 
>    ramon() differes from ragator() in that is REALLY
> modifies the original record depending on the mode,
> by removing most of the flow descriptor fields, AND,
> it also doubles the packet and byte counts for the
> total data in the file (this is a by product of the
> RMON concept, not a bug).
> 
>   By running ramon(), you are modifying the flow records
> to report aggregated totals for individual IP addresses.
> Because your data has activity for 2 hosts, x.y.z.w, and w.z.y.x,
> ramon() is designed to generate only two output records,
> one for x.y.z.w and one for w.z.y.x.  That's basically what
> you're seeing.
> 
>    So the output is right.  Maybe you probably should run
> ragator() instead of ramon()?  What type of report are you
> trying to generate?
> 
> Carter
> 
> 
> 
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Glenn MacGregor
> Sent: Friday, June 04, 2004 2:54 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: [ARGUS] raxml issue
> 
> Hi All,
> 
> Here is a snippit from the output of raxml (ramon -M topn -unnnr
> argus.out -w - | raxml -unnnr - > hosts.xml)
> 
> The test I ran is the following:
> At 192.168.0.74 I downloaded a 17meg file from 192.168.0.104. I would
> assume Argus would output from ramon -M topn one record with a SrcIpAddr
> = 192.168.0.74 with a very small number of SrcBytes and SrcAppBytes and
> very high DstBytes and DstAppBytes and the opposite for 192.168.0.104.
> Is this correct?
> 
> Here is some  output from the command above:
> 
> ...
> <Flow><IP SrcIPAddr = "192.168.0.104" DstIPAddr = "0.0.0.0" Proto = "0"
> IpId = "0" /></Flow>...
> <Metrics SrcCount = "3569" DstCount = "11879" SrcBytes = "267211"
> DstBytes = "17599811" SrcAppBytes = "35165" DstAppBytes = "16820505" />...
> 
> ...
> <Flow><IP SrcIPAddr = "192.168.0.74" DstIPAddr = "0.0.0.0" Proto = "0"
> IpId = "0" /></Flow>...
> <Metrics SrcCount = "11681" DstCount = "3370" SrcBytes = "17582185"
> DstBytes = "226442" SrcAppBytes = "16811219" DstAppBytes = "2778" />...
> 
> Again the http server is on 192.168.0.104 and the client is 192.168.0.74
> so this XML output seems backwards to me.
> 
> Any thoughts?
> 
>     Thanks
> 
> 	Glenn MacGregor
> 
> 
> 
> 
>

More information about the argus mailing list