argus user data buffer analysis

Carter Bullard carter at qosient.com
Tue Feb 17 10:09:18 EST 2009 

Hey Oguz,
This information will be available in the next release of Argus.
Interpacket arrival times and packet size distribution reporting
is an optional feature of the new argus.jjjjjjjjjh

We report interpacket arrival times and packet sizes in a
log normalized vector.  We didn't want to chew up too much
memory per flow to track these histograms, so we decided to
have a reporting scheme where we would report all the packet sizes
and interpacket arrivals in a 32-bit value for each.  So we have
8 bins of 4 bit values that we report, and the values are normalized
counts for the population.

Relative counts are,

For packet sizes the bins are:
    [< 64, < 128, < 256, < 512, < 1024, < 2048, < 4096, < 8192]

For interpacket arrival times, the bins are currently:
    [< 10 uSec, < 100, < 1 mSec, < 10, < 100, < 1Sec , <10, >10]

Argus tracks each bin as an unsigned byte, so we have a 255
value counter for each of the 8 bins, so as packets come in
we tally values until we would overflow and then as we add
values in we start to normalize all of the bins down.  But,
we don't round a bins value lower than 1, so if there was a
packet in any bin, regardless of how often we normalize,
we'll always know that at least one packet was seen in a
particular bin.

When you aggregate these vectors, we use arrays of doubles, to
recover the values.  Each record has the packet counts, so we
know what scale to use to recover the totals per bin.  We merge
the arrays, and then re-normalize them to generate the output
encodings.

Hope this helps, and of course if you have any opinions, reactions,
etc..., don't hesitate to send email to the list!!!!

Carter

On Feb 15, 2009, at 5:30 AM, Oguz Yarimtepe wrote:

> There is also one thing i want to know about argus. Is there a
> possibility to get some result from flow data like, how many packages
> there are that has a spesified size of payload in the flow or how many
> packets have inter packet delays of the spesified seconds.
>
> Thanx
>>
> -- 
> Oguz Yarimtepe
> http://www.loopbacking.info
>
>

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

More information about the argus mailing list