help understand output (fwd)

Michael Hornung hornung at cac.washington.edu
Thu Mar 15 19:40:32 EDT 2007 

Any ideas about the units reported by the srate, drate, sjit, djit fields?

-Mike

---------- Forwarded message ----------
Date: Wed, 14 Mar 2007 09:29:50 -0700 (PDT)
From: Michael Hornung <hornung at cac.washington.edu>
To: argus-info at lists.andrew.cmu.edu
Subject: help understand output

Hi, I'm trying to absorb some argus results I'm seeing and I would love any 
feedback you care to offer.  I'm trying to generate network performance stats 
for the roughly 5 minute window encompassed by a given argus file.

The filename is 1173830402 and indicates the timestamp when the argus file was 
archived.  The pipeline I've chosen is:

racluster -M rmon -r 1173830402 -w - |   \
rasort -r - -w - -m pkts - 'src net X.Y.0.0/16 or src net X.Y.0.0/16' |  \
ra -r - -s saddr stime dur srate drate pkts sloss dloss sjit djit tcprtt -

What I'm attempting to do with the above is aggregate the flows from the one 
file using 'racluster', then use 'rasort' to sort the output stream by number 
of total flow packets and limit results to flows with source IP on the networks 
I'm examining, then lastly to use 'ra' to print the values I think are 
interesting.  First off, is what I've done a reasonable way to get these 
deetails for every flow in the file?

Here are the first few lines of output, and I have some questions below that:

      X.Y.41.50    15:55:35.565814 265.849501   107619.148  4909709.500 166922 
0        717     9657.000     7612.128     0.000000

      X.Y.59.54    15:55:35.528842 266.161310  2766199.500    81832.180 105633 
816         64    15169.226    17774.765     0.000000

     X.Y.39.244    15:55:35.562186 264.461433    66525.547  2836946.000 104869 
0        386    38966.000    28543.830     0.000000

      X.Y.40.15    15:55:35.529837 266.712496    77486.641  2527835.250 94988 
1       1107    26946.000    19721.859     0.000000

      X.Y.117.8    15:55:35.590168 181.982163    76109.609  3445644.000 80115 
0        342    37715.000    28914.062     0.000000

      X.Y.26.112    15:55:35.593296 262.440843  1409295.625   103432.859 70112 
38        189    79309.000    46967.357     0.000000

      X.Y.40.91    15:55:35.597797 265.680459    52282.656  1952823.500 68964 
0        300    16701.000    15050.079     0.000000

       X.Y.61.3    15:55:35.558065 266.818069    44189.512  1537505.000 60578 
0        310    32309.000    24219.612     0.000000

     X.Y.45.125    15:55:35.569448 266.890136    41935.457  1511283.125 58026 
0        258    26755.000    22366.359     0.000000

     X.Y.38.232    15:55:35.574330 265.466687   289928.406   538903.688 55949 
0          0    13978.000    12320.000

    X.Y.115.165    15:55:35.531332 265.404640  1517963.000    35730.168 54641 
70         27    18501.262    22818.404     0.000000

     X.Y.115.57    15:55:35.396544 266.015024  1459115.750    45962.309 54044 
231          2    21290.250    24470.000     0.000000

Questions:

How can the source packet rate (column 4) and destination packet rate (column 
5) be higher than the total number of packets for the given flow (column 6)?

Why does the third record from the bottom have nothing in the tcprtt (last) 
column?

Can I safely assume that the tcprtt for all the other records here is 0.000000 
because the TCP sessions were not *established* during the window I'm reporting 
on?

What are the units for the sjit and djit (jitter) fields?  They look too big to 
be milliseconds.

Are sjit and djit reporting the average for a given flow, or how is the jitter 
being characterized?

Thanks so much to those that can offer info.

-Mike

More information about the argus mailing list