Argus management records
Carter Bullard
carter at qosient.com
Thu Nov 15 17:21:38 EST 2007
The dropped packets are reported by the libpcap interface, so you won't see them using ifconfig. Why there are reported drops is not always clear, but if it is chronic, you may need to modify something, either more machine, not having argus write to a file, etc .....
You should be able to graph it using "drop" but "sport" should do it too?
Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-----Original Message-----
From: "Esteban G" <infoape at gmail.com>
Date: Wed, 14 Nov 2007 11:13:34
To:"Carter Bullard" <carter at qosient.com>
Cc:Argus <argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] Argus management records
Thanks for the response Carter. Just want to say that your work is
great and I really appreciate the efforts.
I didn't realize the management records were quite so rich. Out of
curiosity I started going through them for some of my collectors and
was surprised to see some "packets dropped". Should I see a similar
indicator of dropped packets in the output of ifconfig?
Also is this the correct command for graphing dropped packets:
ragraph sport -M 5m -r argusfile.gz -title "Dropped PAckets" - man
-Esteban
On Nov 12, 2007 7:40 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey Esteban,
> Sorry for the delayed response.
> The man records contain the state of the probe, and we generate
> these every ARGUS_MAR_STATUS_INTERVAL, which is every
> 60 secs by default, ( you can specify another time in the argus.conf ).
> The clients use these are keep-alives, so that they know that their
> source of data is still there, whether it is generating FARs or not.
>
> The contents of the 128 byte management record currently are/is:
>
> unsigned int status, argusid, localnet, netmask, nextMrSequenceNum;
> struct ArgusTime startime, now;
> unsigned char major_version, minor_version, interfaceType,
> interfaceStatus;
> unsigned short reportInterval, argusMrInterval;
> unsigned long long pktsRcvd, bytesRcvd, timedrift;
>
> unsigned int records, flows, dropped, queue, output, clients;
> unsigned int memorybufs, memorybytes;
> unsigned short suserlen, duserlen;
> unsigned int thisid, record_len;
>
> and the purpose is to expose/externalize the key aspects of
> the performance of the argus/radium.
>
> Many of the objects are identification oriented, argusid, localnet,
> netmask, major_version, minor_version, interfaceType,
> FarReportInterval, MarReportInterva, suserlen, duserlen, and
> all help the clients to know what to expect, and if anything has
> changed with regard to the probe itself.
>
> The rest of the objects are metrics, and can be important. They
> include:
> startime, now; (reporting interval for this man record)
> pktsRcvd, bytesRcvd (probe load)
> timedrift (perceived drift from correct time, usually
> supplied by radium/ra* programs).
> records (number of records written out)
> flows (total number of flows tracked)
> dropped (number of input packets dropped by engine)
> queue (current number of flows being tracked)
> output (current number of records scheduled to be written)
> clients (number of registered output clients)
> memorybufs (number of buffers allocated)
> memorybytes (total number of bytes allocated)
> suserlen, duserlen (max user buffer capture size)
>
>
> from this data you should be able to tell if the argus/radium is
> healthy or not.
>
> When you print the contents of the mar record using ra*, the
> fields are mapped like the list below. There is no real justification
> for this, and so if you have a better way of mapping the Far and
> Mar Fields, please make suggestions, before the release!!!
>
> stime startime
> ltime now
> flgs blank
> proto 'man'
> saddr "queue count"
> sport "packets dropped"
> dir blank
> daddr "memory bufs"
> dport "registered clients"
> spkts "pkts received"
> dpkts "records written"
> sbytes "bytes received"
> dbytes "memory bytes"
> State "status"
>
>
> I know that these seems like chaos, so if you have any
> suggestion as to how to overload this, that would be great.
>
> Carter
>
>
>
>
> On Nov 8, 2007, at 2:55 PM, Esteban G wrote:
>
> > sorry meant to include the paste of the ra command:
> > ra -L0 -n -r <argus file> - man
> >
> > -esteban
> >
> >
> > On 11/8/07, Esteban G <infoape at gmail.com> wrote:
> >> Just out of curiosity what are we looking at when we see these
> >> records:
> >>
> >> StartTime Flgs Proto SrcAddr Sport Dir
> >> DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes
> >> State
> >> 00:01:02.164051 man 1412 0
> >> 5930 1 44205 1625 18052533 3825435
> >> CON
> >> 00:02:02.168611 man 1835 0
> >> 7219 1 47569 3029 17959596 7166675
> >> CON
> >> 00:03:02.173056 man 1696 0
> >> 6968 1 61118 3603 30275159 10517483
> >> CON
> >>
> >>
> >> -esteban
> >>
> >
>
More information about the argus
mailing list