Racluster and the trans field

Carter Bullard carter at qosient.com
Sat Aug 29 16:50:10 EDT 2009 

Hey Nick,
I don't think this code is the source of your discrepancy.

This part of the code is creating an AGR if there isn't one in the  
argus record.
When there isn't an AGR, it means that there hasn't been any aggregation
done, so this implies a "primitive" record.  The AGR holds statistics  
for a
specific metric, and by default that metric is the duration of the  
argus record.
You can specify a different metric by defining an ArgusAggregator  
object,
and telling it what metric you want the ArgusMergeRecord routine to  
calculate.

So we are setting the "agr->count = 0" only when we're doing the stats  
on the
duration of the argus record, and the duration is equal to zero.    
This seems
ok to me.  And we need this correction.

Well, anyway, if you have a data file that generates bad counts, send  
it my way
and I'll fix.

Carter

On Aug 29, 2009, at 3:29 PM, Nick Diel wrote:

> This is actually a continuation for a bug we discussed a little bit  
> ago and something CS Lee looked at too.
>
> When you use racluster the trans field did not always add up  
> correctly (it would be smaller than it should be).  Again I dug into  
> the source code and think I found the culprit.  We actually set the  
> trans field to 0 in some cases.  I am not entirely sure why we do  
> this, but it does cause a couple of problems.  Also what confuses  
> this even more is we now always print a trans field of 1 or greater  
> (we actually test the trans field, if 0 or smaller we just print 1).
>
> For the second part of the problem, we do use the value of the trans  
> field internally to test whether or not to some duration calucations  
> and with the current logic we do not compute duration on some flows  
> I think we should.
>
> First here is the code in question (from diff):
> --- origs/argus_client.c        2009-08-29 11:35:55.000000000 -0600
> +++ common/argus_client.c       2009-08-29 11:42:58.000000000 -0600
> @@ -4040,15 +4040,6 @@
>                       agr->act.minval             = 10000000000.0;
>                       agr->idle.minval            = 10000000000.0;
>
> -                     if (parser->ArgusAggregator != NULL) {
> -                        value = parser->ArgusAggregator- 
> >RaMetricFetchAlgorithm(retn);
> -                        if (ArgusFetchDuration == parser- 
> >ArgusAggregator->RaMetricFetchAlgorithm) {
> -                           if (value == 0)
> -                              agr->count = 0;
> -                        }
> -                     } else
> -                        if ((value = ArgusFetchDuration(retn)) == 0)
> -                           agr->count = 0;
>
>                       if (agr->count > 0) {
>                          agr->act.maxval             = value;
>
> I am not entirely sure what we are testing for so the question is do  
> we need this code, if so is it correct, and finally should we move  
> the logic so we are not ever setting the trans field to 0?
>
> Nick

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090829/8cb58ba2/attachment.bin>

More information about the argus mailing list