help understand output (fwd)

Carter Bullard carter at qosient.com
Fri Mar 16 02:33:55 EDT 2007


Hey Mike,
Ra* output can/does generate a Label, by default it should be the first
output line ("-L 0").  The label does have some units in it, and some of
the names are informative, like bytes vs bps, etc ...

srate, drate are in bits per second (bps).  sload and dload are packets
per second (pps).

No tcprtt for a tcp flow indicates that the probe did not see the
syn / synack / ack volley.  Records with the actual value may be in an
earlier file.

When you aggregate records together, different fields have differing
merge algorithms.  Tcprtt does not survive this type of merging, so it
goes to zero.

Interpacket arrival times and jitter (which is really stddev (square root
of jitter)) are in microseconds.  intpkt, sintpkt, dintpkt, sintpktact,
dintpktact, sintpktidl and dintpktidl are means of interpacket arrival
times during the observation period.  The sjit, djit, sjitact, djitact,
sjitidl, djitidl are standard deviations for the means.  Jitter is
reported as a stddev, so that it can be at the same relative scale as the
mean.  When reporting variance on numbers that are very large or small,
the numbers get really out there really quickly, so I'm reporting the
square root of the variance.  The number of packets - 1 is the N of the
mean and std dev.

When you merge records, these interpacket arrival times and std
deviations are all merged correctly, ie you get the mean of the means,
and we do a good job of getting the std devs merged (recover the sums of
squares, accumulate them from the two records that are being merged, and
then recalculate a std dev).

Carter



On Mar 15, 2007, at 7:40 PM, Michael Hornung wrote:

> Any ideas about the units reported by the srate, drate, sjit, djit  
> fields?
>
> -Mike
>
> ---------- Forwarded message ----------
> Date: Wed, 14 Mar 2007 09:29:50 -0700 (PDT)
> From: Michael Hornung <hornung at cac.washington.edu>
> To: argus-info at lists.andrew.cmu.edu
> Subject: help understand output
>
> Hi, I'm trying to absorb some argus results I'm seeing and I would  
> love any feedback you care to offer.  I'm trying to generate  
> network performance stats for the roughly 5 minute window  
> encompassed by a given argus file.
>
> The filename is 1173830402 and indicates the timestamp when the  
> argus file was archived.  The pipeline I've chosen is:
>
> racluster -M rmon -r 1173830402 -w - | \
>   rasort -r - -w - -m pkts - 'src net X.Y.0.0/16 or src net X.Y.0.0/16' | \
>   ra -r - -s saddr stime dur srate drate pkts sloss dloss sjit djit tcprtt -
>
> What I'm attempting to do with the above is aggregate the flows
> from the one file using 'racluster', then use 'rasort' to sort the
> output stream by number of total flow packets and limit results to
> flows with source IP on the networks I'm examining, then lastly to
> use 'ra' to print the values I think are interesting.  First off,
> is what I've done a reasonable way to get these details for every
> flow in the file?
>
> Here are the first few lines of output, and I have some questions  
> below that:
>
>      X.Y.41.50    15:55:35.565814 265.849501   107619.148   4909709.500 166922 0        717     9657.000     7612.128     0.000000
>      X.Y.59.54    15:55:35.528842 266.161310  2766199.500     81832.180 105633 816         64    15169.226    17774.765     0.000000
>     X.Y.39.244    15:55:35.562186 264.461433    66525.547   2836946.000 104869 0        386    38966.000    28543.830     0.000000
>      X.Y.40.15    15:55:35.529837 266.712496    77486.641   2527835.250 94988 1       1107    26946.000    19721.859     0.000000
>      X.Y.117.8    15:55:35.590168 181.982163    76109.609   3445644.000 80115 0        342    37715.000    28914.062     0.000000
>     X.Y.26.112    15:55:35.593296 262.440843  1409295.625    103432.859 70112 38        189    79309.000    46967.357     0.000000
>      X.Y.40.91    15:55:35.597797 265.680459    52282.656   1952823.500 68964 0        300    16701.000    15050.079     0.000000
>       X.Y.61.3    15:55:35.558065 266.818069    44189.512   1537505.000 60578 0        310    32309.000    24219.612     0.000000
>     X.Y.45.125    15:55:35.569448 266.890136    41935.457   1511283.125 58026 0        258    26755.000    22366.359     0.000000
>     X.Y.38.232    15:55:35.574330 265.466687   289928.406    538903.688 55949 0          0    13978.000    12320.000
>    X.Y.115.165    15:55:35.531332 265.404640  1517963.000     35730.168 54641 70         27    18501.262    22818.404     0.000000
>     X.Y.115.57    15:55:35.396544 266.015024  1459115.750     45962.309 54044 231          2    21290.250    24470.000     0.000000
>
> Questions:
>
> How can the source packet rate (column 4) and destination packet  
> rate (column 5) be higher than the total number of packets for the  
> given flow (column 6)?
>
> Why does the third record from the bottom have nothing in the  
> tcprtt (last) column?
>
> Can I safely assume that the tcprtt for all the other records here  
> is 0.000000 because the TCP sessions were not *established* during  
> the window I'm reporting on?
>
> What are the units for the sjit and djit (jitter) fields?  They  
> look too big to be milliseconds.
>
> Are sjit and djit reporting the average for a given flow, or how is  
> the jitter being characterized?
>
> Thanks so much to those that can offer info.
>
> -Mike
>
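The std-dev merge Carter describes above (recover each record's sum and sum of squares from its N, mean and stddev, accumulate them, recompute) as an added Python example; this is not Argus code, and it assumes a population variance over the interpacket gaps and weighting by N, neither of which the message spells out.

```python
import math
from dataclasses import dataclass


@dataclass
class IntpktStats:
    """One record's interpacket-arrival summary, in microseconds: mean
    (sintpkt/dintpkt), stddev (sjit/djit), the packet count, and N, the
    number of intervals the mean and stddev were computed over."""
    pkts: int
    n: int
    mean_us: float
    stddev_us: float


def stats_from_arrivals(arrival_us):
    """Summarise one record from its packet arrival timestamps (us).
    As in the reply, N is the number of packets minus 1.  Population
    variance over the gaps is an assumption; the thread does not say."""
    gaps = [b - a for a, b in zip(arrival_us, arrival_us[1:])]
    n = len(gaps)
    if n == 0:
        return IntpktStats(len(arrival_us), 0, 0.0, 0.0)
    mean = sum(gaps) / n
    var = sum((g - mean) ** 2 for g in gaps) / n
    return IntpktStats(len(arrival_us), n, mean, math.sqrt(var))


def merge_stats(a, b):
    """Merge two records: recover each record's sum and sum of squares
    from (N, mean, stddev), add them, and recompute mean and stddev.
    Weighting by N is an assumption."""
    n = a.n + b.n
    if n == 0:
        return IntpktStats(a.pkts + b.pkts, 0, 0.0, 0.0)
    total = a.mean_us * a.n + b.mean_us * b.n
    # sum of squares = N * (var + mean^2) for a population variance
    sumsq = (a.n * (a.stddev_us ** 2 + a.mean_us ** 2)
             + b.n * (b.stddev_us ** 2 + b.mean_us ** 2))
    mean = total / n
    var = max(sumsq / n - mean ** 2, 0.0)  # clamp rounding noise
    # The gap between a's last packet and b's first packet is in neither
    # record, so after a merge N is no longer pkts - 1.
    return IntpktStats(a.pkts + b.pkts, n, mean, math.sqrt(var))


if __name__ == "__main__":
    # Constructed sample arrivals (us) for two records of the same flow.
    a = stats_from_arrivals([0, 100, 300])
    b = stats_from_arrivals([0, 400, 500, 800])
    m = merge_stats(a, b)
    print(f"merged: pkts={m.pkts} N={m.n} mean={m.mean_us:.1f}us "
          f"jitter={m.stddev_us:.1f}us")
```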


