Argus-info Digest, Vol 47, Issue 13

CS Lee geek00l at gmail.com
Sat Jul 18 13:28:52 EDT 2009


Hi Nick,

Possible to share the dump file?

Thanks!

On Sun, Jul 19, 2009 at 12:00 AM, <argus-info-request at lists.andrew.cmu.edu> wrote:

> Today's Topics:
>
>   1.  Trans field and rahisto (Nick Diel)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 17 Jul 2009 12:13:36 -0600
> From: Nick Diel <nick at engineerity.com>
> Subject: [ARGUS] Trans field and rahisto
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID:
>        <3d641c150907171113p4295f18dje884a5c302b8323d at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> I have a couple of questions and issues with the trans field.
>
> First, exactly when does Argus set the trans count to 1?  I noticed some
> simple 1 packet volleys have a trans count of 0, while other 1 packet
> volleys have a trans count of 1.  Of course all the other flows have a
> trans count of 1, just curious what differentiates the single packet flows.
>
> Second, it seems racluster isn't adding up the trans field correctly. Here
> is an example:
>
> ra -r file.argus -s saddr trans
>      27.8.77.166      1
>      27.8.77.166      1
>      18.9.27.219      1
>      18.9.27.219      1
>     18.86.96.147      1
>     18.86.96.147      1
>    19.32.203.136      1
>    19.32.203.136      1
>
> racluster -r file.argus -m saddr -s saddr trans
>    19.32.203.136      4
>     18.86.96.147      3
>      18.9.27.219      4
>      27.8.77.166      3
>
> Also I have been feeding this same data to rahisto and have been seeing
> some very strange data.
>
> If I feed the non racluster file (from above) into rahisto I get:
>
> rahisto -H trans 5:1 -r file.argus
> N = 9       mean = 1.000000  stddev = 0.000000  max = 1  min = 1
>           median =        1     95% = 1
>  Class           Interval                Freq    Rel.Freq     Cum.Freq
>     1   0.000000e+00-1.000000e+00          0     0.0000%      0.0000%
>     2   1.000000e+00-2.000000e+00         20   222.2222%    222.2222%
>     3   2.000000e+00-3.000000e+00          0     0.0000%    222.2222%
>     4   3.000000e+00-4.000000e+00          0     0.0000%    222.2222%
>     5   4.000000e+00-5.000000e+00          0     0.0000%    222.2222%
>
> N is off by 1, should be 8.  Rel. Freq should be 8 not 20, and of course
> the percentages are off.
>
> Next I fed the cluster data into rahisto
>
> racluster -r file.argus -m saddr -w - | rahisto -r - -H trans 5:1
>  N = 8       mean = 3.807943  stddev = 4.015635  max = 12  min = 0
>           median = 3.500000     95% = 4
>             mode =        3
>  Class           Interval                Freq    Rel.Freq     Cum.Freq
>     1   0.000000e+00-1.000000e+00          0     0.0000%      0.0000%
>     2   1.000000e+00-2.000000e+00          0     0.0000%      0.0000%
>     3   2.000000e+00-3.000000e+00          0     0.0000%      0.0000%
>     4   3.000000e+00-4.000000e+00          5    62.5000%     62.5000%
>     5   4.000000e+00-5.000000e+00 -1798865444   31201273600.0000%   31201273600.0000%
>
> N should be 4, mean should be 3.5, max should be 4, rel. freq should be 4
> not 5, and of course the percentages are off here too.
>
>
> Nick



-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net