ratop
CS Lee
geek00l at gmail.com
Mon Oct 22 02:24:49 EDT 2007
Hi Carter,
First of all, congratulations on the argus 3.0 release, and I'm looking
forward to the client suite reaching that state.
For the ratop question, yes, it is over 1000 records per second.
The explanation of radark is brilliant, and I have a question regarding it. I
tried the commands from radark -
Here's my data -
ra -nnr loadbalance.arg - ip
19:33:06.063023 e 6 10.0.0.46.36024 -> 216.67.244.22.80 3 3 629 198 RST
19:33:27.653232 e 6 10.0.0.46.45640 -> 216.67.244.22.80 2 2 140 138 RST
19:33:57.899913 e 6 10.0.0.46.2540 -> 216.67.244.22.80 2 1 108 60 RST
19:33:58.907789 e 6 10.0.0.46.2541 -> 216.67.244.22.80 2 1 108 60 RST
19:33:59.915817 e 6 10.0.0.46.2542 -> 216.67.244.22.80 2 1 108 60 RST
19:34:00.923744 e 6 10.0.0.46.2543 -> 216.67.244.22.80 2 1 108 60 RST
19:34:01.931729 e 6 10.0.0.46.2544 -> 216.67.244.22.80 2 1 108 60 RST
19:34:02.939714 e 6 10.0.0.46.2545 -> 216.67.244.22.80 2 1 108 60 RST
Then I tried -
racluster -M norep -r loadbalance.arg -w loadbalance.racluster
racluster -M norep rmon -m smac saddr daddr -r loadbalance.racluster - appbytes gt 0
19:33:06.063023 e ip 10.0.0.46 <-> 216.67.244.22 3 3 629 198 CON
19:33:06.063023 e ip 216.67.244.22 <-> 10.0.0.46 3 3 198 629 CON
I'm pretty clear until this part. 10.0.0.0/24 is the local net.
The first call to racluster() generates the list of src and dst IP addresses
for flows that had some form of user data exchanged, creating two entries
for each set of src/dst IP pairs (using -M rmon we remove the src and
dst semantics by creating the entries A -> B and B -> A).
But when I do -
racluster -M norep rmon -m smac saddr daddr -r loadbalance.racluster -w - - appbytes gt 0 | racluster -L0 -m smac saddr -s +smac - src net 10.0.0.0/24 and not dst net 10.0.0.0/24 and src pkts gt 0
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State SrcMac
19:33:06.063023 e ip 10.0.0.46 <-> 0.0.0.0 3 3 629 198 CON 0:1b:77:5b:f4:3f
19:33:06.063023 e ip 10.0.0.46 <-> 0.0.0.0 3 3 198 629 CON 0:50:e8:2:3d:ca
For me it doesn't look right, especially the second record. I'm not clear
about the purpose of the second parsing.
Thanks.
On 10/7/07, Carter Bullard <carter at qosient.com> wrote:
>
> Hey CS Lee,
> No, unless you're processing 1000's of records per second.
> Use ^G to display the processing stats at the bottom of the
> screen. How many records per second are you processing?
>
> Carter
>
> On Oct 6, 2007, at 1:08 AM, CS Lee wrote:
>
> Hi all,
>
> I'm running argus dev on Ubuntu 7.04, and using ratop to monitor the
> traffic in realtime. Is it normal that ratop utilizes lots of resources as I
> have this -
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 14256 root 25 0 25572 19m 1164 R 98 0.9 1273:40 ratop
>
>
>
> --
> Best Regards,
>
> CS Lee <geekooL[at]gmail.com>
>
> http://geek00l.blogspot.com
>
>
>
--
Best Regards,
CS Lee <geekooL[at]gmail.com>
http://geek00l.blogspot.com
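Added example, not argus code and not from the thread: a small Python model of the two racluster passes described in the message (rmon direction-doubling with an appbytes filter, then the local-net filter and re-clustering on saddr only), run on a sample built from the post's ra output. The appbytes values are constructed so that only the first flow carries user data, and the smac key is left out for brevity.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, modelled on the ra output in the post: (saddr, daddr,
# spkts, dpkts, sbytes, dbytes, appbytes). The appbytes values are invented so
# that only the first flow carries user data, as in the post's first pass.
FLOWS = [
    ("10.0.0.46", "216.67.244.22", 3, 3, 629, 198, 431),
    ("10.0.0.46", "216.67.244.22", 2, 2, 140, 138, 0),
    ("10.0.0.46", "216.67.244.22", 2, 1, 108, 60, 0),
]
LOCAL = ipaddress.ip_network("10.0.0.0/24")


def rmon_cluster(flows, min_appbytes=1):
    """Model the first pass, 'racluster -M rmon -m saddr daddr - appbytes gt 0':
    keep flows with user data, drop src/dst semantics by emitting both an
    A->B and a B->A record, and sum the counters per (saddr, daddr) key."""
    agg = defaultdict(lambda: [0, 0, 0, 0])
    for s, d, sp, dp, sb, db, app in flows:
        if app < min_appbytes:
            continue
        for key, ctr in (((s, d), (sp, dp, sb, db)), ((d, s), (dp, sp, db, sb))):
            for i, v in enumerate(ctr):
                agg[key][i] += v
    return {k: tuple(v) for k, v in agg.items()}


def local_sources(records, local=LOCAL):
    """Model the second pass, '- src net LOCAL and not dst net LOCAL' followed
    by '-m saddr': only the local->remote copy of each pair passes the filter,
    and because daddr is no longer an aggregation key it collapses (argus
    prints it as 0.0.0.0); here it is simply dropped from the result key."""
    out = defaultdict(lambda: [0, 0, 0, 0])
    for (s, d), ctr in records.items():
        if ipaddress.ip_address(s) in local and ipaddress.ip_address(d) not in local:
            for i, v in enumerate(ctr):
                out[s][i] += v
    return {k: tuple(v) for k, v in out.items()}


if __name__ == "__main__":
    pairs = rmon_cluster(FLOWS)
    for (s, d), (sp, dp, sb, db) in pairs.items():
        print(f"{s:>15} <-> {d:<15} {sp} {dp} {sb} {db}")
    print("local sources:", local_sources(pairs))
```

With the filter applied as intended, only the 10.0.0.46 -> 216.67.244.22 copy survives the second pass; the reversed copy is excluded because its src is outside the local net.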