strange behaviour in status field

Carter Bullard carter at qosient.com
Wed Oct 28 23:24:04 EDT 2009


Normally you take the file and process it with racluster(), with no options, and all the unique flows will be consolidated.  Once they are consolidated, you can then do the testing for flow characteristics.

    racluster -r  20.gz -w - | ra -Zb - host 72.229.139.101 and src bytes gt 100000

Carter

On Oct 28, 2009, at 8:06 PM, Rodney McKee wrote:

> Carter,
>
> As always, awesome response.
> Hmmm, I did find it with the lt filter. Odd behavior, that being the case now can I produce a list of large flows that have the complete status?
> I have ended up using grep against the list without filtering on bytes for the specific flows I want but I would love to know if the ra toolset can deliver it.
>
> ----- "Carter Bullard" <carter at qosient.com> wrote:
> > Hey Rodney,
> > Yes this seems correct.  In the first aggregation, you see Syn, Reset, Push and Ack bits set for the source, and Syn, Push, Ack and Fin from the Dest.  This seems very reasonable.
> >
> > When you are aggregating only records that have 100K bytes, in your case, you filter out the status record that represents the close of the connection.  A lot of TCP connections have the termination control packets in a separate flow status report, which almost always has small numbers of bytes.  I suspect that your filter drops the records that contain the Fin and Reset indicators.
> >
> > What records are rejected by the filter?  They should contain the Reset and Fin indications.  So below I modified your filter to do the "less than".
> >
> >     racluster -nr 20.gz -Zb - host 72.229.139.101 and src bytes lt 100000
> >
> > Carter
> >
> > On Oct 28, 2009, at 5:31 PM, Rodney McKee wrote:
> >
> > > ok, added the status:10
> > >
> > > racluster -nr 20.gz -Z b -s +stime +ltime +sbytes:20 +dbytes:20 - host 72.229.139.101
> > > 2009-10-20 22:38:07.705062  e s       tcp      72.229.139.101.51653     ->       128.121.17.3.80       217559   222087604  SRPA_FSPA 2009-10-20 22:38:07.705062 2009-10-20 23:36:37.342957            218133107              3954497
> > >
> > > and
> > >
> > > racluster -nr 20.gz -Z b -s +stime +ltime +sbytes:20 +dbytes:20 - host 72.229.139.101 and src bytes gt 100000
> > > 2009-10-20 22:38:07.705062  e s       tcp      72.229.139.101.51653     ->       128.121.17.3.80       217490   222049458    SPA_SPA 2009-10-20 22:38:07.705062 2009-10-20 23:35:51.340683            218098077              3951381
> > >
>
> -- 
>
> Rodney McKee
> Linux systems administrator
> Aconex
> The easy way to save time and money on your project
>
> 696 Bourke Street, Melbourne
> Tel: +61 3 9240 0200               Fax: +61 3 9240 0299
> Email: rmckee at aconex.com      www.aconex.com
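The ordering problem Carter describes (a byte filter applied before aggregation drops the small status record that carries the FIN and RST bits, so the merged state reads SPA_SPA instead of SRPA_FSPA), as an added example that is not part of this thread or of the argus tools: a Python simulation of racluster-style merging over constructed flow status records. Only the 5-tuple and the state strings come from the thread; the byte counts, the split of flags across records, and the F S R P A print order are assumptions.

```python
"""Added example (not argus project code): simulates racluster-style merging of
Argus flow status records to show why 'src bytes gt 100000' applied before
aggregation hides the FIN/RST bits. All byte counts below are constructed."""
from dataclasses import dataclass
# Flag letters in the order ra prints them (assumed: F S R P A, which matches
# the SRPA_FSPA state shown in the thread).
FLAG_ORDER = "FSRPA"

@dataclass
class FlowRecord:
    key: str      # 5-tuple as ra prints it (from the thread)
    sbytes: int   # bytes from source in this status interval (constructed)
    dbytes: int   # bytes from destination in this status interval (constructed)
    sflags: str   # TCP flags seen from source in this interval
    dflags: str   # TCP flags seen from destination in this interval

# Bulk transfer in large status records; teardown (client RST, server FIN) in a
# small final record, the case Carter describes.
KEY = "72.229.139.101.51653 -> 128.121.17.3.80"
RECORDS = [
    FlowRecord(KEY, 150_000, 2_000_000, "SPA", "SPA"),
    FlowRecord(KEY, 120_000, 1_900_000, "PA", "PA"),
    FlowRecord(KEY, 300, 1_200, "RPA", "FPA"),
]

def merge_flags(a: str, b: str) -> str:
    """Union of flag letters, printed in FLAG_ORDER like ra's state field."""
    seen = set(a) | set(b)
    return "".join(f for f in FLAG_ORDER if f in seen)

def aggregate(records):
    """Merge records sharing a key: sum bytes, union flags (what racluster does)."""
    flows = {}
    for r in records:
        f = flows.setdefault(r.key, FlowRecord(r.key, 0, 0, "", ""))
        f.sbytes += r.sbytes
        f.dbytes += r.dbytes
        f.sflags = merge_flags(f.sflags, r.sflags)
        f.dflags = merge_flags(f.dflags, r.dflags)
    return list(flows.values())

def state(f: FlowRecord) -> str:
    return f"{f.sflags}_{f.dflags}"   # the ra state column, e.g. SRPA_FSPA

def filter_then_aggregate(records, min_sbytes):
    """Problematic order: the small teardown record never reaches the merge."""
    return aggregate([r for r in records if r.sbytes > min_sbytes])

def aggregate_then_filter(records, min_sbytes):
    """Carter's order: consolidate first, then test the whole flow's bytes."""
    return [f for f in aggregate(records) if f.sbytes > min_sbytes]
```

Running both orders over RECORDS with a 100000-byte threshold yields SPA_SPA for filter-first and SRPA_FSPA for aggregate-first, reproducing the two outputs quoted in the thread.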
