Measuring traffic (confused by -M rmon parameter)
carter at qosient.com
Fri Jun 1 19:39:49 EDT 2007
Indeed, that is what the "-M rmon" mode does. It converts flow data to object data, which looks like a doubling, if you misinterpret the data. Until you have a bit more experience, use the "-M rmon" option with aggregators, like racluster() and rabins().
Compare racluster with and without the option:
racluster -r outfile - net 10.52.32.215/20 and net 10.22.97.10/20 -L0
racluster -M rmon -m saddr -s stime dur saddr spkts dpkts sbytes dbytes -r outfile - net 10.52.32.215/20 and net 10.22.97.10/20 -L0
Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-----Original Message-----
From: Robert Leyba <r_leyba14 at yahoo.com>
Date: Fri, 1 Jun 2007 04:54:11
To:argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] Measuring traffic (confused by -M rmon parameter)
We'd like to measure the network traffic between two of our vlans. We are
quite confused by the -M rmon parameter. In our example below, I sent 4 ping
packets from one host to another. Doing a simple ra and racount vs one with
the -M rmon switch set, it looks like the one with the -M rmon is counting the
packets twice. Note how the timestamps of the packet transmission appear
twice.
What would be the correct procedure?
Thanks
--robert
root at cpocts:/tmp# ra -r outfile - net 10.52.32.215/20 and net 10.22.97.10/20 -L0
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State
14:35:54.112424 e icmp 10.22.97.107 <-> 10.52.32.215 1 1 74 74 ECO
14:35:55.114070 e icmp 10.22.97.107 <-> 10.52.32.215 1 1 74 74 ECO
14:35:56.114940 e icmp 10.22.97.107 <-> 10.52.32.215 1 1 74 74 ECO
14:35:57.116779 e icmp 10.22.97.107 <-> 10.52.32.215 1 1 74 74 ECO
root at cpocts:/tmp# ra -M rmon -r outfile - net 10.52.32.215/20 and net 10.22.97.10/20 -L0
StartTime Flgs Proto Host Sport Dir DstAddr Dport OutPkts InPkts OutBytes InBytes State
14:35:54.112424 e icmp 10.22.97.107 <-> 10.52.32.215 1 1 74 74 ECO
14:35:54.112424 e icmp 10.52.32.215 <-> 10.22.97.107 1 1 74 74 ECO
14:35:55.114070 e icmp 10.22.97.107 <-> 10.52.32.215 1 1 74 74 ECO
14:35:55.114070 e icmp 10.52.32.215 <-> 10.22.97.107 1 1 74 74 ECO
14:35:56.114940 e icmp 10.22.97.107 <-> 10.52.32.215 1 1 74 74 ECO
14:35:56.114940 e icmp 10.52.32.215 <-> 10.22.97.107 1 1 74 74 ECO
14:35:57.116779 e icmp 10.22.97.107 <-> 10.52.32.215 1 1 74 74 ECO
14:35:57.116779 e icmp 10.52.32.215 <-> 10.22.97.107 1 1 74 74 ECO
root at cpocts:/tmp# racount -M rmon -r outfile - net 10.52.32.215/20 and net 10.22.97.10/20 -L0
racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
sum 5 16 8 8 1184 592 592
root at cpocts:/tmp# racount -r outfile - net 10.52.32.215/20 and net 10.22.97.10/20 -L0
racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
sum 5 8 4 4 592 296 296
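
Added example, not part of the original thread and not Argus code: a small Python model of the per-endpoint view shown in the "ra -M rmon" output above, using the four ICMP flows from that output as constructed input. The function names and the counter swap in the mirrored record are assumptions made for illustration; the point is that summing the expanded records doubles the totals, while grouping them by host gives each host's out/in counts.

```python
from collections import defaultdict

# Constructed sample: the four ICMP echo flows from the ra output in this thread,
# as (stime, saddr, daddr, spkts, dpkts, sbytes, dbytes).
FLOWS = [
    ("14:35:54.112424", "10.22.97.107", "10.52.32.215", 1, 1, 74, 74),
    ("14:35:55.114070", "10.22.97.107", "10.52.32.215", 1, 1, 74, 74),
    ("14:35:56.114940", "10.22.97.107", "10.52.32.215", 1, 1, 74, 74),
    ("14:35:57.116779", "10.22.97.107", "10.52.32.215", 1, 1, 74, 74),
]


def rmon_expand(flows):
    """Model of the rmon view: one record per endpoint of each flow.

    The mirrored record swaps the addresses and the counters so that every
    record reads (host, peer, out, in). The swap is an assumed semantic.
    """
    out = []
    for stime, saddr, daddr, spkts, dpkts, sbytes, dbytes in flows:
        out.append((stime, saddr, daddr, spkts, dpkts, sbytes, dbytes))
        out.append((stime, daddr, saddr, dpkts, spkts, dbytes, sbytes))
    return out


def naive_totals(records):
    """Sum packets and bytes over all records, as a plain counter would."""
    pkts = sum(r[3] + r[4] for r in records)
    byts = sum(r[5] + r[6] for r in records)
    return pkts, byts


def per_host(records):
    """Aggregate expanded records on the host column (like grouping on saddr)."""
    hosts = defaultdict(lambda: [0, 0, 0, 0])  # out_pkts, in_pkts, out_bytes, in_bytes
    for _, host, _, out_p, in_p, out_b, in_b in records:
        totals = hosts[host]
        totals[0] += out_p
        totals[1] += in_p
        totals[2] += out_b
        totals[3] += in_b
    return {h: tuple(t) for h, t in hosts.items()}


if __name__ == "__main__":
    print("flow totals:    ", naive_totals(FLOWS))
    print("expanded totals:", naive_totals(rmon_expand(FLOWS)))
    for host, totals in sorted(per_host(rmon_expand(FLOWS)).items()):
        print(host, totals)
```

The doubled totals match the two racount runs in the thread (8 packets and 592 bytes without the option, 16 and 1184 with it).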