strange behaviour in status field
Rodney McKee
rmckee at aconex.com
Wed Oct 28 20:06:31 EDT 2009
Carter,
As always, awesome response.
Hmmm, I did find it with the lt filter. Odd behaviour; that being the case, can I now produce a list of large flows that have the complete status?
I have ended up using grep against the list without filtering on bytes for the specific flows I want but I would love to know if the ra toolset can deliver it.
----- "Carter Bullard" <carter at qosient.com> wrote:
> Hey Rodney,
> Yes this seems correct. In the first aggregation, you see Syn, Reset, Push and Ack bits
> set for the source, and Syn, Push, Ack and Fin from the Dest. This seems very reasonable.
>
> When you are aggregating only records that have 100K bytes, in your case, you filter out
> the status record that represents the close of the connection. A lot of TCP connections have
> the termination control packets in a separate flow status report, which almost always has
> small numbers of bytes. I suspect that your filter drops the records that contain the Fin
> and Reset indicators.
>
> What records are rejected by the filter? They should contain the Reset and Fin
> indications. So below I modified your filter to do the "less than".
>
> racluster -nr 20.gz -Zb - host 72.229.139.101 and src bytes lt 100000
>
>
> Carter
>
>
On Oct 28, 2009, at 5:31 PM, Rodney McKee wrote:
> ok, added the status:10
>
> racluster -nr 20.gz -Z b -s +stime +ltime +sbytes:20 +dbytes:20 - host 72.229.139.101
> 2009-10-20 22:38:07.705062 e s tcp 72.229.139.101.51653 -> 128.121.17.3.80 217559 222087604 SRPA_FSPA 2009-10-20 22:38:07.705062 2009-10-20 23:36:37.342957 218133107 3954497
>
> and
>
> racluster -nr 20.gz -Z b -s +stime +ltime +sbytes:20 +dbytes:20 - host 72.229.139.101 and src bytes gt 100000
> 2009-10-20 22:38:07.705062 e s tcp 72.229.139.101.51653 -> 128.121.17.3.80 217490 222049458 SPA_SPA 2009-10-20 22:38:07.705062 2009-10-20 23:35:51.340683 218098077 3951381
>
>
--
Rodney McKee
Linux systems administrator
Aconex
The easy way to save time and money on your project
696 Bourke Street, Melbourne
Tel: +61 3 9240 0200 Fax: +61 3 9240 0299
Email: rmckee at aconex.com www.aconex.com
This email and any attachments are intended solely for the addressee. The contents may be privileged, confidential and/or subject to copyright or other applicable law. No confidentiality or privilege is lost by an erroneous transmission. If you have received this e-mail in error, please let us know by reply e-mail and delete or destroy this mail and all copies. If you are not the intended recipient of this message you must not disseminate, copy or take any action in reliance on it. The sender takes no responsibility for the effect of this message upon the recipient's computer system.
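The mechanism Carter describes above, as an added example that is not part of the thread and not argus code: a small simulation of flow-status aggregation in which per-5-tuple records are merged by summing counters, OR-ing the TCP flag bits of each side and widening the time span. The sample records are constructed; their packet and byte counts are chosen so that the totals reproduce the two racluster lines Rodney posted (217559 vs 217490 packets, 218133107 vs 218098077 source bytes), with the connection teardown sitting in a tiny final record. The flag-letter order FSRPA and the merge semantics are my assumptions about how the SRPA_FSPA strings come about, not something the thread confirms. It shows that a byte filter applied to the input records drops the teardown record (status collapses to SPA_SPA), while the same filter applied after aggregation keeps the full status.

```python
"""Added example (not argus code): why a byte filter applied before aggregation
loses the FIN/RST bits of a flow, and how filtering after aggregation keeps them."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Assumption: letter order that renders the strings seen in the thread (SRPA_FSPA).
FLAG_ORDER = "FSRPA"


@dataclass(frozen=True)
class StatusRecord:
    """One flow-status report for a 5-tuple (constructed, modelled on argus output)."""
    stime: str
    ltime: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    pkts: int
    sbytes: int
    dbytes: int
    sflags: str   # TCP flags seen from the source, e.g. "SPA"
    dflags: str   # TCP flags seen from the destination


# Constructed sample: two large status reports, then a tiny teardown report that
# carries the RST (source) and FIN (destination) bits. Totals match the thread.
SAMPLE: List[StatusRecord] = [
    StatusRecord("22:38:07.705", "22:58:11.002", "72.229.139.101", 51653,
                 "128.121.17.3", 80, 150000, 150000000, 2000000, "SPA", "SPA"),
    StatusRecord("22:58:11.002", "23:35:51.340", "72.229.139.101", 51653,
                 "128.121.17.3", 80, 67490, 68098077, 1951381, "PA", "PA"),
    StatusRecord("23:35:51.340", "23:36:37.342", "72.229.139.101", 51653,
                 "128.121.17.3", 80, 69, 35030, 3116, "RPA", "FPA"),
]

Key = Tuple[str, int, str, int]


def render(flags: Set[str]) -> str:
    """Render a flag set in the assumed argus letter order."""
    return "".join(f for f in FLAG_ORDER if f in flags)


@dataclass
class Flow:
    stime: str
    ltime: str
    pkts: int = 0
    sbytes: int = 0
    dbytes: int = 0
    sflags: Set[str] = field(default_factory=set)
    dflags: Set[str] = field(default_factory=set)
    records: int = 0

    @property
    def status(self) -> str:
        """Source flags, underscore, destination flags (like -Z b output)."""
        return "%s_%s" % (render(self.sflags), render(self.dflags))


def cluster(records: Iterable[StatusRecord]) -> Dict[Key, Flow]:
    """Merge status records per 5-tuple: sum counters, OR flag bits, widen time span."""
    flows: Dict[Key, Flow] = {}
    for r in records:
        key = (r.saddr, r.sport, r.daddr, r.dport)
        f = flows.setdefault(key, Flow(r.stime, r.ltime))
        f.stime = min(f.stime, r.stime)      # same-day HH:MM:SS strings sort correctly
        f.ltime = max(f.ltime, r.ltime)
        f.pkts += r.pkts
        f.sbytes += r.sbytes
        f.dbytes += r.dbytes
        f.sflags |= set(r.sflags)
        f.dflags |= set(r.dflags)
        f.records += 1
    return flows


def rejected_by_filter(records: Iterable[StatusRecord], min_src_bytes: int) -> List[StatusRecord]:
    """The records a 'src bytes gt N' input filter would drop (Carter's 'lt' check)."""
    return [r for r in records if not r.sbytes > min_src_bytes]


def large_flows(records: List[StatusRecord], min_src_bytes: int,
                filter_before_aggregation: bool) -> Dict[Key, Flow]:
    """Flows with more than min_src_bytes source bytes, filtered either on the
    input records (loses small teardown reports) or on the aggregated flows."""
    if filter_before_aggregation:
        return cluster(r for r in records if r.sbytes > min_src_bytes)
    return {k: f for k, f in cluster(records).items() if f.sbytes > min_src_bytes}


if __name__ == "__main__":
    for before in (True, False):
        for key, f in large_flows(SAMPLE, 100000, before).items():
            print("filter %s aggregation:" % ("before" if before else "after"),
                  key, f.pkts, f.sbytes, f.dbytes, f.status, f.records, "records")
    for r in rejected_by_filter(SAMPLE, 100000):
        print("rejected:", r.ltime, r.sbytes, r.sflags + "_" + r.dflags)
```

The analogue in the argus tools would be to apply the byte filter to the records racluster writes rather than the ones it reads, for example by writing the clustered output with `-w -` and piping it into `ra -nr -` carrying the `src bytes gt 100000` filter; that pipeline is my suggestion and not something the thread confirms.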