Trans field and rahisto

Nick Diel nick at engineerity.com
Fri Aug 7 13:34:25 EDT 2009 

Carter,

The fix appears to be working for the rahisto bins, but still seeing a
couple of small problems (nothing major)

   - Some of the other statistics (mean, max, stddev, median) don't seem to
   be calculating correctly.
   - Outlayer bin doesn't show the correct bin size (just shows what the
   next bin would be)
   - rahisto seg faults when missing command line arguments (for example:
   rahisto -r file.argus)

rahisto -r file.argus -H trans 10:10 -M outlayer
 N = 483     mean = 1.000000  stddev = 0.150912  max = 1  min = 1
           median =        4     95% = 66
             mode =        1
 Class           Interval                Freq    Rel.Freq     Cum.Freq
     1   0.000000e+00-1.000000e+01        210    43.4783%     43.4783%
     2   1.000000e+01-2.000000e+01         39     8.0745%     51.5528%
     3   2.000000e+01-3.000000e+01         23     4.7619%     56.3147%
     4   3.000000e+01-4.000000e+01          6     1.2422%     57.5569%
     5   4.000000e+01-5.000000e+01         11     2.2774%     59.8344%
     6   5.000000e+01-6.000000e+01         10     2.0704%     61.9048%
     7   6.000000e+01-7.000000e+01          4     0.8282%     62.7329%
     8   7.000000e+01-8.000000e+01          3     0.6211%     63.3540%
     9   8.000000e+01-9.000000e+01          3     0.6211%     63.9752%
    10   9.000000e+01-1.000000e+02          8     1.6563%     65.6315%
    11*  1.000000e+02-1.100000e+02        166    34.3685%    100.0000%

Nick

On Tue, Jul 21, 2009 at 9:19 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Nick,
> I just uploaded argus-clients-3.0.2.beta.10.tar.gz with a fix for the
> 'trans'
> bug.  Several things wrong, as the AGR DSR, which is where we store
> the trans statistics, was used by rahisto() to hold its stats, so the fix
> was
> slightly obsure, but it should be working now.  Please give it a try.
>
> ftp://qosient.com/dev/argus-3.0/argus-clients-3.0.2.beta.10.tar.gz
>
> Thanks!!!
>
> Carter
>
> On Jul 17, 2009, at 2:13 PM, Nick Diel wrote:
>
>  HI,
>>
>> I have a couple of questions and issues with the trans field.
>>
>> First exactly when does Argus set the trans count to 1?  I noticed some
>> simple 1 packet volleys have a trans count of 0, while other 1 packet
>> volleys have a trans count of 1.  Of course all the other flows have a trans
>> count of 1, just curious what differentiates the single packet flows.
>>
>> Second, it seems racluster isn't adding up the trans field correctly, here
>> is an example
>>
>> ra -r file.argus -s saddr trans
>>      27.8.77.166      1
>>      27.8.77.166      1
>>      18.9.27.219      1
>>      18.9.27.219      1
>>     18.86.96.147      1
>>     18.86.96.147      1
>>    19.32.203.136      1
>>    19.32.203.136      1
>>
>> racluster -r file.argus -m saddr -s saddr trans
>>    19.32.203.136      4
>>     18.86.96.147      3
>>      18.9.27.219      4
>>      27.8.77.166      3
>>
>> Also I have been feeding this same data to rahisto and have been seeing
>> some very strange data.
>>
>> If I feed the non racluster file (from above) into rahisto I get:
>>
>> rahisto -H trans 5:1 -r file.argus
>> N = 9       mean = 1.000000  stddev = 0.000000  max = 1  min = 1
>>           median =        1     95% = 1
>>  Class           Interval                Freq    Rel.Freq     Cum.Freq
>>     1   0.000000e+00-1.000000e+00          0     0.0000%      0.0000%
>>     2   1.000000e+00-2.000000e+00         20   222.2222%    222.2222%
>>     3   2.000000e+00-3.000000e+00          0     0.0000%    222.2222%
>>     4   3.000000e+00-4.000000e+00          0     0.0000%    222.2222%
>>     5   4.000000e+00-5.000000e+00          0     0.0000%    222.2222%
>>
>> N is off by 1, should be 8.  Rel. Freq should be 8 not 20, and of course
>> the percentages are off.
>>
>> Next I fed the cluster data into rahisto
>>
>> racluster -r file.argus -m saddr -w - | rahisto -r - -H trans 5:1
>>  N = 8       mean = 3.807943  stddev = 4.015635  max = 12  min = 0
>>           median = 3.500000     95% = 4
>>             mode =        3
>>  Class           Interval                Freq    Rel.Freq     Cum.Freq
>>     1   0.000000e+00-1.000000e+00          0     0.0000%      0.0000%
>>     2   1.000000e+00-2.000000e+00          0     0.0000%      0.0000%
>>     3   2.000000e+00-3.000000e+00          0     0.0000%      0.0000%
>>     4   3.000000e+00-4.000000e+00          5    62.5000%     62.5000%
>>     5   4.000000e+00-5.000000e+00 -1798865444   31201273600.0000%
>>  31201273600.0000%
>>
>> N should be 4, mean should 3.5, max should be 4, rel. freq should be 4 not
>> 5, and of course the percentages are off here too.
>>
>>
>> Nick
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090807/67e6be91/attachment.html>

More information about the argus mailing list