rasort -m loss won't work

Carter Bullard carter at qosient.com
Tue Apr 17 10:48:00 EDT 2007 

Hey Wolfgang,
Found a few bugs in the loss reporting.  I'll have a refresh of rc.42  
up today.
I'm not changing the rc version number, as this is suppose to be the  
last
candidate, so I'm just refreshing the same version number.  I know its a
bit confusing, but its an interesting state, "code freeze, with code  
changing".
Not a desirable state to be in, and possibly unavoidable at some stage
in the game.

And I fixed the problem with keywords embedded in the filter for  
ragraph().
I'll have the new code up in a few hours.

Carter



On Apr 14, 2007, at 5:30 AM, Wolfgang Barth wrote:

> Carter,
>
>> I put sorting on loss, ploss, psloss and pdloss into the new
>> code that I put on the server just now.  Haven't gotten to the
>> time filter bugs yet, hopefully I'll have that by Monday.
>>
>> Hope all is most excellent,
>
> Most may be excellent ;-) Sorting loss now works, but I need a  
> little help
> in unterstanding your metric calculating percents of loss:
>
> 1) racluster:
> racluster -m saddr/23 proto -r argus-2007-04-13-00:00:00.log -w -  
> ip | \
>    rasort -m ploss -s saddr proto ploss loss pkts sploss sloss spkts \
>              dploss dloss dpkts | head -10
>
> SrcAddr   Proto pDst_Loss Loss  TotPkts  pSrc_Loss SrcLoss   
> SrcPkts  pDst_Loss    DstLoss  DstPkts
> !!!              ^^^^ should be 'p_Loss'
>
> 172.17.254.0 tcp 25.000   4       26 22.222   4       14       
> 0.000          0       12
> 172.17.192.0 tcp 13.333 800    10000  0.000   0     4800      
> 13.333        800     5200
>
> first line:
>    26 pkts total, 4 loss, 25% ???
>    14 pkts src, 4 src loss, 22.2222 %?
>
> second line:
>    10000 pkts total, 800 loss, 13.333 %
>
>
> 2) plain ra:
> ra -r /var/log/argus/argus.log -w - ip | rasort -m ploss -s saddr  
> proto \
>    ploss loss pkts sploss sloss spkts dploss dloss dpkts | head -10
>
> SrcAddr  Proto  pDst_Loss Loss  TotPkts  pSrc_Loss SrcLoss   
> SrcPkts  pDst_Loss    DstLoss  DstPkts
> 172.17.129.169 tcp  0.000  9        9     50.000   9        9       
> 0.000          0        0
>
> 9 pkts total, 9 loss, 50% ???
>
> 3) little bug in ragraph:
>
> ragraph bytes dport -M 1m -r /var/log/argus/argus.log - pkts gt 100
> rabins[25451]: 2007-04-14 11:21:55 spkts dpkts gt 100 filter syntax  
> error
>
> It seems your parsing in ragraph did not stop at '-' and ragraph is
> substituting pkts to 'spkts dpkts'.
>
> Another question: why did you not increment rc.42? Do I need a  
> towel? ;-)
>
> Wolfgang
> -- 
> <wob (at) swobspace de> * http://www.swobspace.de
>

More information about the argus mailing list