Argus-info Digest, Vol 47, Issue 13
CS Lee
geek00l at gmail.com
Sat Jul 18 21:22:30 EDT 2009
hi nick,
I tried to verify the problem. You are right that racluster doesn't seem to
aggregate the trans properly, but it seems to have been happening since
argus-clients-3.0.2.beta.6. Let's check this out -
Beta 5 ra output
argusC-3.0.2b5/bin/ra -nr ~/Downloads/telnet-raw.arg3 -s trans pkts
1 29
1 36
1 26
1 43
1 53
1 36
1 11
1 8
1 16
1 14
Beta 6 ra output
argusC-3.0.2b6/bin/ra -nr ~/Downloads/telnet-raw.arg3 -s trans pkts
1 29
1 36
1 26
1 43
1 53
1 36
1 11
1 8
1 16
1 14
Beta 5 racluster output
argusC-3.0.2b5/bin/racluster -nr ~/Downloads/telnet-raw.arg3 -s trans pkts
10 272
Beta 6 racluster output
argusC-3.0.2b6/bin/racluster -nr ~/Downloads/telnet-raw.arg3 -s trans pkts
28 272
And I have tested on beta 9 and it gives exactly the same result as beta 6, so
hopefully this gives enough info to Carter to fix the problem. Other argus
client tools (such as rahisto in your case) may inherit a similar problem.
Thanks!
On Sun, Jul 19, 2009 at 1:28 AM, CS Lee <geek00l at gmail.com> wrote:
> hi nick,
>
> Possible to share the dump file?
>
> Thanks!
>
>
> On Sun, Jul 19, 2009 at 12:00 AM, <argus-info-request at lists.andrew.cmu.edu> wrote:
>
>> Message: 1
>> Date: Fri, 17 Jul 2009 12:13:36 -0600
>> From: Nick Diel <nick at engineerity.com>
>> Subject: [ARGUS] Trans field and rahisto
>> To: Argus <argus-info at lists.andrew.cmu.edu>
>>
>> Hi,
>>
>> I have a couple of questions and issues with the trans field.
>>
>> First, exactly when does Argus set the trans count to 1? I noticed some
>> simple 1 packet volleys have a trans count of 0, while other 1 packet
>> volleys have a trans count of 1. Of course all the other flows have a
>> trans count of 1, just curious what differentiates the single packet flows.
>>
>> Second, it seems racluster isn't adding up the trans field correctly, here
>> is an example
>>
>> ra -r file.argus -s saddr trans
>> 27.8.77.166 1
>> 27.8.77.166 1
>> 18.9.27.219 1
>> 18.9.27.219 1
>> 18.86.96.147 1
>> 18.86.96.147 1
>> 19.32.203.136 1
>> 19.32.203.136 1
>>
>> racluster -r file.argus -m saddr -s saddr trans
>> 19.32.203.136 4
>> 18.86.96.147 3
>> 18.9.27.219 4
>> 27.8.77.166 3
>>
>> Also I have been feeding this same data to rahisto and have been seeing
>> some very strange data.
>>
>> If I feed the non racluster file (from above) into rahisto I get:
>>
>> rahisto -H trans 5:1 -r file.argus
>> N = 9 mean = 1.000000 stddev = 0.000000 max = 1 min = 1
>> median = 1 95% = 1
>> Class Interval Freq Rel.Freq Cum.Freq
>> 1 0.000000e+00-1.000000e+00 0 0.0000% 0.0000%
>> 2 1.000000e+00-2.000000e+00 20 222.2222% 222.2222%
>> 3 2.000000e+00-3.000000e+00 0 0.0000% 222.2222%
>> 4 3.000000e+00-4.000000e+00 0 0.0000% 222.2222%
>> 5 4.000000e+00-5.000000e+00 0 0.0000% 222.2222%
>>
>> N is off by 1, should be 8. Rel. Freq should be 8 not 20, and of course
>> the percentages are off.
>>
>> Next I fed the cluster data into rahisto
>>
>> racluster -r file.argus -m saddr -w - | rahisto -r - -H trans 5:1
>> N = 8 mean = 3.807943 stddev = 4.015635 max = 12 min = 0
>> median = 3.500000 95% = 4
>> mode = 3
>> Class Interval Freq Rel.Freq Cum.Freq
>> 1 0.000000e+00-1.000000e+00 0 0.0000% 0.0000%
>> 2 1.000000e+00-2.000000e+00 0 0.0000% 0.0000%
>> 3 2.000000e+00-3.000000e+00 0 0.0000% 0.0000%
>> 4 3.000000e+00-4.000000e+00 5 62.5000% 62.5000%
>> 5 4.000000e+00-5.000000e+00 -1798865444 31201273600.0000% 31201273600.0000%
>>
>> N should be 4, mean should be 3.5, max should be 4, rel. freq should be 4
>> not 5, and of course the percentages are off here too.
>>
>>
>> Nick
--
Best Regards,
CS Lee<geek00L[at]gmail.com>
http://geek00l.blogspot.com
http://defcraft.net
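Added example (not argus code and not part of the thread): a small Python reference for what `racluster -m saddr` and `rahisto -H <field> <bins>:<width>` are expected to produce, so that output like the 10-vs-28 and 8-vs-14 trans totals above can be checked against an independent computation. The sample input is constructed in the shape of Nick's `ra -s saddr trans` listing. Two details are assumptions rather than documented rahisto behaviour: class intervals are treated as [lo, hi), which is what makes trans=1 land in the 1.0-2.0 class as in the posted table, and the 95th percentile uses nearest-rank.

```python
"""Reference re-implementation of what `racluster -m saddr` and `rahisto -H`
are expected to compute, for sanity-checking their output. Added example,
not argus project code."""
import math
from statistics import mean, median, pstdev

# Constructed sample in the shape of `ra -s saddr trans` output (not a real
# capture): two flow records per source address, each with a trans count of 1.
RA_SADDR_TRANS = """\
27.8.77.166 1
27.8.77.166 1
18.9.27.219 1
18.9.27.219 1
18.86.96.147 1
18.86.96.147 1
19.32.203.136 1
19.32.203.136 1
"""


def parse_records(text):
    """Parse whitespace-separated `<key> <count>` lines into (key, int) pairs."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        records.append((parts[0], int(parts[1])))
    return records


def cluster_sum(records):
    """Aggregate like `racluster -m saddr`: one row per key, counters summed."""
    totals = {}
    for key, value in records:
        totals[key] = totals.get(key, 0) + value
    return totals


def aggregation_consistent(records, clustered):
    """Invariant any aggregation must keep: the per-key sums add up to the raw
    total. The outputs in the thread (10 raw vs 28 clustered, 8 raw vs 14
    clustered) violate it, which is the quickest way to spot the bug."""
    return sum(v for _, v in records) == sum(clustered.values())


def histogram(values, bins=5, width=1.0, start=0.0):
    """rahisto-style summary for `-H <field> <bins>:<width>`.

    Returns (summary, rows). Class intervals are [lo, hi) (assumption chosen to
    match the page's output, where trans=1 falls in the 1.0-2.0 class). The 95th
    percentile is nearest-rank (also an assumption about rahisto's method).
    """
    n = len(values)
    if n == 0:
        raise ValueError("no records")
    ordered = sorted(values)
    p95 = ordered[math.ceil(0.95 * n) - 1]
    summary = {
        "N": n,
        "mean": mean(values),
        "stddev": pstdev(values),
        "max": ordered[-1],
        "min": ordered[0],
        "median": median(values),
        "95%": p95,
    }
    rows = []
    cumulative = 0.0
    for i in range(bins):
        lo = start + i * width
        hi = lo + width
        freq = sum(1 for v in values if lo <= v < hi)
        rel = 100.0 * freq / n          # relative frequency can never exceed 100%
        cumulative += rel
        rows.append((i + 1, lo, hi, freq, rel, cumulative))
    return summary, rows


def format_table(rows):
    """Render the class-interval table in rahisto's column layout."""
    lines = ["Class Interval Freq Rel.Freq Cum.Freq"]
    for cls, lo, hi, freq, rel, cum in rows:
        lines.append(f"{cls} {lo:e}-{hi:e} {freq} {rel:.4f}% {cum:.4f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    raw = parse_records(RA_SADDR_TRANS)
    clustered = cluster_sum(raw)
    print("clustered:", clustered)
    print("sums agree:", aggregation_consistent(raw, clustered))
    for label, vals in (("raw", [v for _, v in raw]),
                        ("clustered", list(clustered.values()))):
        summary, rows = histogram(vals, bins=5, width=1.0)
        print(label, summary)
        print(format_table(rows))
```

Run against the constructed listing it gives four clusters of trans=2, N=8 for the raw records and N=4 for the clustered ones, and every relative frequency stays at or below 100%; a real `ra -s saddr trans` listing can be pasted into `RA_SADDR_TRANS` to compare the tools' output with these reference numbers.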