Possible to filter on src vid != dst vid?
Carter Bullard
carter at qosient.com
Tue Aug 5 07:51:21 EDT 2008
Hey Terry,
The numbers don't look quite right, but you never know with loss.
The pLoss is calculated as:
pLoss = ( loss * 100.0 )/ Pkts
It's really straightforward to see if the reported value is close at all. If not, send some records and I'll check it out.
Loss, for TCP, is determined by either missing sequence numbers, retransmitted pkts, or breaks in the selective ack sequences. To look at the code it's not at all clear, but we want to do this fast so it's pretty ugly code.
Of course, the accuracy of the report is dependent on where along the path you are. One probe may see retransmissions, but a downstream probe may not, so we're trying to correlate the full duplex set of packets to see if we can 'discover' loss. As a result, you can get negative loss reported, in a flow status record, due to an over report in a previous record.
If you want more detail, just ask questions on the list. If I can't answer, somebody else may chime in :o)
Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-----Original Message-----
From: "Terry Burton" <tez at terryburton.co.uk>
Date: Tue, 5 Aug 2008 11:35:24
To: Argus<argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] Possible to filter on src vid != dst vid?
Hi
I am beginning to use Argus to investigate inter-subnet traffic flows
on our network (roughly speaking one /16 divided into ~150 /24s), most
recently with regard to analysing packet loss with variants of the
following command:
ratop -m matrix/24 proto -S localhost:562 -S localhost:563 -s+svid
-s+dvid -s+loss -s+ploss - \
tcp and src net 123.123.0.0/16 and dst net 123.123.0.0/16
Output as follows:
ratop -S 127.0.0.1:562 127.0.0.1:563 -m matrix proto - remote 'src net
123.123.0.0/16 and dst net 123.123.0.0/16 ...
Rank StartTime Flgs Proto SrcAddr Sport Dir
DstAddr Dport TotPkts TotBytes State sVid dVid
Loss pLoss
1 15:52:12.250749 M * tcp 123.123.94.0 * ->
123.123.121.0 * 21156 4115792 CON 120 5
10510 33.19017
2 15:52:10.668253 M * tcp 123.123.8.0 * ->
123.123.42.0 * 7446 2260934 CON 40 5
3213 30.14354
3 15:52:12.250749 M * tcp 123.123.94.0 * ->
123.123.121.0 * 6191 1217900 CON 120 5
3079 33.21467
4 15:52:10.981508 M * tcp 123.123.36.0 * ->
123.123.133.0 * 5871 2937490 CON 5 36
1835 23.81261
5 15:52:10.652194 M * tcp 123.123.95.0 * ->
123.123.216.0 * 2602 1947372 CON 216 90
955 26.84846
6 15:52:14.407818 M * tcp 123.123.42.0 * ->
123.123.108.0 * 3434 570022 FIN 108 30
1600 31.78387
7 15:52:10.279885 M * tcp 123.123.107.0 * ->
123.123.108.0 * 1999 1175320 CON 108 108
657 24.73644
8 15:52:12.575023 M * tcp 123.123.37.0 * <?>
123.123.38.0 * 1780 188408 CON 36 36
769 30.16869
9 15:52:12.720005 * * tcp 123.123.120.0 * ->
123.123.120.0 * 1592 952308 FIN 120 120
550 25.67693
10 15:52:13.406317 M * tcp 123.123.95.0 * ->
123.123.133.0 * 1195 1106198 RST 5 90
407 25.40574
I note that the loss statistics are unrealistically high at 20-35%
packet loss per flow (with no drops reported by the kernel) but I have
not yet had the opportunity to investigate what it is exactly that
Argus is measuring so I am not too alarmed by this. I'm happy to
investigate this myself, however from a quick search of the mailing
list I was unable to find a description of the Argus strategy for
packet loss measurement and think that a precise description might be
of value on the NSM wiki.
However my real question is this: Is there some way of asserting a
filter along the lines of "src vid != dst vid" so that I see only
inter-VLAN flows as I'm not interested in seeing the inter-subnet
traffic on "shared networks"?
Many thanks,
Tez