filtering by total bytes

Carter Bullard carter at qosient.com
Fri Apr 16 10:43:54 EDT 2010 

Hey Rodney,
Sorry I missed your email!!!  Can you send me a sample of flows that exhibit this problem?
It maybe that when the compiler fetches the 64-bit long long for the comparison, it grabs
something that is not aligned in your data.  I can't seem to replicate this with my data.

Carter

On Mar 11, 2010, at 7:28 PM, Rodney McKee wrote:

> Hello,
> 
> Just trying to filter out some of the larger flows with "bytes gt 1000000", and it reduced the number of flows as expected. Then tried to reduce it further with "bytes gt 1500000" expecting it would return at least some of the entries below.
> 
> Am I missing something here?
> 
> $ racluster -nr fw?.03* -s +load +sload +dload +bytes - port 12020 and host yyy.yyy.yyy.yyy and bytes gt 1000000
> ...
> 2009-12-03 17:56:04.789897  e         tcp      xxx.xxx.xxx.xxx.49816     ->     yyy.yyy.yyy.yyy.12020     11580             11736264             CON 2096867. 47820.24 18352352             11736264
> 2009-12-03 18:00:13.138702  e         tcp      xxx.xxx.xxx.xxx.56439     ->     yyy.yyy.yyy.yyy.12020      1409              1415178             CON 2382021. 54764.62 2326324.              1415178
> 2009-12-03 18:00:13.379679  e         tcp      xxx.xxx.xxx.xxx.56438     ->     yyy.yyy.yyy.yyy.12020      4238              4246460             CON 2301080. 53225.92 7028546.              4246460
> 2009-12-03 18:00:26.504711  e         tcp      xxx.xxx.xxx.xxx.56433     ->     yyy.yyy.yyy.yyy.12020      1158              1168092             CON 1975618. 45571.41 1929100.              1168092
> 2009-12-03 18:10:12.665753  e         tcp      xxx.xxx.xxx.xxx.55054     ->     yyy.yyy.yyy.yyy.12020      4255              4247654             CON 2299767. 53823.88 6988820.              4247654
> 2009-12-03 18:11:12.368370  e         tcp      xxx.xxx.xxx.xxx.55119     ->     yyy.yyy.yyy.yyy.12020      1338              1336652             CON 2139327. 49779.52 2088657.              1336652
> 
> $ racluster -nr fw?.03* -s +load +sload +dload +bytes - port 12020 and host yyy.yyy.yyy.yyy and bytes gt 1500000
> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100416/e2c6fc0d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100416/e2c6fc0d/attachment.bin>

More information about the argus mailing list