field questions

Carter Bullard carter at qosient.com
Tue Oct 17 20:18:48 EDT 2006


Hey Christopher,
I've put comments inline.

Christopher Jones wrote:

> All,
>
> Is there a description somewhere of all the possible output fields of
> ra?  I have figured out most of them but a few fields still elude my
> understanding.  The following fields are the ones that I am not sure
> as to what they represent in a flow:
>
When a bunch of flows are merged together, aggregation stats are generated
and stored in the resulting merged record, so 'trans' (the number of
transactions/records combined to generate the record), avgdur (mean duration
of aggregated records), stddev (standard deviation of the duration of merged
records), mindur (minimum) and maxdur (maximum) durations in the records merged.

> trans
> avgdur
> stddev
> mindur
> maxdur

Some of the fields are available in all records, such as src and dst
load (pkts/sec), and src and dst intpkt (interpacket arrival times), which
is available when jitter support is enabled in the argus probe.

> [s|d]load
> ind
> [s|d]intpkt

Some are obsolete, such as ind (which is now flgs), and
srng, which printed out the source duration range, and
drng the dst duration range.

> srng
> drng

And some are specific to certain types of records.  The 'inode'
field is the 'intermediate node' and is only found in icmp mapped
flows, ie flows where an ICMP packet was generated as a result
of a packet within a tracked flow.  This field is the router
that generated the ICMP packet.   These flows have an 'I' in the
flags field when printed in ra(), and inode merging along with sttl
can be used to track traceroute data.

> inode
>
> Thanks for any help.
>
> Chris
>
Sure,

Carter
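As an added illustration of the aggregation fields Carter describes (not code from argus or from this thread), the following Python merges constructed flow records that share a src/dst address pair and derives trans, avgdur, stddev, mindur and maxdur from their durations. The record layout, the use of population standard deviation, and computing load as packets over the merged record's start-to-end span are assumptions of this example, not documented argus behaviour.

```python
import math
from collections import defaultdict

# Constructed sample flow records (not real ra output), one per transaction:
# (saddr, daddr, start_sec, end_sec, spkts, dpkts)
FLOWS = [
    ("10.0.0.5", "10.0.0.9", 0.0, 2.0, 40, 30),
    ("10.0.0.5", "10.0.0.9", 3.0, 7.0, 10, 10),
    ("10.0.0.5", "10.0.0.9", 8.0, 14.0, 30, 20),
    ("10.0.0.7", "10.0.0.9", 1.0, 2.0, 5, 5),
]


def merge_flows(flows, key=lambda f: (f[0], f[1])):
    """Merge records sharing `key` and compute the aggregation fields.

    trans  - number of records combined into the merged record
    avgdur - mean duration of the merged records
    stddev - standard deviation of those durations (population form; an assumption)
    mindur / maxdur - shortest and longest record duration
    sload / dload - pkts/sec over the merged record's own span (an assumption)
    """
    groups = defaultdict(list)
    for f in flows:
        groups[key(f)].append(f)

    merged = {}
    for k, recs in groups.items():
        durs = [end - start for (_, _, start, end, _, _) in recs]
        n = len(durs)
        avg = sum(durs) / n
        stddev = math.sqrt(sum((d - avg) ** 2 for d in durs) / n)
        # The merged record spans from the earliest start to the latest end.
        span = max(r[3] for r in recs) - min(r[2] for r in recs)
        spkts = sum(r[4] for r in recs)
        dpkts = sum(r[5] for r in recs)
        merged[k] = {
            "trans": n,
            "avgdur": avg,
            "stddev": stddev,
            "mindur": min(durs),
            "maxdur": max(durs),
            "sload": spkts / span if span else 0.0,
            "dload": dpkts / span if span else 0.0,
        }
    return merged
```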


