racount status and its definition

Robin Gruyters r.gruyters at yirdis.nl
Wed Jun 21 03:21:49 EDT 2006


Hi Carter,

At the moment we use the output of racount() for our monthly report to
customers, to show them how much data they have used (by proto and total).

For me it doesn't matter if this is possible with racount() or racluster(),
if I just get the output done.
If this is possible with racount() and with the "-M addr" option, great!

The other options, like counts on ports etc, that would also be nice to
have.

Although you say it is also possible with racluster(), the outcome is
totally different from what I get back from racount() (I mean the numbers).

[racount]
# racount -ar /data2/argus/05/*/* - net 82.148.219.XXX/28
racount    records       total_pkts         src_pkts         dst_pkts      total_bytes        src_bytes        dst_bytes
    tcp    1443778         69225031         28344760         40880271      55494468479       7222126408      48272342071
    udp     280703           549026           293754           255272         86044190         35139486         50904704
   icmp      35102            47042            46966               76          3503635          3499223             4412
     ip      40441         16142558          6955365          9187193       4000450129       1192848404       2807601725
    sum    1800024         85963657         35640845         50322812      59584466433       8453613521      51130852912
[end racount]

[racluster]
# racluster -R /data2/argus/05 -m proto \
  -s proto trans pkts spkts dpkts bytes sbytes dbytes - net 82.148.219.XXX/28
    esp      1        1        1        0        310          310            0
    gre  40440 16142557  6955364  9187193 4000449819   1192848094   2807601725
    udp 283037   554632   296948   257684   86633957     35435077     51198880
    tcp 144666 69282162 28369630 40912532 3994126059   2934170533   1059955526
   icmp  36644    50347    50270       77    4126254      4121768         4486
[end racluster]

If you only check the "total bytes" on TCP packets: with racount() I get
55494468479 bytes and with racluster() 3994126059 bytes. That is a huge
difference.

Is there an explanation for this behaviour?

Regards,

Robin

On Tue, Jun 20, 2006 at 11:04:01AM -0400, Carter Bullard wrote:
> Hey Robin et al.,
> You have become the target of anything racount() related ;o)
> 
> So, in trying to understand if the "-M proto" option is useful,
> I realized that all of the old racount() functions are supported
> by racluster(), so I don't want to duplicate features, so I may
> end up redefining racount(), but keeping its default behavior.
> What I will do for now is leave it as it is, no -A support, but
> with the "-M addr" option and then figure out what to do after
> that based on the list's opinion.
> 
> I use racount as a quick and dirty way of seeing how big an argus
> data file is, and to check if programs like racluster()
> preserve the counts when it aggregates records, so the
> default mode is great, but we can also generate the exact same
> output using racluster(), you just have to type more on the
> command line to get the output right.  Same goes for the old -a option:
> 
> The older racount() functions can be done in racluster() as:
> 
>    racount -r file
>    racluster -r file -m srcid -s trans pkts spkts dpkts bytes sbytes dbytes
> 
>    racount -ar file
>    racluster -r file -m proto -s proto trans pkts spkts dpkts bytes sbytes dbytes
> 
> Now, with the '-M addr', we have a unique counting situation,
> and so that seems appropriate, and I think there should be more
> counting things to do, like ports, mac address types (vendor ids),
> that kind of thing.
> 
> So, opinions? If we could discuss the counting requirements, that
> might help define racount a bit.
> 
> Carter
> 
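As an added example (not code from the argus project or from either poster), here is a small Python checker for the count-preservation test Carter describes and the discrepancy Robin reports: it parses the two outputs quoted above, verifies that racount's "sum" row equals the column-wise total of its protocol rows, and reports per-protocol differences between the racount and racluster numbers. It assumes racluster's columns come out in the order given to -s, and it pairs rows only by identical protocol name, so racount's "ip" row and racluster's "gre" row are not compared against each other.

```python
# Cross-check racount against racluster per-protocol totals (added example, not argus code).
# Constructed sample input: the two outputs quoted in this thread. racluster prints no
# header line, so its columns are taken to follow the -s field list from the command line.
RACOUNT_OUT = """\
racount    records       total_pkts         src_pkts         dst_pkts      total_bytes        src_bytes        dst_bytes
    tcp    1443778         69225031         28344760         40880271      55494468479       7222126408      48272342071
    udp     280703           549026           293754           255272         86044190         35139486         50904704
   icmp      35102            47042            46966               76          3503635          3499223             4412
     ip      40441         16142558          6955365          9187193       4000450129       1192848404       2807601725
    sum    1800024         85963657         35640845         50322812      59584466433       8453613521      51130852912
"""
RACLUSTER_OUT = """\
    esp      1        1        1        0        310          310            0
    gre  40440 16142557  6955364  9187193 4000449819   1192848094   2807601725
    udp 283037   554632   296948   257684   86633957     35435077     51198880
    tcp 144666 69282162 28369630 40912532 3994126059   2934170533   1059955526
   icmp  36644    50347    50270       77    4126254      4121768         4486
"""
FIELDS = ["trans", "pkts", "spkts", "dpkts", "bytes", "sbytes", "dbytes"]  # racluster -s order
# racount header names mapped onto the racluster field names above.
RACOUNT_NAMES = {"records": "trans", "total_pkts": "pkts", "src_pkts": "spkts", "dst_pkts": "dpkts",
                 "total_bytes": "bytes", "src_bytes": "sbytes", "dst_bytes": "dbytes"}

def parse_racount(text):
    """Return {proto: {field: int}}, including racount's own 'sum' row."""
    lines = text.strip().splitlines()
    header = [RACOUNT_NAMES[h] for h in lines[0].split()[1:]]
    return {p[0]: dict(zip(header, map(int, p[1:]))) for p in (l.split() for l in lines[1:])}

def parse_racluster(text, fields=FIELDS):
    """Return {proto: {field: int}}; the first column is the -m proto key."""
    return {p[0]: dict(zip(fields, map(int, p[1:]))) for p in (l.split() for l in text.strip().splitlines())}

def sum_row_errors(rows):
    """Column-wise total of the protocol rows minus racount's 'sum' row; all zeros means consistent."""
    protos = [r for p, r in rows.items() if p != "sum"]
    return {f: sum(r[f] for r in protos) - rows["sum"][f] for f in FIELDS}

def compare(racount_rows, racluster_rows):
    """Per-protocol racount minus racluster for protocols named identically in both outputs."""
    shared = (racount_rows.keys() & racluster_rows.keys()) - {"sum"}  # 'ip' vs 'gre' are not paired
    return {p: {f: racount_rows[p][f] - racluster_rows[p][f] for f in FIELDS} for p in shared}

def flag_mismatches(racount_rows, racluster_rows, tol=0.10):
    """(proto, field) pairs whose difference, relative to the racount value, exceeds tol."""
    return {(p, f) for p, d in compare(racount_rows, racluster_rows).items()
            for f, delta in d.items() if abs(delta) / (racount_rows[p][f] or 1) > tol}
```

Running `flag_mismatches(parse_racount(RACOUNT_OUT), parse_racluster(RACLUSTER_OUT))` on the quoted data singles out the TCP byte columns and record count, while the packet columns for TCP agree to within a fraction of a percent.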
