[ARGUS] raxml issue

Carter Bullard carter at qosient.com
Mon Jun 7 10:31:48 EDT 2004


Hey Glenn,
   Well, ramon() will give you those answers, and raxml()
in this case is giving you the right data. So, if you're
happy, then we're all happy, so to speak ;o)

   The real difference between ragator() and ramon() is
that ramon() is a fixed model ragator(), i.e. you select
from 1 of 5-6 basic ragator configurations using the -M
option.  The only option that ramon() offers that ragator()
doesn't support is the TopN mode, which is a RMON type
metric.  To do that with flow data, you have to
duplicate the data before modifying the flows.  Thus
the name RaMON().

   If you want to check out ./clients/ramon.c, you'll
see the simple ragator() configurations that it uses.
That might give you some ideas on how to use ragator().


Carter


-----Original Message-----
From: Glenn MacGregor [mailto:gtm at highstreetnetworks.com]
Sent: Monday, June 07, 2004 10:15 AM
To: Carter Bullard
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] raxml issue

Carter,

Thanks for the info. I do three queries using ramon TopN, Matrix,
Service. The data I want is the list of hosts with traffic metrics. The
list of talkers with metrics and the list of services with metrics. Is
there a way to do this with ragator? Can you give me some advice on
using ragator in this capacity?

	Thanks

		Glenn


Carter Bullard wrote:
> Hey Glenn,
>    You probably shouldn't be using ramon() in this case.
> ramon() is a variation of ragator(), so it's a special
> case of an argus data aggregator.  It modifies the flow
> description (the src/dst ip addr, proto, src port
> and dst port fields) of each record and then merges
> records that have the same resulting flow descriptor.
>
> ramon() differs from ragator() in that it REALLY
> modifies the original record depending on the mode,
> by removing most of the flow descriptor fields, AND,
> it also doubles the packet and byte counts for the
> total data in the file (this is a by-product of the
> RMON concept, not a bug).
>
>   By running ramon(), you are modifying the flow records
> to report aggregated totals for individual IP addresses.
> Because your data has activity for 2 hosts, x.y.z.w, and w.z.y.x,
> ramon() is designed to generate only two output records,
> one for x.y.z.w and one for w.z.y.x.  That's basically what
> you're seeing.
>
>    So the output is right.  Maybe you probably should run
> ragator() instead of ramon()?  What type of report are you
> trying to generate?
>
> Carter
>
>
>
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Glenn MacGregor
> Sent: Friday, June 04, 2004 2:54 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: [ARGUS] raxml issue
>
> Hi All,
>
> Here is a snippet from the output of raxml (ramon -M topn -unnnr
> argus.out -w - | raxml -unnnr - > hosts.xml)
>
> The test I ran is the following:
> At 192.168.0.74 I downloaded a 17meg file from 192.168.0.104. I would
> assume Argus would output from ramon -M topn one record with a SrcIpAddr
> = 192.168.0.74 with a very small number of SrcBytes and SrcAppBytes and
> very high DstBytes and DstAppBytes and the opposite for 192.168.0.104.
> Is this correct?
>
> Here is some output from the command above:
>
> ...
> <Flow><IP SrcIPAddr = "192.168.0.104" DstIPAddr = "0.0.0.0" Proto = "0"
> IpId = "0" /></Flow>...
> <Metrics SrcCount = "3569" DstCount = "11879" SrcBytes = "267211"
> DstBytes = "17599811" SrcAppBytes = "35165" DstAppBytes = "16820505" />...
>
> ...
> <Flow><IP SrcIPAddr = "192.168.0.74" DstIPAddr = "0.0.0.0" Proto = "0"
> IpId = "0" /></Flow>...
> <Metrics SrcCount = "11681" DstCount = "3370" SrcBytes = "17582185"
> DstBytes = "226442" SrcAppBytes = "16811219" DstAppBytes = "2778" />...
>
> Again the http server is on 192.168.0.104 and the client is 192.168.0.74
> so this XML output seems backwards to me.
>
> Any thoughts?
>
>     Thanks
>
> 	Glenn MacGregor
>
>
>
>
>
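As an added illustration of the aggregation described in this thread (example code, not from Argus or from either poster): a toy Python model of ragator() masking flow descriptors and merging equal keys, with ramon() as a fixed-model ragator() whose TopN mode duplicates records first, which is why its packet and byte totals come out doubled. The field sets in MODELS and the way the TopN copy swaps endpoints and direction counters are assumptions chosen for illustration; the thread does not state Argus's exact conventions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:  # flow descriptor fields that ragator() masks before merging
    saddr: str
    daddr: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Metrics:  # per-direction counters carried by each record
    spkts: int
    dpkts: int
    sbytes: int
    dbytes: int

    def add(self, o):
        return Metrics(self.spkts + o.spkts, self.dpkts + o.dpkts,
                       self.sbytes + o.sbytes, self.dbytes + o.dbytes)

# Fixed models standing in for ramon's -M modes (hypothetical field choices).
MODELS = {"matrix": ("saddr", "daddr"), "service": ("proto", "dport"), "topn": ("saddr",)}
WILD = {"saddr": "0.0.0.0", "daddr": "0.0.0.0", "proto": "0", "sport": 0, "dport": 0}

def ragator(records, keep):  # blank every field not in `keep`, merge equal keys
    out = {}
    for flow, m in records:
        key = Flow(**{f: getattr(flow, f) if f in keep else WILD[f] for f in WILD})
        out[key] = out[key].add(m) if key in out else m
    return list(out.items())

def ramon(records, mode):
    """ramon() is ragator() with a fixed model; TopN duplicates records first."""
    if mode == "topn":
        # Copy each record so both endpoints get a per-host total; the copy swaps
        # endpoints and direction counters (assumed convention). Totals double.
        records = [r for flow, m in records for r in (
            (flow, m),
            (Flow(flow.daddr, flow.saddr, flow.proto, flow.dport, flow.sport),
             Metrics(m.dpkts, m.spkts, m.dbytes, m.sbytes)))]
    return ragator(records, MODELS[mode])

# Constructed sample: one client fetching from an HTTP server over two connections.
SAMPLE = [
    (Flow("192.168.0.74", "192.168.0.104", "tcp", 40001, 80), Metrics(30, 90, 2000, 120000)),
    (Flow("192.168.0.74", "192.168.0.104", "tcp", 40002, 80), Metrics(10, 20, 500, 15000)),
]
```

Running `ramon(SAMPLE, "topn")` yields one record per host whose combined byte count is exactly twice that of `SAMPLE`, while `ragator(SAMPLE, MODELS["matrix"])` merges both connections into a single record with the original totals.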
