Possible to filter on src vid != dst vid?

Terry Burton tez at terryburton.co.uk
Tue Aug 5 06:35:24 EDT 2008 

Hi

I am beginning to use Argus to investigate inter-subnet traffic flows
on our network (roughly speaking one /16 divided into ~150 /24s), most
recently with regard to analysing packet loss with variants of the
following command:

ratop -m matrix/24 proto -S localhost:562 -S localhost:563 -s+svid
-s+dvid -s+loss -s+ploss - \
tcp and src net 123.123.0.0/16 and dst net 123.123.0.0/16

Output as follows:

ratop -S 127.0.0.1:562 127.0.0.1:563 -m matrix proto - remote 'src net
123.123.0.0/16 and dst net 123.123.0.0/16 ...
Rank       StartTime    Flgs  Proto            SrcAddr  Sport   Dir
        DstAddr  Dport  TotPkts   TotBytes State   sVid   dVid
Loss    pLoss
   1 15:52:12.250749  M *       tcp       123.123.94.0 *         ->
  123.123.121.0 *         21156    4115792   CON    120      5
10510 33.19017
   2 15:52:10.668253  M *       tcp        123.123.8.0 *         ->
   123.123.42.0 *          7446    2260934   CON     40      5
3213 30.14354
   3 15:52:12.250749  M *       tcp       123.123.94.0 *         ->
  123.123.121.0 *          6191    1217900   CON    120      5
3079 33.21467
   4 15:52:10.981508  M *       tcp       123.123.36.0 *         ->
  123.123.133.0 *          5871    2937490   CON      5     36
1835 23.81261
   5 15:52:10.652194  M *       tcp       123.123.95.0 *         ->
  123.123.216.0 *          2602    1947372   CON    216     90
955 26.84846
   6 15:52:14.407818  M *       tcp       123.123.42.0 *         ->
  123.123.108.0 *          3434     570022   FIN    108     30
1600 31.78387
   7 15:52:10.279885  M *       tcp      123.123.107.0 *         ->
  123.123.108.0 *          1999    1175320   CON    108    108
657 24.73644
   8 15:52:12.575023  M *       tcp       123.123.37.0 *        <?>
   123.123.38.0 *          1780     188408   CON     36     36
769 30.16869
   9 15:52:12.720005  * *       tcp      123.123.120.0 *         ->
  123.123.120.0 *          1592     952308   FIN    120    120
550 25.67693
  10 15:52:13.406317  M *       tcp       123.123.95.0 *         ->
  123.123.133.0 *          1195    1106198   RST      5     90
407 25.40574

I note that the loss statistics are unrealistically high at 20-35%
packet loss per flow (with no drops reported by the kernel) but I have
not yet had the opportunity to investigate what it is exactly that
Argus is measuring so I am not too alarmed by this. I'm happy to
investigate this myself, however from a quick search of the mailing
list I was unable to find a description of the Argus strategy for
packet loss measurement and think that a precise description might be
of value on the NSM wiki.

However my real question is this: Is there some way of asserting a
filter along the lines of "src vid != dst vid" so that I see only
inter-VLAN flows as I'm not interested in seeing the inter-subnet
traffic on "shared networks"?


Many thanks,

Tez

More information about the argus mailing list