racount status and its definition
Carter Bullard
carter at qosient.com
Wed Jun 21 00:35:31 EDT 2006
As a follow-up to the racount() discussion. racount() is important as
a standalone tool, if only to verify that programs like racluster() are
doing the right thing. If you take a huge file and aggregate/cluster
it based on, say, protocol, or src TOS byte, or MAC address matrix, or
if you want to split a file into a hundred little files, you occasionally
need to have some way of assuring that the merge or split was
successful and accounts for all the relevant traffic.
That was the original purpose of racount(). racount the original file,
racount the resulting file(s), and at least the total packets and total
bytes should agree (the source and destination counters may be
different, as the merge or split can rearrange the direction of a
record).
As a result, we can't replace racount() with a set of racluster()
commands and be done with it. But if racluster() provides
a better way of counting, we should yield to racluster().
The argus-2.0.6 racount(), using the -a option, would print out
totals broken out by protocol, but it only reported on TCP, UDP,
ICMP, other IP, ARP and "non-IP". racluster() will
report on all the IP protocols possible, and if it's not IP it will
continue to break it down, reporting the Ethernet type,
so it does a much better job.
Now, I still think there are a lot of different kinds of things to
count, so racount() does have a job.
Opinions/comments/suggestions all are welcome!!!
Carter
On Jun 20, 2006, at 11:04 AM, Carter Bullard wrote:
> Hey Robin et al.,
> You have become the target of anything racount() related ;o)
>
> So, in trying to understand if the "-M proto" option is useful,
> I realized that all of the old racount() functions are supported
> by racluster(). I don't want to duplicate features, so I may
> end up redefining racount(), but keeping its default behavior.
> What I will do for now is leave it as it is, no -A support, but
> with the "-M addr" option, and then figure out what to do after
> that based on the list's opinion.
>
> I use racount as a quick and dirty way of seeing how big
> an argus data file is, and to check if programs like racluster()
> preserve the counts when they aggregate records, so the
> default mode is great, but we can also generate the exact same
> output using racluster(); you just have to type more on the
> command line to get the output right. Same goes for the old -a
> option:
>
> The older racount() functions can be done in racluster() as:
>
> racount -r file
> racluster -r file -m srcid -s trans pkts spkts dpkts bytes sbytes dbytes
>
> racount -ar file
> racluster -r file -m proto -s proto trans pkts spkts dpkts bytes sbytes dbytes
>
> Now, with the '-M addr', we have a unique counting situation,
> and so that seems appropriate, and I think there should be more
> counting things to do, like ports, MAC address types (vendor IDs),
> that kind of thing.
>
> So, opinions? If we could discuss the counting requirements, that
> might help define racount a bit.
>
> Carter
>
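The accounting check described in the message (racount the original, racount the merged or split output, and require the direction-neutral totals to agree while the src/dst counters are allowed to differ) can be modelled outside argus. The following is an added example, not argus code and not from the list: it builds constructed flow records with the counter fields named in the -s lists above, a toy racluster() that aggregates by key fields and flips the direction of reversed address pairs when it is clustering on the address matrix, a toy file split, and the conservation check itself. Record layout, the direction-canonicalisation rule and the field names are assumptions for illustration.

```python
from collections import defaultdict

# Counter fields from the `-s` lists in the message. Assumed numeric.
COUNTERS = ("trans", "pkts", "spkts", "dpkts", "bytes", "sbytes", "dbytes")

# Constructed sample records (not real argus output). Each record is one
# flow as a probe might report it; trans=1 because nothing is merged yet.
RECORDS = [
    {"srcid": "probe1", "saddr": "10.0.0.5", "daddr": "10.0.0.9", "proto": "tcp",
     "trans": 1, "pkts": 10, "spkts": 6, "dpkts": 4, "bytes": 1500, "sbytes": 900, "dbytes": 600},
    {"srcid": "probe1", "saddr": "10.0.0.9", "daddr": "10.0.0.5", "proto": "tcp",
     "trans": 1, "pkts": 8, "spkts": 3, "dpkts": 5, "bytes": 1200, "sbytes": 400, "dbytes": 800},
    {"srcid": "probe1", "saddr": "10.0.0.5", "daddr": "10.0.0.7", "proto": "udp",
     "trans": 1, "pkts": 4, "spkts": 2, "dpkts": 2, "bytes": 400, "sbytes": 200, "dbytes": 200},
    {"srcid": "probe1", "saddr": "10.0.0.7", "daddr": "10.0.0.5", "proto": "icmp",
     "trans": 1, "pkts": 2, "spkts": 1, "dpkts": 1, "bytes": 196, "sbytes": 98, "dbytes": 98},
    {"srcid": "probe1", "saddr": "00:11:22:33:44:55", "daddr": "ff:ff:ff:ff:ff:ff", "proto": "arp",
     "trans": 1, "pkts": 1, "spkts": 1, "dpkts": 0, "bytes": 60, "sbytes": 60, "dbytes": 0},
]


def racount(records):
    """Sum every counter over a record set, like `racount -r file`."""
    totals = dict.fromkeys(COUNTERS, 0)
    for r in records:
        for c in COUNTERS:
            totals[c] += r[c]
    return totals


def reverse(r):
    """Swap a record's direction: src fields become dst fields and vice versa."""
    out = dict(r)
    out["saddr"], out["daddr"] = r["daddr"], r["saddr"]
    out["spkts"], out["dpkts"] = r["dpkts"], r["spkts"]
    out["sbytes"], out["dbytes"] = r["dbytes"], r["sbytes"]
    return out


def racluster(records, keys):
    """Aggregate records by the given key fields, summing counters
    (toy model of `racluster -m keys`). When clustering on the address
    matrix, a record whose address pair is the reverse of the orientation
    seen first is flipped before merging; that is the step that can change
    spkts/dpkts and sbytes/dbytes while leaving pkts and bytes intact."""
    orientation = {}   # unordered address pair -> (saddr, daddr) seen first
    bins = {}
    for r in records:
        if "saddr" in keys and "daddr" in keys:
            pair = frozenset((r["saddr"], r["daddr"]))
            forward = orientation.setdefault(pair, (r["saddr"], r["daddr"]))
            if (r["saddr"], r["daddr"]) != forward:
                r = reverse(r)
        k = tuple(r[f] for f in keys)
        if k not in bins:
            bins[k] = {f: r[f] for f in keys}
            bins[k].update(dict.fromkeys(COUNTERS, 0))
        for c in COUNTERS:
            bins[k][c] += r[c]
    return list(bins.values())


def rasplit(records, key):
    """Partition a record set by one field, modelling a split into many files."""
    parts = defaultdict(list)
    for r in records:
        parts[r[key]].append(r)
    return dict(parts)


def check_accounting(original, derived_sets):
    """The racount() consistency check: trans, pkts and bytes must be
    conserved across the merged/split output taken together. src/dst
    counters are reported as drift but do not fail the check, since a
    merge or split may rearrange record direction."""
    before = racount(original)
    after = dict.fromkeys(COUNTERS, 0)
    for s in derived_sets:
        for c, v in racount(s).items():
            after[c] += v
    ok = all(before[c] == after[c] for c in ("trans", "pkts", "bytes"))
    drift = {c: after[c] - before[c] for c in COUNTERS if before[c] != after[c]}
    return ok, drift


if __name__ == "__main__":
    print(check_accounting(RECORDS, [racluster(RECORDS, ("proto",))]))
    print(check_accounting(RECORDS, [racluster(RECORDS, ("saddr", "daddr"))]))
    print(check_accounting(RECORDS, rasplit(RECORDS, "proto").values()))
    print(check_accounting(RECORDS, [RECORDS[:-1]]))   # one record lost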
More information about the argus mailing list