question about ra -s flag

Peter Van Epp vanepp at sfu.ca
Tue Jan 25 12:40:37 EST 2005 

On Tue, Jan 25, 2005 at 10:34:12AM -0600, Nick Giordano wrote:
> I seem to be getting inconsistent results depending on what I give to 
> the -s flag of ra (Ra Version 2.0.6.fixes.1).  Some of the results have 
> a ',' prepended and others do not.
> 
> My rarc file is:
> RA_FIELD_DELIMITER=','
> RA_PRINT_UNIX_TIME=yes
> 
> ra -s rate -r out/jan_19_out gives
> ...
> ,18.08,14.47
> ,20.05,16.04
> ,0.00,0.00
> ,39.05,22.80
> ...

	This appears to be a bug in that 

ra -s rate -r file (with no rarc or -F flag) outputs two fields rather than
three (one empty) as it tries to do with the RA_FIELD_DELIMITER=',' set.

> 
> while
> 
> ra -s spkts -r out/jan_19_out gives
> ...
> 14
> 1
> 1
> 2
> 1
> 30
> ...
> 
> And speaking of the 'rate' field, what do the two values mean?
> 

	Don't know, would have to look at the code (I don't think its in man
pages anywhere)

> Additionally, what is the second field of an ra query with no options?
> 

	The proto field in the ra man page:

       proto [options protocol]
           The proto indicator consists of two fields. The first  is  protocol
           specific and the designations are:
             m       -  MPLS encapsulated flow
             q       -  802.1Q encapsulated flow
             p       -  PPP over Enternet encapsulated flow
             E       -  Multiple encapsulations/tags
              s      -  Src TCP packet retransmissions
              d      -  Dst TCP packet retransmissions
              *      -  Both Src and Dst TCP retransmissions
              i      -  Src TCP packets out of order
              r      -  Dst TCP packets out of order
              &      -  Both Src and Dst packet out of order
               S     -  Src TCP Window Closure
               D     -  Dst TCP Window Closure
               @     -  Both Src and Dst Window Closure
               x     -  Src TCP Explicit Congestion Notification
               t     -  Dst TCP ECN
               E     -  Both Src and Dst ECN
                M    -  Multiple physical layer paths
                 I   -  ICMP event mapped to this flow
                  S  -  IP option Strict Source Route
                  L  -  IP option Loose Source Route
                  T  -  IP option Time Stamp
                  +  -  IP option Security
                  R  -  IP option Record Route
                  A  -  IP option Router Alert
                  O  -  multiple IP options set
                  E  -  unknown IP options set
                   F -  Fragments seen
                   f -  Partial Fragment
                   V -  Fragment overlap seen

           The  second field indicates the upper protocol used in the transac-
           tion.  This field will contain the first 4 characters of the  offi-
           cial  name  for  the  protocol used, as defined in RFC-1700.  Argus
           attempts to discovery the Realtime Transport Protocol, when  it  is
           being  used.   When  it encounters RTP, it will indicate its use in
           this field, with the string 'rtp'.  Use of  the  -n  option,  twice
           (-nn), will cause the actual protocol number to be displayed.


> /data/beancounter $ ra -r out/jan_19_out
> 1106110724,,udp,xxx.xxx.xxx.xxx,1948,->,xxx.xxx.xxx.xxx,1948,1,0,478,0,INT
> 1106110680,I,udp,xxx.xxx.xxx.xxx,->,xxx.xxx.xxx.xxx,netbi,6,0,1842,0,INT
> 
> Also, the -A flag will give byte counts of application data instead of 
> total byte size, is there any possibility of this being added as a field 
> option so we could have total bytes and application bytes on the same 
> output line?
> 
> Thanks,
> 
> Nick
> 
> 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list