Racluster discarding packet loss data

Carter Bullard carter at qosient.com
Mon Dec 14 10:11:45 EST 2009


Hey Bart,
Looks like we've got a bug and I don't have a fix yet, but I do have a
potential work around for you.

If you run racluster() using default parameters before running  
racluster()
with the flow key modificatons, you'll get loss back (at least for  
this file).

    racluster -w -  -r argus.log* | racluster -s +loss -m proto saddr

There are 3 types of TCP DSR's, and it maybe that the bug is in dealing
with the loss stats when merging with a TCP matching flow that uses
a different TCP DSR (that doesn't have loss stats).

Try this work around, and I'll look for a fix later today,

Carter

On Dec 13, 2009, at 8:04 AM, Bart Roos wrote:

> Hello everyone,
>
> I am trying to collect packet loss data for a particular host in a LAN
> segment using the following racluster command:
>
> $ racluster -r argus.log -m saddr -s loss - tcp and src host  
> 10.10.0.12
>         0
>
> The racluster output does not report any packet loss, but counting the
> packet loss from individual argus records does show some loss:
>
> $ ra -r argus.log -s loss - tcp and src host 10.10.0.12 | \
>  awk '{c+=$1;} END {print c;}'
> 217
>
> Why is racluster discarding the packet loss data? Is this a bug, or  
> am I
> doing something wrong? I'm running the 3.0.2 server and clients.
>
> Thanks,
> Bart
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20091214/e87b575b/attachment.bin>


More information about the argus mailing list