"version 4.1" files ? + file size remark

Carter Bullard carter at qosient.com
Mon Feb 12 20:16:53 EST 2007 

Hey Stephane,
No the version should revert to 3.0.  The 4.1 is an accidental carryover
from gargoyle, which is argus-4.0.  I'll change that right now!!!

The size change is predominately a result of additional data being  
stored
for TCP and additional timestamping.  This data is not probably
interesting for everyone, so we may want to consider another default
set of metrics for TCP.  Do an experiment with rastrip(), and take  
out the
tcp/net structure:

    rastrip -r converted-argus-3.0-data -M -net -w converted- 
argus-3.0-strip

And see if you get significant reduction.  By throwing away this data,
what you lose is TCP state, which is important, performance data, like
round trip times, the window stats, such as window sizes, and ack'd  
bytes,
base sequence numbers.  This structure will have the OS fingerprinting
data, which will be in the next round.

I can make a default TCP data struct so that argus reports less  
information,
and have it report TCP performance if you want it to.

Also the adaptive compression for data can be improved.  We currently
report time as 16 bytes, start time secs and usecs as unsigned ints  
(8 bytes)
and the stop times (another 8 bytes).  We could do it in 12 bytes for  
most
records, and that would be helpful.

In the next round, argus-3.1, we'll start to put in file context  
compression,
which will remove objects that are repetitive, such as the source id,  
and
we'll be able to reduce timestamps by a huge amount.  I'd like to put  
this
stuff in in the next round.

What do you think?


Carter


On Feb 12, 2007, at 2:36 PM, Stéphane Peters wrote:

> Hello Carter,
>
> may I add my 5 cents before the last day...
>
> Will you keep version numbering "4.1" for files generated by an  
> argus-3.0 client for the public release ?
> I was surprised not to find V3 files when working on both types files.
>
> Here are some commands in my test directory:
>
>> [argus at argus-fedora t]% ra3 -w converted-argus-3.0-data -nr  
>> argus-2.0.6-data -
>> [argus at argus-fedora t]% file *data
>> argus-2.0.6-data:         Argus data - version 2.0
>> converted-argus-3.0-data: Argus data - version 4.1
>> [argus at argus-fedora t]% ls -l
>> total 238288
>> -rw-r--r--  1 argus argusg  79131992 jan 29 12:54 argus-2.0.6-data
>> -rw-r--r--  1 argus argusg  29385568 jan 29 12:54 argus-2.0.6-data.gz
>> -rw-r--r--  1 argus argusg       239 fév  9 22:58 argus-2.0.6- 
>> data.gz.racount
>> -rw-r--r--  1 argus argusg       235 fév  9 22:47 argus-2.0.6- 
>> data.racount
>> -rw-r--r--  1 argus argusg 105565848 fév  9 22:48 converted- 
>> argus-3.0-data
>> -rw-r--r--  1 argus argusg  29640207 fév  9 22:48 converted- 
>> argus-3.0-data.gz
>> -rw-r--r--  1 argus argusg       239 fév  9 22:48 converted- 
>> argus-3.0-data.racount
>> [argus at argus-fedora t]%
>
> I also was surprised to see the growth of my files (33%).
> But after compression, the difference of size is fairly  
> unnoticeable (<1%).
>
>
> Regards,
>
> -- 
> Stephane.Peters at forem.be
>
>

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20070212/bd6f206e/attachment.html>

More information about the argus mailing list