Racluster packet/byte counts off

Carter Bullard carter at qosient.com
Wed Mar 26 18:16:12 EDT 2008 

Hey Nick,
You may be truncating your pkts count because of a small field width.
Try "pkts:12" to see if your digits comes back.
The tools are suppose to put a '*' at the end of fields that have been 
truncated
due to the width field being too small.  I may need to fix that if this 
is all there
is.

Carter

Nick Diel wrote:
> I have been merging records on mac address pairs and notice at some 
> large packet count the merged records counts are off.
>
> Here is an example of the problem:
>
> [diel at lander-nic ~]$ racount -r /capture/dump-110707/pcap/*.argus.out 
> - ether src X:X:X:X:X:52 or ether dst 
> X:X:X:X:X:52                                                                                                                                                                    
> ;                       
> racount   records     total_pkts     src_pkts       dst_pkts       
> total_bytes        src_bytes          dst_bytes
>     sum   411,639,887   *4,167,751,642*     3241106807     
> 926644835      2,631,640,888,213      1886412015303      745228872910
>
>
> [diel at lander-nic ~]$ racluster -r 
> /capture/dump-110707/pcap/*.argus.out -m smac dmac -L0 -s smac dir 
> dmac bytes pkts - ether src X:X:X:X:X:52 or ether dst X:X:X:X:X:52
>             SrcMac   Dir             DstMac   TotBytes  TotPkts
>   X:X:X:X:X:52    ->       X:X:X:X:X:d         779300                 
> *14,401*
>   X:X:X:X:X:52    ->       X:X:X:X:X:a         
> 500060                   *4,546*
>    X:X:X:X:X:3c   <->     X:X:X:X:X:52       2631632608  *41,677,326
>
> *The packet count from racluster is basically 1% of what racount is.
>
>
> Here it works on a smaller scale:
>
> [diel at lander-nic ~]$ racount -r 
> /capture/dump-110707/pcap/anondump.0001.pcap.argus.out - ether src 
> X:X:X:X:X:52 or ether dst X:X:X:X:X:52
> racount   records     total_pkts     src_pkts       dst_pkts       
> total_bytes        src_bytes          dst_bytes
> sum   573210      5396094        4200746        1195348        
> 3458510664         2561659100         896851564
>
>
> [diel at lander-nic ~]$ racluster -r 
> /capture/dump-110707/pcap/anondump.0001.pcap.argus.out -m smac dmac 
> -L0 -s smac dir dmac bytes pkts - ether src 7X:X:X:X:X:52 or ether dst 
> X:X:X:X:X:52
>             SrcMac   Dir             DstMac   TotBytes  TotPkts
> X:X:X:X:X:52    ->       X:X:X:X:X:d                  10700            22
>    X:X:X:X:X:52    ->       X:X:X:X:X:a                   
> 770              7
>    X:X:X:X:X:3c   <->     X:X:X:X:X:52    3458499194  5396065
>
>
> Nick

More information about the argus mailing list