Time filters

carter at qosient.com
Fri Aug 20 09:35:44 EDT 2010


Hey Rafael,
With ragraph(), the first argument must be the metric you want to graph.  With the -D3 that you are using, ragraph() is confused, and it thinks all your parameters are a filter.

Now this may not be your problem, but if you move the -D option to the right in your command-line options, things will get better.

Ragraph() is a front end to rabins().  You may find it easier to pinpoint problems with ragraph() by running rabins() with the same parameters.

Carter 

-----Original Message-----
From: Rafael Barbosa <rrbarbosa at gmail.com>
Date: Fri, 20 Aug 2010 15:13:24 
To: Carter Bullard<carter at qosient.com>
Cc: Argus<argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] Time filters

Hi,

I finally got some time for some tests. Unfortunately I see the same
behavior, I can use time filters with 'ra' but not with 'ragraph':

$ ra  -t 2009/01/22  -r file.argus -u
1232587373.545959  e         tcp         XXX     <?>         YYY      271    65774   CON
...

$ date -r 1232587373
Thu Jan 22 02:22:53 CET 2009

$ ragraph -D5 pkts -M 5min  -t 2009/01/22  -r file.argus -title "Total Load" -w pkts-peak.png
rabins[13409.209c0370ff7f0000]: 15:06:34.878731 ArgusFilterCompile () waiting for filter process 13410 on pipe 3
rabins[13410.209c0370ff7f0000]: 15:06:34.879060 ArgusFilterCompile () calling argus_lex_init(pkts -M 5min -t 2009/01/22 -r flows/plant-net.argus)
rabins[13410.209c0370ff7f0000]: 15:06:34.879208 ArgusFilterCompile () calling argus_parse()
rabins[13409.209c0370ff7f0000]: 15:06:35.078976 ArgusFilterCompile () filter process 13410 terminated
rabins[13409.209c0370ff7f0000]: 15:06:35.079026 ArgusFilterCompile () child 13410 exited 1
rabins[13409.209c0370ff7f0000]: 15:06:35.279216 ArgusFilterCompile () done -1
rabins[13409]: 15:06:35.279266 pkts -M 5min -t 2009/01/22 -r file.argus filter syntax error
rabins[13409.209c0370ff7f0000]: 15:06:35.280209 ArgusShutDown (-1)
rabins[13409.209c0370ff7f0000]: 15:06:35.280274 ArgusDeleteQueue (0x500200) returning
rabins[13409.209c0370ff7f0000]: 15:06:35.280295 ArgusDeleteQueue (0x500260) returning
rabins[13409.209c0370ff7f0000]: 15:06:35.280463 RaParseComplete(caught signal -1)
usage: /Users/barbosarr/workspace/argus-clients-3.0.3.17/bin/ragraph metric (srcid | proto [daddr] | dport) [-title "title"] [ra-options]
/Users/barbosarr/workspace/argus-clients-3.0.3.17/bin/ragraph: unable to create `/var/tmp/tmp.0.OVxUe3.rrd': start time: unparsable time:

Both ra and ragraph are the newest version:
$ which ra ragraph
/Users/barbosarr/workspace/argus-clients-3.0.3.17/bin//ra
/Users/barbosarr/workspace/argus-clients-3.0.3.17/bin//ragraph

Let me know if I can assist you somehow with further tests.

Rafael

On Fri, Aug 6, 2010 at 10:42 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:

> I am currently on vacation (more like preparing my new house), but as soon
> as I am back in the office I will make some tests.
>
> Best regards,
> Rafael
>
>
> On Wed, Jul 28, 2010 at 4:16 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> Hey Rafael,
>> I hope the new client software has corrected the problems you encountered.
>> If there is still a problem, could you send a note?
>>
>> Thanks!!!!!
>> Carter
>>
>> On Jul 14, 2010, at 4:55 AM, Rafael Barbosa wrote:
>>
>>  *From: * Rafael Barbosa <rrbarbosa at gmail.com>
>>> *Date: *Tue, 13 Jul 2010 17:08:11 +0200
>>> *To: *Carter Bullard<carter at qosient.com>
>>> *Cc: *Argus<argus-info at lists.andrew.cmu.edu>
>>> *Subject: *Re: [ARGUS] Time filters
>>>
>>> Hi,
>>>
>>> I can confirm that in version 3.0.3.15 the time filters are being handled
>>> correctly by ra, I just did a few tests and in all of them I've got the
>>> expected results. However, I am still not able to use ragraph together with
>>> time filters. I get the same result as before (now with -D5 flag):
>>>
>>> $ragraph -D5 pkts -M 5min  -t 2009/01/22  -r file.argus -title "Total Load" -w pkts-peak.png
>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.412716 ArgusFilterCompile () waiting for filter process 21153 on pipe 3
>>> rabins[21153.20cc2670ff7f0000]: 16:51:46.412989 ArgusFilterCompile () calling argus_lex_init(pkts -M 5min -t 2009/01/22 -r flie.argus)
>>> rabins[21153.20cc2670ff7f0000]: 16:51:46.413115 ArgusFilterCompile () calling argus_parse()
>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.612906 ArgusFilterCompile () filter process 21153 terminated
>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.612955 ArgusFilterCompile () child 21153 exited 1
>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.813204 ArgusFilterCompile () done -1
>>> rabins[21152]: 16:51:46.813252 pkts -M 5min -t 2009/01/22 -r file.argus filter syntax error
>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.814104 ArgusShutDown (-1)
>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.814238 ArgusDeleteQueue (0x500200) returning
>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.814333 ArgusDeleteQueue (0x500260) returning
>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.814417 RaParseComplete(caught signal -1)
>>> usage: /Users/barbosarr/workspace/argus-clients-3.0.3.15/bin/ragraph metric (srcid | proto [daddr] | dport) [-title "title"] [ra-options]
>>> /Users/barbosarr/workspace/argus-clients-3.0.3.15/bin/ragraph: unable to create `/var/tmp/tmp.0.pU5NQN.rrd': start time: unparsable time:
>>>
>>> The patch you proposed before does not seem to be in use for version
>>> 3.0.3.15. I also tried to apply the patch myself, but the error is the same.
>>>
>>> Rafael
>>>
>>> On Tue, Jul 13, 2010 at 4:04 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>>
>>>> Did some quick tests and it seems that everything works in version
>>>> 3.0.3.15:
>>>> $./ra -D5 -t  2009/01/22.00-2009/01/22.23
>>>> ra[20791.20cc2670ff7f0000]: 15:58:35.724971 ArgusParseTime (0x512000, 0x512108, 0x7026e960,2009,  , 0.000004) retn 1232578800: 1606413180
>>>> ra[20791.20cc2670ff7f0000]: 15:58:35.725100 ArgusParseTime (0x512000, 0x512140, 0x512108,2009, -, 0.000004) retn 1232661600: 1606413176
>>>> ra[20791.20cc2670ff7f0000]: 15:58:35.728315 ArgusCheckTimeFormat (0x7026e960, 2009/01/22.00-2009/01/22.23) retn 0: 1232578800.000000-1232661600.000000
>>>> ra[20791.20cc2670ff7f0000]: 15:58:35.728330 ArgusParseTimeArg (2009/01/22.00-2009/01/22.23, 4, 0x7026e960)
>>>>
>>>> $./ra -D5 -t  2009/01/22
>>>> ra[20787.20cc2670ff7f0000]: 15:57:08.660057 ArgusParseTime (0x512000, 0x512108, 0x512140,2009,  , 0.000003) retn 1232578800: 1606413212
>>>> ra[20787.20cc2670ff7f0000]: 15:57:08.660308 ArgusCheckTimeFormat (0x7026e960, 2009/01/22) retn 0: 1232578800.000000-1232665200.000000
>>>> ra[20787.20cc2670ff7f0000]: 15:57:08.660443 ArgusParseTimeArg (2009/01/22, 4, 0x7026e960)
>>>> ra[20787.20cc2670ff7f0000]: 15:57:08.660922 ArgusAddFileList (0x512000, -, 1, -1, -1) returning 1
>>>>
>>>> And in my system:
>>>> $date -r 1232578800
>>>> Thu Jan 22 00:00:00 CET 2009
>>>> $date -r 1232661600
>>>> Thu Jan 22 23:00:00 CET 2009
>>>> $date -r 1232665200
>>>> Fri Jan 23 00:00:00 CET 2009
>>>>
>>>> I still did not have the time to replot the graphs. However, as the time
>>>> ranges are being decoded correctly, I expect everything to be OK. I will
>>>> report back if I have any further problems with these time filters.
>>>>
>>>> Thanks,
>>>> Rafael
>>>>
>>>>
>>>> On Tue, Jul 13, 2010 at 9:47 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>>>
>>>>> I will install this version and report the results better today.
>>>>> Regarding the summer time, yes we do have it, from the last Sunday of March
>>>>> to the last Sunday of October.
>>>>>
>>>>> Rafael
>>>>>
>>>>> On Tue, Jul 13, 2010 at 4:11 AM, Carter Bullard <carter at qosient.com> wrote:
>>>>>
>>>>>> Hey Rafael
>>>>>> The new argus-clients-3.0.3.15 fixes this problem.  Please
>>>>>> give this a try on your machine to see if you don't see a correction.
>>>>>>
>>>>>>    http://qosient.com/argus/dev/argus-clients-3.0.3.15.tar.gz
>>>>>>
>>>>>> Carter
>>>>>>
>>>>>>  On Jul 12, 2010, at 11:08 AM, Rafael Barbosa wrote:
>>>>>>
>>>>>> Ok. Let me try to answer all questions:
>>>>>>
>>>>>>
>>>>>> When I convert your range for Jan 22, 2009, using
>>>>>>
>>>>>> "date -r 1232492400" and "date -r 1232578800", I get the range:
>>>>>>
>>>>>>
>>>>>>>    Tue Jan 20 18:00:00 EST 2009 - Wed Jan 21 18:00:00 EST 2009
>>>>>>
>>>>>>
>>>>>>> Do you get similar results on your system?
>>>>>>
>>>>>>
>>>>>> I get a different range, by the way, I am using a MacOS X 10.6.4:
>>>>>> $ date -r 1232492400
>>>>>> Wed Jan 21 00:00:00 CET 2009
>>>>>> $ date -r 1232578800
>>>>>> Thu Jan 22 00:00:00 CET 2009
>>>>>>
>>>>>> Does this mean ra is checking the day 21 instead of 22 in my system?
>>>>>>
>>>>>> Where are you located and what timezone is your system using?
>>>>>>
>>>>>>
>>>>>> Enschede, NL - Central European Timezone (CET)
>>>>>>
>>>>>> Are you using the RA_TZ variable in your raTime.conf file? What
>>>>>>> string are you using there?
>>>>>>
>>>>>> No.
>>>>>> $ cat raTime.conf
>>>>>> RA_TIME_FORMAT="%F_%H:%M"
>>>>>>
>>>>>> What range does your client show when you use the times that do work?
>>>>>>>    ra -D5 -t  2009/01/22.00-2009/01/22.23
>>>>>>>
>>>>>> ra[9394.20cc2670ff7f0000]: 16:47:54.678576 ArgusCheckTimeFormat (0x7026e960, 2009/01/22.00-2009/01/22.23) retn 0: 1232492400-1232661600
>>>>>>
>>>>>> And how does your system interpret those time ranges?
>>>>>>
>>>>>> Wed Jan 21 00:00:00 CET 2009 - Thu Jan 22 23:00:00 CET 2009
>>>>>>
>>>>>> My understanding is that the filter "2009/01/22" is checking day 21 in
>>>>>> my system while "2009/01/22.00-2009/01/22.23" includes all flows from day 21
>>>>>> until 23h at day 22. Is that correct?
>>>>>>
>>>>>> Best regards,
>>>>>> Rafael
>>>>>>
>>>>>> ps.: In my timezone it is 5pm now, so I probably can only reply to a
>>>>>> follow up message tomorrow...
>>>>>>
>>>>>>
>>>>>>
>>
>
