zero flow duration?

Michael Hornung hornung at cac.washington.edu
Thu Oct 11 18:05:36 EDT 2007

Previous message (by thread): zero flow duration?
Next message (by thread): default interfaces to monitor
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

That makes sense.  Need more coffee.  I seem to have found one host using 
jumbo frames, as bytes was over 3k, but the vast majority are small bytes 
supporting the single packet explanation.

-Mike

On Thu, 11 Oct 2007 at 18:00, Carter Bullard wrote:

|Yep, If it only has 1 packet in the flow record, then it will have a 0.0
|duration.
|Or there is a bug (which I hope not ;o)
|Carter
|
|On Oct 11, 2007, at 5:55 PM, Russell Fulton wrote:
|
|> 
|> 
|> Michael Hornung wrote:
|> > I'm trying to look at average bandwidth utilization per host offering
|> > services on a segment I'm monitoring.  To do so I'm running the
|> > following on an argus file:
|> > 
|> > racluster -r file -M norep -w - -- ip |  \
|> > ra -s daddr bytes dur -- 'dst net (blah)'
|> > 
|> > In many of the records there is a byte count but the flow duration
|> > reads "0.000000".  Can you explain in what curcumstances a flow has a
|> > duration of 0?  My guess is that the given flow did not end within the
|> > file I'm passing through racluster?
|> > 
|> single packet flows ?
|> 
|> Russell
|> 
|

Previous message (by thread): zero flow duration?
Next message (by thread): default interfaces to monitor
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the argus mailing list