Connection Bytes

Peter Van Epp vanepp at sfu.ca
Wed Oct 4 10:56:34 EDT 2006


On Wed, Oct 04, 2006 at 01:58:29PM +0800, CS Lee wrote:
> Hi all,
> 
> Normally when we perform analysis using argus, we will have entry like this
> 
> 17:19:46.623049 6 222.64.79.60.3493 -> 1.2.3.4.80 4 3 *536 780* CON
> 17:19:53.598808 6 222.64.79.60.3493 -> 1.2.3.4.80 2 1 *420 668* CON
> 
> The bold numbers are the sbytes and dbytes, which is actually includes the
> header and i consider it as frame bytes, is it possible to only show the
> payload(application bytes) instead of the whole frame bytes?
> 
> By the way, I vote for libpcap base too :)
> 
> Cheers
> 
> -- 
> Best Regards,
> 
> CS Lee<geekooL[at]gmail.com>

	 Yep, if you add -s +sappbytes +dappbytes to the ra command you will get the payload only counts (in a quick look I didn't
see this in the ra man page though it may be there and I'm blind :-)). Adding -s -sbytes -s -dbytes will suppress the payload
counts. Comparing the application and payload count ratios is a good way to find hosts with high error rate connections (a good
connection will be 5% or 10% different, I've seen ones with 50% difference because of something screwball in the machine's
stack, and that leaps out at you).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
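The frame-bytes versus application-bytes comparison from the reply above, as an added example (not code from the thread or from argus): it parses ra-style lines that carry sbytes/dbytes and sappbytes/dappbytes, computes the non-payload fraction per direction, and flags flows whose overhead is far above the 5-10% of a healthy connection. The column order, the sample lines, and the 25% threshold are assumptions of this example; with ra the order follows the -s list you supply.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of ra output with app-byte columns added. Assumed field
# order: stime proto saddr.sport dir daddr.dport spkts dpkts sbytes dbytes
# sappbytes dappbytes state  (the real order depends on the -s list given to ra)
SAMPLE_RA_OUTPUT = """\
17:19:46.623049 6 222.64.79.60.3493 -> 1.2.3.4.80 4 3 536 780 482 702 CON
17:19:53.598808 6 222.64.79.60.3493 -> 1.2.3.4.80 2 1 420 668 210 601 CON
17:20:01.101010 6 10.0.0.7.44021 -> 1.2.3.4.80 1 0 60 0 0 0 RST
"""


@dataclass
class Flow:
    src: str
    dst: str
    sbytes: int      # frame bytes, source -> destination
    dbytes: int      # frame bytes, destination -> source
    sappbytes: int   # payload bytes, source -> destination
    dappbytes: int   # payload bytes, destination -> source
    state: str


def parse_ra_line(line: str) -> Flow:
    """Split one ra output line into a Flow using the assumed column order."""
    f = line.split()
    if len(f) != 12:
        raise ValueError(f"unexpected field count in ra line: {line!r}")
    return Flow(f[2], f[4], int(f[7]), int(f[8]), int(f[9]), int(f[10]), f[11])


def overhead(frame_bytes: int, app_bytes: int) -> Optional[float]:
    """Fraction of frame bytes that is not payload; None when there is no payload to compare."""
    if frame_bytes == 0 or app_bytes == 0:   # pure control traffic (e.g. a lone RST)
        return None
    return (frame_bytes - app_bytes) / frame_bytes


def suspicious_flows(text: str, threshold: float = 0.25) -> List[Tuple[str, str, str, float]]:
    """Return (src, dst, direction, overhead) for every direction above the threshold (assumed 25%)."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fl = parse_ra_line(line)
        for direction, fb, ab in (("src", fl.sbytes, fl.sappbytes), ("dst", fl.dbytes, fl.dappbytes)):
            o = overhead(fb, ab)
            if o is not None and o > threshold:
                hits.append((fl.src, fl.dst, direction, round(o, 3)))
    return hits
```

The second sample flow carries 420 frame bytes but only 210 payload bytes from the client, so it is reported; the RST-only flow has no payload and is skipped rather than counted as 100% overhead.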
