strange behaviour in status field

Carter Bullard carter at qosient.com
Wed Oct 28 19:08:30 EDT 2009


Hey Rodney,
Yes, this seems correct.  In the first aggregation, you see Syn, Reset, Push and Ack bits set for the source, and Syn, Push, Ack and Fin from the Dest.  This seems very reasonable.

When you are aggregating only records that have 100K bytes, in your case, you filter out the status record that represents the close of the connection.  A lot of TCP connections have the termination control packets in a separate flow status report, which almost always has small numbers of bytes.  I suspect that your filter drops the records that contain the Fin and Reset indicators.

What records are rejected by the filter?  They should contain the Reset and Fin indications.  So below I modified your filter to do the "less than".

> racluster -nr 20.gz -Zb - host 72.229.139.101 and src bytes lt 100000



Carter


On Oct 28, 2009, at 5:31 PM, Rodney McKee wrote:

> ok, added the status:10
>
> racluster -nr 20.gz -Z b -s +stime +ltime +sbytes:20 +dbytes:20 - host 72.229.139.101
> 2009-10-20 22:38:07.705062  e s       tcp      72.229.139.101.51653     ->       128.121.17.3.80       217559   222087604  SRPA_FSPA 2009-10-20 22:38:07.705062 2009-10-20 23:36:37.342957            218133107              3954497
>
> and
>
> racluster -nr 20.gz -Z b -s +stime +ltime +sbytes:20 +dbytes:20 - host 72.229.139.101 and src bytes gt 100000
> 2009-10-20 22:38:07.705062  e s       tcp      72.229.139.101.51653     ->       128.121.17.3.80       217490   222049458    SPA_SPA 2009-10-20 22:38:07.705062 2009-10-20 23:35:51.340683            218098077              3951381
>
>
> ----- "Carter Bullard" <carter at qosient.com> wrote:
> > Hey Rodney,
> > Yes, this seems reasonable.  Filtering can definitely change the contents of the status field.  You don't have enough space in your "status" directive to show all the status bits, so to see the "_S" show up when the "R" goes away (status values shifting left) definitely seems correct.
> >
> > In your .rarc, specify "status:10" to have enough space to get all the letters printed.
> >
> > Carter
> >
> > On Oct 28, 2009, at 4:38 PM, Rodney McKee wrote:
> >
> > > Is this expected?
> > > It appears that I'm getting different status flags if I add the src bytes filter. I'm using the filter to reduce the number of records displayed.
> > >
> > > racluster -nr 20.gz -Z b - host 72.229.139.101
> > > 2009-10-20 22:38:07.705062  e s       tcp      72.229.139.101.51653     ->       128.121.17.3.80       217559   222087604 SRPA_
> > >
> > > racluster -nr 20.gz -Z b -s +stime +ltime +sbytes +dbytes - host 72.229.139.101
> > > 2009-10-20 22:38:07.705062  e s       tcp      72.229.139.101.51653     ->       128.121.17.3.80       217559   222087604 SRPA_ 2009-10-20 22:38:07.705062 2009-10-20 23:36:37.342957    218133107      3954497
> > >
> > > racluster -nr 20.gz -Z b -s +stime +ltime +sbytes +dbytes - host 72.229.139.101 and src bytes gt 100000
> > > 2009-10-20 22:38:07.705062  e s       tcp      72.229.139.101.51653     ->       128.121.17.3.80       217490   222049458 SPA_S 2009-10-20 22:38:07.705062 2009-10-20 23:35:51.340683    218098077      3951381
> > >
> > > racluster -nr 20.gz -Z b - host 72.229.139.101 and src bytes gt 100000
> > > 2009-10-20 22:38:07.705062  e s       tcp      72.229.139.101.51653     ->       128.121.17.3.80       217490   222049458 SPA_S
> > >
> > > Rgds
> > > Rodney McKee
> >
> -- 
> Rodney McKee
> Linux systems administrator
> Aconex
> The easy way to save time and money on your project
>
> 696 Bourke Street, Melbourne
> Tel: +61 3 9240 0200               Fax: +61 3 9240 0299
> Email: rmckee at aconex.com      www.aconex.com
> This email and any attachments are intended solely for the addressee. The contents may be privileged, confidential and/or subject to copyright or other applicable law. No confidentiality or privilege is lost by an erroneous transmission. If you have received this e-mail in error, please let us know by reply e-mail and delete or destroy this mail and all copies. If you are not the intended recipient of this message you must not disseminate, copy or take any action in reliance on it. The sender takes no responsibility for the effect of this message upon the recipient's computer system.

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
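The behaviour Carter describes, as an added example that is not part of this thread and not Argus or racluster code: a small Python model of flow status records merged the way racluster -Z b merges them (flag bits ORed, counters summed, earliest stime and latest ltime kept), with the byte filter applied to the input records before clustering. The flag bit values, the letter order F S R P A used when rendering the status field, and the split of the connection into one bulk record plus one short teardown record are assumptions of this model; only the totals are taken from Rodney's outputs. The optional width on status_string mimics a status column that is too narrow, which is what produced the "SRPA_" versus "SPA_S" strings in the first messages.

```python
"""Toy model of Argus flow status aggregation (added example, not Argus code).

Each flow status record carries the TCP flags seen during its interval.
Clustering ORs those bits per flow, so a record filter that removes the
small final record also removes the FIN/RST letters from the merged status.
"""
from dataclasses import dataclass, replace

# Bit values and letter order are assumptions for this model, not Argus's encoding.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_ORDER = (("F", FIN), ("S", SYN), ("R", RST), ("P", PSH), ("A", ACK))


@dataclass(frozen=True)
class FlowRecord:
    stime: str      # start of the status interval
    ltime: str      # end of the status interval
    saddr: str
    daddr: str
    pkts: int       # packets in the interval, both directions
    sbytes: int     # bytes sent by the source
    dbytes: int     # bytes sent by the destination
    sflags: int     # TCP flags seen from the source in this interval
    dflags: int     # TCP flags seen from the destination in this interval


def flag_letters(bits):
    return "".join(ch for ch, bit in FLAG_ORDER if bits & bit)


def status_string(rec, width=None):
    """Render as 'SRPA_FSPA'. A width cuts the string on the right, like a
    status:N column that is too narrow; when a letter drops out, the
    remaining letters shift left and new ones appear at the cut."""
    s = f"{flag_letters(rec.sflags)}_{flag_letters(rec.dflags)}"
    return s if width is None else s[:width]


def aggregate(records):
    """Merge records per (saddr, daddr): OR flags, sum counters,
    keep earliest stime and latest ltime."""
    merged = {}
    for r in records:
        key = (r.saddr, r.daddr)
        if key not in merged:
            merged[key] = r
            continue
        m = merged[key]
        merged[key] = replace(
            m,
            stime=min(m.stime, r.stime), ltime=max(m.ltime, r.ltime),
            pkts=m.pkts + r.pkts,
            sbytes=m.sbytes + r.sbytes, dbytes=m.dbytes + r.dbytes,
            sflags=m.sflags | r.sflags, dflags=m.dflags | r.dflags,
        )
    return list(merged.values())


def src_bytes_gt(n):
    return lambda r: r.sbytes > n


def src_bytes_lt(n):
    return lambda r: r.sbytes < n


def cluster(records, pred=lambda r: True):
    """Filter the input records first, then cluster, as 'racluster ... - <filter>' does."""
    return aggregate(r for r in records if pred(r))


# Constructed input: the connection from the thread as two status records,
# the bulk transfer and the short final record carrying the teardown.
# Totals match Rodney's outputs; the split between the two is invented.
SRC, DST = "72.229.139.101.51653", "128.121.17.3.80"
RECORDS = [
    FlowRecord("2009-10-20 22:38:07.705062", "2009-10-20 23:35:51.340683",
               SRC, DST, 217490, 218098077, 3951381,
               SYN | PSH | ACK, SYN | PSH | ACK),
    FlowRecord("2009-10-20 23:35:51.340683", "2009-10-20 23:36:37.342957",
               SRC, DST, 69, 35030, 3116,
               RST | PSH | ACK, FIN | PSH | ACK),
]

if __name__ == "__main__":
    for label, pred in (("no filter", lambda r: True),
                        ("src bytes gt 100000", src_bytes_gt(100000)),
                        ("src bytes lt 100000", src_bytes_lt(100000))):
        for rec in cluster(RECORDS, pred):
            print(f"{label:22} {rec.pkts:8} {rec.sbytes + rec.dbytes:11} "
                  f"{status_string(rec):10} status:5 -> {status_string(rec, 5)}")
```

Running it shows the unfiltered cluster as SRPA_FSPA, the "gt" cluster as SPA_SPA, and the "lt" cluster holding the Reset and Fin that the "gt" filter discarded; with a width of 5 the first two come out as SRPA_ and SPA_S, exactly the shift that looked like a change in the flags.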


