Trans field and rahisto

Carter Bullard carter at qosient.com
Sat Jul 18 12:22:35 EDT 2009


Looks like a big bad bug.
I'll look at it this weekend.
Carter

On Jul 17, 2009, at 2:13 PM, Nick Diel wrote:

> Hi,
>
> I have a couple of questions and issues with the trans field.
>
> First, exactly when does Argus set the trans count to 1?  I noticed  
> some simple 1 packet volleys have a trans count of 0, while other 1  
> packet volleys have a trans count of 1.  Of course all the other  
> flows have a trans count of 1, just curious what differentiates the  
> single packet flows.
>
> Second, it seems racluster isn't adding up the trans field  
> correctly, here is an example
>
> ra -r file.argus -s saddr trans
>       27.8.77.166      1
>       27.8.77.166      1
>       18.9.27.219      1
>       18.9.27.219      1
>      18.86.96.147      1
>      18.86.96.147      1
>     19.32.203.136      1
>     19.32.203.136      1
>
> racluster -r file.argus -m saddr -s saddr trans
>     19.32.203.136      4
>      18.86.96.147      3
>       18.9.27.219      4
>       27.8.77.166      3
>
> Also I have been feeding this same data to rahisto and have been  
> seeing some very strange data.
>
> If I feed the non racluster file (from above) into rahisto I get:
>
> rahisto -H trans 5:1 -r file.argus
> N = 9       mean = 1.000000  stddev = 0.000000  max = 1  min = 1
>            median =        1     95% = 1
>  Class           Interval                Freq    Rel.Freq     Cum.Freq
>      1   0.000000e+00-1.000000e+00          0     0.0000%      0.0000%
>      2   1.000000e+00-2.000000e+00         20   222.2222%    222.2222%
>      3   2.000000e+00-3.000000e+00          0     0.0000%    222.2222%
>      4   3.000000e+00-4.000000e+00          0     0.0000%    222.2222%
>      5   4.000000e+00-5.000000e+00          0     0.0000%    222.2222%
>
> N is off by 1, should be 8.  Rel. Freq should be 8 not 20, and of  
> course the percentages are off.
>
> Next I fed the cluster data into rahisto
>
> racluster -r file.argus -m saddr -w - | rahisto -r - -H trans 5:1
>  N = 8       mean = 3.807943  stddev = 4.015635  max = 12  min = 0
>            median = 3.500000     95% = 4
>              mode =        3
>  Class           Interval                Freq    Rel.Freq     Cum.Freq
>      1   0.000000e+00-1.000000e+00          0     0.0000%      0.0000%
>      2   1.000000e+00-2.000000e+00          0     0.0000%      0.0000%
>      3   2.000000e+00-3.000000e+00          0     0.0000%      0.0000%
>      4   3.000000e+00-4.000000e+00          5    62.5000%     62.5000%
>      5   4.000000e+00-5.000000e+00 -1798865444    31201273600.0000%    31201273600.0000%
>
> N should be 4, mean should be 3.5, max should be 4, rel. freq should be  
> 4 not 5, and of course the percentages are off here too.
>
>
> Nick
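
An independent cross-check for the figures discussed in this thread, added here as an example (it is not part of the original messages and is not Argus code): it recomputes per-saddr trans totals and the histogram statistics from the text output quoted above. The function names, and the reading of `-H trans 5:1` as five classes of width 1 starting at 0 (taken from the class intervals in the quoted rahisto output), are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Text copied from the `ra -r file.argus -s saddr trans` output quoted above.
RA_OUTPUT = """
      27.8.77.166      1
      27.8.77.166      1
      18.9.27.219      1
      18.9.27.219      1
     18.86.96.147      1
     18.86.96.147      1
    19.32.203.136      1
    19.32.203.136      1
"""
# Per-saddr totals as printed by racluster in the same message.
RACLUSTER_OUTPUT = """
    19.32.203.136      4
     18.86.96.147      3
      18.9.27.219      4
      27.8.77.166      3
"""

def parse(text):
    """Return [(saddr, trans), ...] from two-column ra-style text output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[1].isdigit():
            rows.append((fields[0], int(fields[1])))
    return rows

def cluster_by_saddr(rows):
    # Reference aggregation: sum trans over all records sharing a saddr.
    totals = defaultdict(int)
    for saddr, trans in rows:
        totals[saddr] += trans
    return dict(totals)

def histogram(values, bins=5, width=1):
    """Assumed layout: `bins` classes of `width` from 0, each [lo, hi)."""
    freq = [0] * bins
    for v in values:
        idx = v // width
        if 0 <= idx < bins:
            freq[idx] += 1
    n = len(values)
    return {"N": n, "mean": mean(values), "max": max(values), "min": min(values),
            "freq": freq, "rel": [100.0 * f / n for f in freq]}
```

In practice, feed `parse()` the text from `ra -r file.argus -s saddr trans` and compare `cluster_by_saddr()` and `histogram()` against what racluster and rahisto print for the same file.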
