Trans field and rahisto

Carter Bullard carter at qosient.com
Tue Jul 21 23:19:19 EDT 2009 

Hey Nick,
I just uploaded argus-clients-3.0.2.beta.10.tar.gz with a fix for the  
'trans'
bug.  Several things wrong, as the AGR DSR, which is where we store
the trans statistics, was used by rahisto() to hold its stats, so the  
fix was
slightly obsure, but it should be working now.  Please give it a try.

ftp://qosient.com/dev/argus-3.0/argus-clients-3.0.2.beta.10.tar.gz

Thanks!!!

Carter

On Jul 17, 2009, at 2:13 PM, Nick Diel wrote:

> HI,
>
> I have a couple of questions and issues with the trans field.
>
> First exactly when does Argus set the trans count to 1?  I noticed  
> some simple 1 packet volleys have a trans count of 0, while other 1  
> packet volleys have a trans count of 1.  Of course all the other  
> flows have a trans count of 1, just curious what differentiates the  
> single packet flows.
>
> Second, it seems racluster isn't adding up the trans field  
> correctly, here is an example
>
> ra -r file.argus -s saddr trans
>       27.8.77.166      1
>       27.8.77.166      1
>       18.9.27.219      1
>       18.9.27.219      1
>      18.86.96.147      1
>      18.86.96.147      1
>     19.32.203.136      1
>     19.32.203.136      1
>
> racluster -r file.argus -m saddr -s saddr trans
>     19.32.203.136      4
>      18.86.96.147      3
>       18.9.27.219      4
>       27.8.77.166      3
>
> Also I have been feeding this same data to rahisto and have been  
> seeing some very strange data.
>
> If I feed the non racluster file (from above) into rahisto I get:
>
> rahisto -H trans 5:1 -r file.argus
> N = 9       mean = 1.000000  stddev = 0.000000  max = 1  min = 1
>            median =        1     95% = 1
>  Class           Interval                Freq    Rel.Freq     Cum.Freq
>      1   0.000000e+00-1.000000e+00          0     0.0000%      0.0000%
>      2   1.000000e+00-2.000000e+00         20   222.2222%    222.2222%
>      3   2.000000e+00-3.000000e+00          0     0.0000%    222.2222%
>      4   3.000000e+00-4.000000e+00          0     0.0000%    222.2222%
>      5   4.000000e+00-5.000000e+00          0     0.0000%    222.2222%
>
> N is off by 1, should be 8.  Rel. Freq should be 8 not 20, and of  
> course the percentages are off.
>
> Next I fed the cluster data into rahisto
>
> racluster -r file.argus -m saddr -w - | rahisto -r - -H trans 5:1
>  N = 8       mean = 3.807943  stddev = 4.015635  max = 12  min = 0
>            median = 3.500000     95% = 4
>              mode =        3
>  Class           Interval                Freq    Rel.Freq     Cum.Freq
>      1   0.000000e+00-1.000000e+00          0     0.0000%      0.0000%
>      2   1.000000e+00-2.000000e+00          0     0.0000%      0.0000%
>      3   2.000000e+00-3.000000e+00          0     0.0000%      0.0000%
>      4   3.000000e+00-4.000000e+00          5    62.5000%     62.5000%
>      5   4.000000e+00-5.000000e+00 -1798865444    
> 31201273600.0000%    31201273600.0000%
>
> N should be 4, mean should 3.5, max should be 4, rel. freq should be  
> 4 not 5, and of course the percentages are off here too.
>
>
> Nick

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090721/c8783eda/attachment.bin>

More information about the argus mailing list