rapath() man page for review
Carter Bullard
carter at qosient.com
Tue Oct 16 00:13:02 EDT 2007
Gentle people,

I'm including the new rapath() manpage. This program prints traceroute()
data that is extracted from argus data streams. Because argus maps ICMP
traffic to the parent flow that generated it, argus clients can recreate
traceroute information. I find it very useful for recovering topology data,
and doing path integrity checks when something does a lot of traceroutes.

The most important use of this program is to have path information archived
in a central location, coexisting with real network traffic summaries, so that
you can correlate changes in path with changes in user traffic.

In finishing support for rapath(), I added anonymization for the data that
argus generates here, so intermediate router addresses are anonymized by
default.

Comments are very welcome,
Carter
RAPATH(1)
NAME
rapath - print traceroute path information from argus(8) data.
COPYRIGHT
Copyright (c) 2000-2007 QoSient. All rights reserved.
SYNOPSIS
rapath [-A] [raoptions]
DESCRIPTION
Rapath reads argus data from an argus-data source and generates the path
information that can be formulated from flows that experience ICMP
responses. When a packet stimulates the creation of an ICMP response, for
whatever reason, the intermediate node that generates the ICMP packet is,
by definition, on the path. Argus data preserves this intermediate node
address, and rapath uses this information to generate path information for
arbitrary IP network traffic. Rapath is principally designed to recover
traceroute(1) traffic, so that if a trace is done in the network, argus
will pick it up and record the intermediate nodes and the RTT for the
volleys. However, the method is generalized such that it also picks up
routing loop conditions, when they exist in the observed packet stream.
Rapath will generate argus flow records that have the src address, dst
address and src ttl of the transmitted packet, aggregated so that the
average duration, standard deviation, and max and min RTTs are preserved.
The most accurate estimate of the actual Round-Trip Time (RTT) between a
src IP address and an ICMP-based intermediate node is the MinDur field. As
the number of samples gets larger, the MinDur field approaches the
theoretical best-case minimum RTT. RTTs above this value include variations
in network and device delay.
When used in conjunction with racluster, path information to and from
CIDR-based network addresses can be calculated, so that traces to multiple
machines in the same subnet can be grouped together.
The output of rapath can be piped into ranonymize(1), in order to share
path performance information without divulging the actual addresses of
intermediate routers.
OPTIONS
Rapath, like all ra based clients, supports a number of ra options,
including filtering of input argus records through a terminating filter
expression. See ra(1) for a complete description of ra options.
rapath(1) specific options are:
-A Draw a description of the path with a legend.
INVOCATION
A sample invocation of rapath(1). This call reads argus(8) data from
inputfile and generates any path information, based on src and dst IP
addresses, and writes the results to stdout. Notice that even with only
12 samples, the MinDur field is in sorted order, whereas the Mean and
MaxDur do not reflect sorted values.
rapath -r /tmp/ra.out - icmpmap and src ttl lt 20

SrcAddr        Dir  DstAddr         Inode           sTtl    AvgDur    StdDev    MaxDur    MinDur  Trans
207.237.36.98   ->  134.207.10.73   10.22.32.1         1  0.007793  0.004256  0.015120  0.004814     12
207.237.36.98   ->  134.207.10.73   208.59.246.1       2  0.008504  0.003251  0.015473  0.005943     12
207.237.36.98   ->  134.207.10.73   207.172.19.110     3  0.008016  0.002446  0.015037  0.006243     12
207.237.36.98   ->  134.207.10.73   4.78.132.5         4  0.009951  0.004558  0.022182  0.006406     12
207.237.36.98   ->  134.207.10.73   4.68.16.75         5  0.013511  0.015643  0.062595  0.006955     12
207.237.36.98   ->  134.207.10.73   4.68.110.234       6  0.008881  0.002118  0.012951  0.007014      6
207.237.36.98   ->  134.207.10.73   204.255.173.53     6  0.010842  0.004799  0.018135  0.007110      6
207.237.36.98   ->  134.207.10.73   152.63.3.109       7  0.008853  0.001638  0.011440  0.007382      5
207.237.36.98   ->  134.207.10.73   152.63.3.165       7  0.008455  0.000889  0.010081  0.007496      7
207.237.36.98   ->  134.207.10.73   152.63.25.38       8  0.015877  0.002696  0.023995  0.013639     12
207.237.36.98   ->  134.207.10.73   152.63.39.173      9  0.015761  0.002123  0.022057  0.013715     12
207.237.36.98   ->  134.207.10.73   157.130.49.2      10  0.022892  0.021648  0.090687  0.014434     12
207.237.36.98   ->  134.207.10.73   138.18.1.7        11  0.018387  0.001137  0.021117  0.017082     12
207.237.36.98   ->  134.207.10.73   138.18.23.36      12  0.020205  0.002439  0.025719  0.017894     12
207.237.36.98   ->  134.207.10.73   138.18.23.35      13  0.019117  0.000912  0.020662  0.017673     12
This sample invocation of rapath(1) prints out a graph of the path,
suppressing the output of the actual node information (-q).

rapath -qA -r /tmp/ra.out - icmpmap and src ttl lt 20

A -> B -> C -> D -> E -> [F,G] -> [H,I] -> J -> K -> L -> M -> N -> O
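The aggregation described in DESCRIPTION and the -A graph above can be
reproduced from ICMP-mapped records. The following Python is an added
illustration for this review, not code from rapath or the argus
distribution: it groups probe records by (src, dst, src ttl, inode) into
AvgDur/StdDev/MaxDur/MinDur/Trans, checks that MinDur is monotonic along
the path, draws the lettered graph (bracketing routers that answered at
the same ttl), and flags a router seen at more than one ttl as a routing
loop. The record layout, the field names, the population form of StdDev,
and the documentation-range sample addresses are all assumptions.

```python
"""Rebuild rapath-style per-hop aggregation and the -A path graph.
Added illustration; not rapath's or argus's code. Record layout and
sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from string import ascii_uppercase


@dataclass(frozen=True)
class IcmpMappedFlow:
    """One probe that drew an ICMP response (assumed field names).
    inode: router that sent the ICMP; rtt: probe-to-ICMP seconds."""
    src: str
    dst: str
    sttl: int
    inode: str
    rtt: float


def aggregate_hops(flows):
    """Group by (src, dst, sttl, inode) and summarise the RTT samples.
    StdDev uses the population estimator here; argus's choice is not
    stated on the page."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.sttl, f.inode)].append(f.rtt)
    return [{"src": s, "dst": d, "inode": n, "sttl": t,
             "avgdur": mean(r), "stddev": pstdev(r),
             "maxdur": max(r), "mindur": min(r), "trans": len(r)}
            for (s, d, t, n), r in sorted(groups.items())]


def path_rows(rows, src, dst):
    """Hop rows for one src/dst pair, ordered by src ttl, then MinDur
    (the order the sample table above shows)."""
    return sorted((r for r in rows if r["src"] == src and r["dst"] == dst),
                  key=lambda r: (r["sttl"], r["mindur"]))


def mindur_is_monotonic(rows, src, dst):
    """True when MinDur never decreases hop over hop; Mean and MaxDur
    need not satisfy this."""
    mins = [r["mindur"] for r in path_rows(rows, src, dst)]
    return all(a <= b for a, b in zip(mins, mins[1:]))


def draw_path(rows, src, dst):
    """Render an -A style graph such as 'A -> B -> [C,D] -> E'.
    Letters follow first appearance; routers sharing a ttl share a
    bracket; a router seen again at a later ttl reuses its letter."""
    labels, by_ttl = {}, defaultdict(list)
    for r in path_rows(rows, src, dst):
        if r["inode"] not in labels:
            i = len(labels)
            labels[r["inode"]] = ascii_uppercase[i] if i < 26 else f"N{i}"
        by_ttl[r["sttl"]].append(labels[r["inode"]])
    return " -> ".join(
        n[0] if len(n) == 1 else "[" + ",".join(n) + "]"
        for _, n in sorted(by_ttl.items()))


def detect_loops(rows, src, dst):
    """Routers that answered from more than one src ttl -> list of ttls."""
    seen = defaultdict(list)
    for r in path_rows(rows, src, dst):
        seen[r["inode"]].append(r["sttl"])
    return {node: ttls for node, ttls in seen.items() if len(ttls) > 1}


# Constructed sample (RFC 5737 / RFC 1918 addresses, not captured data).
SAMPLE = [IcmpMappedFlow("10.0.0.1", "192.0.2.10", ttl, node, rtt)
          for ttl, node, rtts in [
              (1, "10.0.0.254", [0.0048, 0.0072, 0.0151]),
              (2, "198.51.100.1", [0.0059, 0.0081, 0.0155]),
              (3, "198.51.100.9", [0.0062, 0.0080]),    # two routers at
              (3, "198.51.100.10", [0.0064, 0.0100]),   # ttl 3: load balancing
              (4, "203.0.113.1", [0.0136, 0.0159, 0.0240]),
          ] for rtt in rtts]
# Second destination whose probes bounce between two routers (a loop).
SAMPLE += [IcmpMappedFlow("10.0.0.1", "192.0.2.20", ttl, node, 0.01 + ttl / 1000)
           for ttl, node in [(1, "10.0.0.254"), (2, "203.0.113.7"),
                             (3, "203.0.113.8"), (4, "203.0.113.7"),
                             (5, "203.0.113.8")]]

if __name__ == "__main__":
    rows = aggregate_hops(SAMPLE)
    for r in path_rows(rows, "10.0.0.1", "192.0.2.10"):
        print(f'{r["src"]} -> {r["dst"]} {r["inode"]:>14} {r["sttl"]:>2} '
              f'{r["avgdur"]:.6f} {r["stddev"]:.6f} {r["maxdur"]:.6f} '
              f'{r["mindur"]:.6f} {r["trans"]:>3}')
    print(draw_path(rows, "10.0.0.1", "192.0.2.10"))
    print(draw_path(rows, "10.0.0.1", "192.0.2.20"),
          detect_loops(rows, "10.0.0.1", "192.0.2.20"))
```

Running the module prints the first destination's hop table in the column
order of the rapath output above, then "A -> B -> [C,D] -> E" for it and
"A -> B -> C -> B -> C" for the looping destination, with the two
repeating routers and the ttls they answered from.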
SEE ALSO
ra(1), rarc(5), argus(8)
FILES
AUTHORS
Carter Bullard (carter at qosient.com).
BUGS
07 November 2000                                                RAPATH(1)