rasort -m loss won't work

[Wolfgang Barth]

Carter,

> I put sorting on loss, ploss, psloss and pdloss into the new
> code that I put on the server just now.  Haven't gotten to the
> time filter bugs yet, hopefully I'll have that by Monday.
> 
> Hope all is most excellent,

Most may be excellent ;-) Sorting loss now works, but I need a little help
in unterstanding your metric calculating percents of loss:

1) racluster:
racluster -m saddr/23 proto -r argus-2007-04-13-00:00:00.log -w - ip | \
   rasort -m ploss -s saddr proto ploss loss pkts sploss sloss spkts \
             dploss dloss dpkts | head -10

SrcAddr   Proto pDst_Loss Loss  TotPkts  pSrc_Loss SrcLoss  SrcPkts  pDst_Loss    DstLoss  DstPkts 
!!!              ^^^^ should be 'p_Loss'

172.17.254.0 tcp 25.000   4       26 22.222   4       14      0.000          0       12
172.17.192.0 tcp 13.333 800    10000  0.000   0     4800     13.333        800     5200

first line: 
   26 pkts total, 4 loss, 25% ???
   14 pkts src, 4 src loss, 22.2222 %?

second line:
   10000 pkts total, 800 loss, 13.333 %


2) plain ra:
ra -r /var/log/argus/argus.log -w - ip | rasort -m ploss -s saddr proto \
   ploss loss pkts sploss sloss spkts dploss dloss dpkts | head -10

SrcAddr  Proto  pDst_Loss Loss  TotPkts  pSrc_Loss SrcLoss  SrcPkts  pDst_Loss    DstLoss  DstPkts 
172.17.129.169 tcp  0.000  9        9     50.000   9        9      0.000          0        0

9 pkts total, 9 loss, 50% ???

3) little bug in ragraph:

ragraph bytes dport -M 1m -r /var/log/argus/argus.log - pkts gt 100
rabins[25451]: 2007-04-14 11:21:55 spkts dpkts gt 100 filter syntax error

It seems your parsing in ragraph did not stop at '-' and ragraph is
substituting pkts to 'spkts dpkts'.

Another question: why did you not increment rc.42? Do I need a towel? ;-)

Wolfgang
-- 
<wob (at) swobspace de> * http://www.swobspace.de