Racluster packet/byte counts off
Nick Diel
ndiel at engr.colostate.edu
Wed Mar 26 17:59:58 EDT 2008
I have been merging records on MAC address pairs and noticed that at some large packet count the merged records' counts are off.
Here is an example of the problem:
[diel at lander-nic ~]$ racount -r /capture/dump-110707/pcap/*.argus.out - ether src X:X:X:X:X:52 or ether dst X:X:X:X:X:52
racount records     total_pkts       src_pkts    dst_pkts   total_bytes        src_bytes      dst_bytes
sum     411,639,887 *4,167,751,642*  3241106807  926644835  2,631,640,888,213  1886412015303  745228872910
[diel at lander-nic ~]$ racluster -r /capture/dump-110707/pcap/*.argus.out -m smac dmac -L0 -s smac dir dmac bytes pkts - ether src X:X:X:X:X:52 or ether dst X:X:X:X:X:52
SrcMac        Dir  DstMac        TotBytes    TotPkts
X:X:X:X:X:52  ->   X:X:X:X:X:d   779300      *14,401*
X:X:X:X:X:52  ->   X:X:X:X:X:a   500060      *4,546*
X:X:X:X:X:3c  <->  X:X:X:X:X:52  2631632608  *41,677,326*

The packet count from racluster is basically 1% of what racount is.
Here it works on a smaller scale:
[diel at lander-nic ~]$ racount -r /capture/dump-110707/pcap/anondump.0001.pcap.argus.out - ether src X:X:X:X:X:52 or ether dst X:X:X:X:X:52
racount records  total_pkts  src_pkts  dst_pkts  total_bytes  src_bytes   dst_bytes
sum     573210   5396094     4200746   1195348   3458510664   2561659100  896851564
[diel at lander-nic ~]$ racluster -r /capture/dump-110707/pcap/anondump.0001.pcap.argus.out -m smac dmac -L0 -s smac dir dmac bytes pkts - ether src X:X:X:X:X:52 or ether dst X:X:X:X:X:52
SrcMac        Dir  DstMac        TotBytes    TotPkts
X:X:X:X:X:52  ->   X:X:X:X:X:d   10700       22
X:X:X:X:X:52  ->   X:X:X:X:X:a   770         7
X:X:X:X:X:3c  <->  X:X:X:X:X:52  3458499194  5396065
Nick
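The consistency check the report above calls for, as an added example that is not the poster's code and not part of argus-clients: it parses the racount "sum" row and the racluster rows in the formats printed in the post, sums the merged rows, and compares both the packet and byte totals. The sample outputs are constructed from the numbers in the post rather than captured from a live run; the poster's asterisk emphasis is left in to show the parser tolerates it.

```python
import re
from typing import Dict, List, Tuple

# Sample outputs constructed from the numbers in the post above (not captured
# from a live argus run). The '*' emphasis marks are kept on purpose.
RACOUNT_FULL = """\
racount records     total_pkts       src_pkts    dst_pkts   total_bytes        src_bytes      dst_bytes
sum     411,639,887 *4,167,751,642*  3241106807  926644835  2,631,640,888,213  1886412015303  745228872910
"""
RACLUSTER_FULL = """\
SrcMac        Dir  DstMac        TotBytes    TotPkts
X:X:X:X:X:52  ->   X:X:X:X:X:d   779300      *14,401*
X:X:X:X:X:52  ->   X:X:X:X:X:a   500060      *4,546*
X:X:X:X:X:3c  <->  X:X:X:X:X:52  2631632608  *41,677,326*
"""
RACOUNT_SMALL = """\
racount records  total_pkts  src_pkts  dst_pkts  total_bytes  src_bytes   dst_bytes
sum     573210   5396094     4200746   1195348   3458510664   2561659100  896851564
"""
RACLUSTER_SMALL = """\
SrcMac        Dir  DstMac        TotBytes    TotPkts
X:X:X:X:X:52  ->   X:X:X:X:X:d   10700       22
X:X:X:X:X:52  ->   X:X:X:X:X:a   770         7
X:X:X:X:X:3c  <->  X:X:X:X:X:52  3458499194  5396065
"""


def _num(tok: str) -> int:
    """Parse a count, dropping thousands separators and any '*' emphasis."""
    return int(re.sub(r"[,*]", "", tok))


def parse_racount(text: str) -> Dict[str, int]:
    """Return the racount 'sum' row as {column_name: value}."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip()]
    header = rows[0]                      # 'racount', 'records', 'total_pkts', ...
    total = next(r for r in rows[1:] if r[0] == "sum")
    return dict(zip(header[1:], (_num(t) for t in total[1:])))


def parse_racluster(text: str) -> List[Tuple[str, str, str, int, int]]:
    """Return (smac, dir, dmac, bytes, pkts) for each racluster data row."""
    out = []
    for ln in text.splitlines():
        f = ln.split()
        if len(f) != 5 or f[0] == "SrcMac":   # skip blank lines and the header
            continue
        out.append((f[0], f[1], f[2], _num(f[3]), _num(f[4])))
    return out


def check(racount_text: str, racluster_text: str) -> Dict[str, Dict[str, object]]:
    """Compare racount totals with the sum of racluster's merged rows.

    Also confirms racount is self-consistent (src + dst == total). The result
    maps 'pkts' and 'bytes' to both totals, their ratio, and an 'ok' flag that
    is True only on exact agreement.
    """
    totals = parse_racount(racount_text)
    rows = parse_racluster(racluster_text)
    merged = {"pkts": sum(r[4] for r in rows), "bytes": sum(r[3] for r in rows)}
    report = {}
    for name in ("pkts", "bytes"):
        expected = totals["total_" + name]
        internal_ok = totals["src_" + name] + totals["dst_" + name] == expected
        got = merged[name]
        report[name] = {
            "racount": expected,
            "racluster": got,
            "ratio": expected / got if got else float("inf"),
            "racount_self_consistent": internal_ok,
            "ok": internal_ok and expected == got,
        }
    return report


if __name__ == "__main__":
    for label, rc, rl in (("small", RACOUNT_SMALL, RACLUSTER_SMALL),
                          ("full", RACOUNT_FULL, RACLUSTER_FULL)):
        for name, r in check(rc, rl).items():
            print(f"{label:5} {name:5} racount={r['racount']:>17,} "
                  f"racluster={r['racluster']:>14,} ratio={r['ratio']:8.2f} ok={r['ok']}")
```

On the single-file capture the two tools agree exactly for both packets and bytes, which is what makes the full-run numbers a usable bug report: there the merged packet total comes out roughly 100 times smaller than racount's and the merged byte total roughly 1000 times smaller, while racount's own src + dst columns still add up to its totals. The check only flags the discrepancy; it does not say which tool is wrong.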