Racluster packet/byte counts off

Nick Diel ndiel at engr.colostate.edu
Wed Mar 26 18:23:11 EDT 2008 

Yes I forgot about the field lengths.  Makes perfect sense for the 
numbers I have.  You already showed me once with the tcp flags (-Z b), 
so I should have remembered.  I will run it again, but I suspect you are 
right.  A star through would be quite helpful for my forgetful mind.

Nick


Carter Bullard wrote:
> Hey Nick,
> You may be truncating your pkts count because of a small field width.
> Try "pkts:12" to see if your digits comes back.
> The tools are suppose to put a '*' at the end of fields that have been 
> truncated
> due to the width field being too small.  I may need to fix that if 
> this is all there
> is.
>
> Carter
>
> Nick Diel wrote:
>> I have been merging records on mac address pairs and notice at some 
>> large packet count the merged records counts are off.
>>
>> Here is an example of the problem:
>>
>> [diel at lander-nic ~]$ racount -r /capture/dump-110707/pcap/*.argus.out 
>> - ether src X:X:X:X:X:52 or ether dst 
>> X:X:X:X:X:52                                                                                                                                                                    
>> ;                       racount   records     total_pkts     
>> src_pkts       dst_pkts       total_bytes        src_bytes          
>> dst_bytes
>>     sum   411,639,887   *4,167,751,642*     3241106807     
>> 926644835      2,631,640,888,213      1886412015303      745228872910
>>
>>
>> [diel at lander-nic ~]$ racluster -r 
>> /capture/dump-110707/pcap/*.argus.out -m smac dmac -L0 -s smac dir 
>> dmac bytes pkts - ether src X:X:X:X:X:52 or ether dst X:X:X:X:X:52
>>             SrcMac   Dir             DstMac   TotBytes  TotPkts
>>   X:X:X:X:X:52    ->       X:X:X:X:X:d         779300                 
>> *14,401*
>>   X:X:X:X:X:52    ->       X:X:X:X:X:a         
>> 500060                   *4,546*
>>    X:X:X:X:X:3c   <->     X:X:X:X:X:52       2631632608  *41,677,326
>>
>> *The packet count from racluster is basically 1% of what racount is.
>>
>>
>> Here it works on a smaller scale:
>>
>> [diel at lander-nic ~]$ racount -r 
>> /capture/dump-110707/pcap/anondump.0001.pcap.argus.out - ether src 
>> X:X:X:X:X:52 or ether dst X:X:X:X:X:52
>> racount   records     total_pkts     src_pkts       dst_pkts       
>> total_bytes        src_bytes          dst_bytes
>> sum   573210      5396094        4200746        1195348        
>> 3458510664         2561659100         896851564
>>
>>
>> [diel at lander-nic ~]$ racluster -r 
>> /capture/dump-110707/pcap/anondump.0001.pcap.argus.out -m smac dmac 
>> -L0 -s smac dir dmac bytes pkts - ether src 7X:X:X:X:X:52 or ether 
>> dst X:X:X:X:X:52
>>             SrcMac   Dir             DstMac   TotBytes  TotPkts
>> X:X:X:X:X:52    ->       X:X:X:X:X:d                  
>> 10700            22
>>    X:X:X:X:X:52    ->       X:X:X:X:X:a                   
>> 770              7
>>    X:X:X:X:X:3c   <->     X:X:X:X:X:52    3458499194  5396065
>>
>>
>> Nick
>

More information about the argus mailing list