racount status and its definition

Carter Bullard carter at qosient.com
Wed Jun 21 08:32:58 EDT 2006


Hmmm, are you a bash shell user or a csh?
Do me a favor and try something like this (assuming bash)

    % for i in /data2/argus/05/*/* ; do echo $i; racluster -r $i -m proto -s proto trans; done

and see if something doesn't look strange.

Carter

On Jun 21, 2006, at 4:44 AM, Robin Gruyters wrote:

> Hello Carter,
>
> I have just run racluster() with the "-r" option and I get the same
> output.
> (without any errors)
>
> [racluster]
> # racluster -r /data2/argus/05/*/* -m proto \
>  -s proto trans pkts spkts dpkts bytes sbytes dbytes - net 82.148.219.32/28
>    esp      1        1        1        0        310          310            0
>    gre  40440 16142557  6955364  9187193 4000449819   1192848094   2807601725
>    udp 283037   554632   296948   257684   86633957     35435077     51198880
>    tcp 144666 69282162 28369630 40912532 3994126059   2934170533   1059955526
>   icmp  36644    50347    50270       77    4126254      4121768         4486
> [end racluster]
>
> Regards,
>
> Robin
>
> On Wed, Jun 21, 2006 at 03:32:49AM -0400, Carter Bullard wrote:
>> Hey Robin,
>>    Looks like something's up.   Try calling racluster with the
>> -r /data2/argus/05/*/*.
>> I suspect that it's getting some kind of error on one of the files,
>> and is stopping,
>> especially since you're getting 1/10th the number of tcp transactions
>> (144666 vs 1443778).
>> I remember that you had a bug report with toooo many filenames, if
>> you're still getting that problem, we'll have to try to figure out
>> what is causing racluster() issues.
>>
>> Sorry for the problems,
>>
>> Carter
>>
>>
>> On Jun 21, 2006, at 3:21 AM, Robin Gruyters wrote:
>>
>>> Hi Carter,
>>>
>>> At the moment we use the output of racount() for our monthly  
>>> report to
>>> customers. To show them how much data they have used. (by proto and
>>> total)
>>>
>>> For me it doesn't matter if this is possible with racount() or
>>> racluster(),
>>> if I just get the output done.
>>> If this is possible with racount() and with the "-M addr" option,
>>> great!
>>>
>>> The other options, like counts on ports etc, that would also be
>>> nice to
>>> have.
>>>
>>> Although you say it is also possible with racluster(), the
>>> outcome is
>>> totally different from what I get back from racount(). (I mean the
>>> numbers)
>>>
>>> [racount]
>>> # racount -ar /data2/argus/05/*/* - net 82.148.219.XXX/28
>>> racount    records       total_pkts         src_pkts         dst_pkts      total_bytes        src_bytes        dst_bytes
>>>    tcp    1443778         69225031         28344760         40880271      55494468479       7222126408      48272342071
>>>    udp     280703           549026           293754           255272         86044190         35139486         50904704
>>>   icmp      35102            47042            46966               76          3503635          3499223             4412
>>>     ip      40441         16142558          6955365          9187193       4000450129       1192848404       2807601725
>>>    sum    1800024         85963657         35640845         50322812      59584466433       8453613521      51130852912
>>> [end racount]
>>>
>>> [racluster]
>>> # racluster -R /data2/argus/05 -m proto \
>>>  -s proto trans pkts spkts dpkts bytes sbytes dbytes - net 82.148.219.XXX/28
>>>    esp      1        1        1        0        310          310            0
>>>    gre  40440 16142557  6955364  9187193 4000449819   1192848094   2807601725
>>>    udp 283037   554632   296948   257684   86633957     35435077     51198880
>>>    tcp 144666 69282162 28369630 40912532 3994126059   2934170533   1059955526
>>>   icmp  36644    50347    50270       77    4126254      4121768         4486
>>> [end racluster]
>>>
>>> If you only check the "total bytes" on TCP packets. With racount()
>>> I get
>>> 55494468479 bytes and with racluster() 3994126059 bytes. That is a
>>> huge
>>> difference.
>>>
>>> Is there an explanation for this behaviour?
>>>
>>> Regards,
>>>
>>> Robin
>>>
>>> On Tue, Jun 20, 2006 at 11:04:01AM -0400, Carter Bullard wrote:
>>>> Hey Robin et al.,
>>>> You have become the target of anything racount() related ;o)
>>>>
>>>> So, in trying to understand if the "-M proto" option is useful,
>>>> I realized that all of the old racount() functions are supported
>>>> by racluster(), so I don't want to duplicate features, so I may
>>>> end up redefining racount(), but keeping its default behavior.
>>>> What I will do for now is leave it as it is, no -A support, but
>>>> with the "-M addr" option and then figure out what to do after
>>>> that based on the list's opinion.
>>>>
>>>> I use racount as a quick and dirty way of seeing how big is
>>>> an argus data file, and to check if programs like racluster()
>>>> preserve the counts when it aggregates records, so the
>>>> default mode is great, but we can also generate the exact same
>>>> output using racluster(), you just have to type more on the
>>>> command line to get the output right.  Same goes for the old -a
>>>> option:
>>>>
>>>> The older racount() functions can be done in racluster() as:
>>>>
>>>>   racount -r file
>>>>   racluster -r file -m srcid -s trans pkts spkts dpkts bytes sbytes dbytes
>>>>
>>>>   racount -ar file
>>>>   racluster -r file -m proto -s proto trans pkts spkts dpkts bytes sbytes dbytes
>>>>
>>>> Now, with the '-M addr', we have a unique counting situation,
>>>> and so that seems appropriate, and I think there should be more
>>>> counting things to do, like ports, mac address types (vendor ids),
>>>> that kind of thing.
>>>>
>>>> So, opinions?   If we could discuss the counting requirements, that
>>>> might help define racount a bit.
>>>>
>>>> Carter
>>>>
>>>
>>
>> Carter Bullard
>> CEO/President
>> QoSient, LLC
>> 150 E. 57th Street Suite 12D
>> New York, New York 10022
>>
>> +1 212 588-9133 Phone
>> +1 212 588-9134 Fax
>>
>>
>

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
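
The count-preservation check discussed in the thread (racount totals against racluster -m proto totals), as an added Python example that is not from the thread or the argus project. It uses the figures Robin posted; the folding of esp and gre into racount's "ip" row and the `tolerance` parameter are assumptions of this example.

```python
# Added example: per-protocol comparison of racount -a and racluster -m proto.
COLS = ("trans", "pkts", "spkts", "dpkts", "bytes", "sbytes", "dbytes")
RACOUNT = """\
tcp 1443778 69225031 28344760 40880271 55494468479 7222126408 48272342071
udp 280703 549026 293754 255272 86044190 35139486 50904704
icmp 35102 47042 46966 76 3503635 3499223 4412
ip 40441 16142558 6955365 9187193 4000450129 1192848404 2807601725
"""
RACLUSTER = """\
esp 1 1 1 0 310 310 0
gre 40440 16142557 6955364 9187193 4000449819 1192848094 2807601725
udp 283037 554632 296948 257684 86633957 35435077 51198880
tcp 144666 69282162 28369630 40912532 3994126059 2934170533 1059955526
icmp 36644 50347 50270 77 4126254 4121768 4486
"""
# Assumption of this example: racount -a lumps everything that is not
# tcp/udp/icmp into its "ip" row, so esp and gre are folded into "ip".
NAMED = {"tcp", "udp", "icmp"}

def parse(text, fold_other=False):
    """Sum the seven counters per protocol; skip header or malformed lines."""
    totals = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLS) + 1 or not all(f.isdigit() for f in fields[1:]):
            continue
        proto = fields[0]
        if fold_other and proto not in NAMED:
            proto = "ip"
        row = totals.setdefault(proto, dict.fromkeys(COLS, 0))
        for col, val in zip(COLS, fields[1:]):
            row[col] += int(val)
    return totals

def mismatches(a, b, tolerance=0.0):
    """Return {proto: {column: (a, b)}} where the relative gap exceeds tolerance."""
    zero = dict.fromkeys(COLS, 0)
    out = {}
    for proto in sorted(set(a) | set(b)):
        ra, rb = a.get(proto, zero), b.get(proto, zero)
        bad = {c: (ra[c], rb[c]) for c in COLS
               if abs(ra[c] - rb[c]) > tolerance * max(ra[c], rb[c], 1)}
        if bad:
            out[proto] = bad
    return out

if __name__ == "__main__":
    for proto, cols in mismatches(parse(RACOUNT), parse(RACLUSTER, True), 0.2).items():
        print(proto, cols)
```

On the thread's figures the "ip" row equals esp plus gre exactly, while tcp differs by more than 20% in trans, bytes, sbytes and dbytes.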




