Trans field and rahisto

Nick Diel nick at engineerity.com
Fri Jul 17 14:13:36 EDT 2009 

HI,

I have a couple of questions and issues with the trans field.

First exactly when does Argus set the trans count to 1?  I noticed some
simple 1 packet volleys have a trans count of 0, while other 1 packet
volleys have a trans count of 1.  Of course all the other flows have a trans
count of 1, just curious what differentiates the single packet flows.

Second, it seems racluster isn't adding up the trans field correctly, here
is an example

ra -r file.argus -s saddr trans
      27.8.77.166      1
      27.8.77.166      1
      18.9.27.219      1
      18.9.27.219      1
     18.86.96.147      1
     18.86.96.147      1
    19.32.203.136      1
    19.32.203.136      1

racluster -r file.argus -m saddr -s saddr trans
    19.32.203.136      4
     18.86.96.147      3
      18.9.27.219      4
      27.8.77.166      3

Also I have been feeding this same data to rahisto and have been seeing some
very strange data.

If I feed the non racluster file (from above) into rahisto I get:

rahisto -H trans 5:1 -r file.argus
N = 9       mean = 1.000000  stddev = 0.000000  max = 1  min = 1
           median =        1     95% = 1
 Class           Interval                Freq    Rel.Freq     Cum.Freq
     1   0.000000e+00-1.000000e+00          0     0.0000%      0.0000%
     2   1.000000e+00-2.000000e+00         20   222.2222%    222.2222%
     3   2.000000e+00-3.000000e+00          0     0.0000%    222.2222%
     4   3.000000e+00-4.000000e+00          0     0.0000%    222.2222%
     5   4.000000e+00-5.000000e+00          0     0.0000%    222.2222%

N is off by 1, should be 8.  Rel. Freq should be 8 not 20, and of course the
percentages are off.

Next I fed the cluster data into rahisto

racluster -r file.argus -m saddr -w - | rahisto -r - -H trans 5:1
 N = 8       mean = 3.807943  stddev = 4.015635  max = 12  min = 0
           median = 3.500000     95% = 4
             mode =        3
 Class           Interval                Freq    Rel.Freq     Cum.Freq
     1   0.000000e+00-1.000000e+00          0     0.0000%      0.0000%
     2   1.000000e+00-2.000000e+00          0     0.0000%      0.0000%
     3   2.000000e+00-3.000000e+00          0     0.0000%      0.0000%
     4   3.000000e+00-4.000000e+00          5    62.5000%     62.5000%
     5   4.000000e+00-5.000000e+00 -1798865444   31201273600.0000%
31201273600.0000%

N should be 4, mean should 3.5, max should be 4, rel. freq should be 4 not
5, and of course the percentages are off here too.


Nick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090717/e0fd633d/attachment.html>

More information about the argus mailing list