Time filters

Rafael Barbosa rrbarbosa at gmail.com
Fri Aug 20 10:19:46 EDT 2010


Yes I see my error with the -D option. I had also incorrectly changed
ragraph() to use an older version of rabins(), thus the problems... It seems
that ragraph()/rabins() are working properly with time filters.

Sorry for the incorrect report.

Rafael

On Fri, Aug 20, 2010 at 3:35 PM, <carter at qosient.com> wrote:

> Hey Rafael,
> With ragraph(), the first argument must be the metric you want to graph.
> With the -D3 that you are using, ragraph() is confused, and it thinks all
> your parameters are filter.
>
> Now this may not be your problem, but if you move the -D option to the right
> in your command-line options, things will get better.
>
> Ragraph() is a front end to rabins(). You may find it easier to pinpoint
> problems with ragraph() by running rabins() with the same parameters.
>
>
> Carter
>
> Sent from my Verizon Wireless BlackBerry
> ------------------------------
> *From: * Rafael Barbosa <rrbarbosa at gmail.com>
> *Date: *Fri, 20 Aug 2010 15:13:24 +0200
> *To: *Carter Bullard<carter at qosient.com>
> *Cc: *Argus<argus-info at lists.andrew.cmu.edu>
> *Subject: *Re: [ARGUS] Time filters
>
> Hi,
>
> I finally got some time for some tests. Unfortunately I see the same
> behavior, I can use time filters with 'ra' but not with 'ragraph':
>
> $ ra  -t 2009/01/22  -r file.argus -u
> 1232587373.545959  e         tcp         XXX     <?>         YYY      271
>    65774   CON
> ...
>
> $ date -r 1232587373
> Thu Jan 22 02:22:53 CET 2009
>
> $ ragraph -D5 pkts -M 5min  -t 2009/01/22  -r file.argus -title "Total
> Load" -w pkts-peak.png
> rabins[13409.209c0370ff7f0000]: 15:06:34.878731 ArgusFilterCompile ()
> waiting for filter process 13410 on pipe 3
> rabins[13410.209c0370ff7f0000]: 15:06:34.879060 ArgusFilterCompile ()
> calling argus_lex_init(pkts -M 5min -t 2009/01/22 -r flows/plant-net.argus)
> rabins[13410.209c0370ff7f0000]: 15:06:34.879208 ArgusFilterCompile ()
> calling argus_parse()
> rabins[13409.209c0370ff7f0000]: 15:06:35.078976 ArgusFilterCompile ()
> filter process 13410 terminated
> rabins[13409.209c0370ff7f0000]: 15:06:35.079026 ArgusFilterCompile () child
> 13410 exited 1
> rabins[13409.209c0370ff7f0000]: 15:06:35.279216 ArgusFilterCompile () done
> -1
> rabins[13409]: 15:06:35.279266 pkts -M 5min -t 2009/01/22 -r file.argus
> filter syntax error
> rabins[13409.209c0370ff7f0000]: 15:06:35.280209 ArgusShutDown (-1)
> rabins[13409.209c0370ff7f0000]: 15:06:35.280274 ArgusDeleteQueue (0x500200)
> returning
> rabins[13409.209c0370ff7f0000]: 15:06:35.280295 ArgusDeleteQueue (0x500260)
> returning
> rabins[13409.209c0370ff7f0000]: 15:06:35.280463 RaParseComplete(caught
> signal -1)
> usage: /Users/barbosarr/workspace/argus-clients-3.0.3.17/bin/ragraph metric
> (srcid | proto [daddr] | dport) [-title "title"] [ra-options]
> /Users/barbosarr/workspace/argus-clients-3.0.3.17/bin/ragraph: unable to
> create `/var/tmp/tmp.0.OVxUe3.rrd': start time: unparsable time:
>
> Both ra and ragraph are the newest version:
> $ which ra ragraph
> /Users/barbosarr/workspace/argus-clients-3.0.3.17/bin//ra
> /Users/barbosarr/workspace/argus-clients-3.0.3.17/bin//ragraph
>
> Let me know if I can assist you somehow with further tests.
>
> Rafael
>
> On Fri, Aug 6, 2010 at 10:42 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>
>> I am currently on vacation (more like preparing my new house), but as soon
>> as I am back in the office I will make some tests.
>>
>> Best regards,
>> Rafael
>>
>>
>> On Wed, Jul 28, 2010 at 4:16 PM, Carter Bullard <carter at qosient.com> wrote:
>>
>>> Hey Rafael,
>>> I hope the new client software has corrected the problems you
>>> encountered.
>>> If there is still a problem, could you send a note?
>>>
>>> Thanks!!!!!
>>> Carter
>>>
>>> On Jul 14, 2010, at 4:55 AM, Rafael Barbosa wrote:
>>>
>>>  *From: * Rafael Barbosa <rrbarbosa at gmail.com>
>>>> *Date: *Tue, 13 Jul 2010 17:08:11 +0200
>>>> *To: *Carter Bullard<carter at qosient.com>
>>>> *Cc: *Argus<argus-info at lists.andrew.cmu.edu>
>>>> *Subject: *Re: [ARGUS] Time filters
>>>>
>>>> Hi,
>>>>
>>>> I can confirm that in version 3.0.3.15 the time filters are being
>>>> handled correctly by ra, I just did a few tests and in all of them I've got
>>>> the expected results. However I am still not able to use ragraph together
>>>> with time filters. I get the same result as before (now with -D5 flag):
>>>>
>>>> $ragraph -D5 pkts -M 5min  -t 2009/01/22  -r file.argus -title "Total
>>>> Load" -w pkts-peak.png
>>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.412716 ArgusFilterCompile ()
>>>> waiting for filter process 21153 on pipe 3
>>>> rabins[21153.20cc2670ff7f0000]: 16:51:46.412989 ArgusFilterCompile ()
>>>> calling argus_lex_init(pkts -M 5min -t 2009/01/22 -r flie.argus)
>>>> rabins[21153.20cc2670ff7f0000]: 16:51:46.413115 ArgusFilterCompile ()
>>>> calling argus_parse()
>>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.612906 ArgusFilterCompile ()
>>>> filter process 21153 terminated
>>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.612955 ArgusFilterCompile ()
>>>> child 21153 exited 1
>>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.813204 ArgusFilterCompile ()
>>>> done -1
>>>> rabins[21152]: 16:51:46.813252 pkts -M 5min -t 2009/01/22 -r file.argus
>>>> filter syntax error
>>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.814104 ArgusShutDown (-1)
>>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.814238 ArgusDeleteQueue
>>>> (0x500200) returning
>>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.814333 ArgusDeleteQueue
>>>> (0x500260) returning
>>>> rabins[21152.20cc2670ff7f0000]: 16:51:46.814417 RaParseComplete(caught
>>>> signal -1)
>>>> usage: /Users/barbosarr/workspace/argus-clients-3.0.3.15/bin/ragraph
>>>> metric (srcid | proto [daddr] | dport) [-title "title"] [ra-options]
>>>> /Users/barbosarr/workspace/argus-clients-3.0.3.15/bin/ragraph: unable to
>>>> create `/var/tmp/tmp.0.pU5NQN.rrd': start time: unparsable time:
>>>>
>>>> The patch you proposed before does not seem to be in use for version
>>>> 3.0.3.15. I also tried to apply the patch myself, but the error is the same.
>>>>
>>>> Rafael
>>>>
>>>> On Tue, Jul 13, 2010 at 4:04 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>>>
>>>>> Did some quick tests and it seems that everything works in version
>>>>> 3.0.3.15:
>>>>> $./ra -D5 -t  2009/01/22.00-2009/01/22.23
>>>>> ra[20791.20cc2670ff7f0000]: 15:58:35.724971 ArgusParseTime (0x512000,
>>>>> 0x512108, 0x7026e960,2009,  , 0.000004) retn 1232578800: 1606413180
>>>>> ra[20791.20cc2670ff7f0000]: 15:58:35.725100 ArgusParseTime (0x512000,
>>>>> 0x512140, 0x512108,2009, -, 0.000004) retn 1232661600: 1606413176
>>>>> ra[20791.20cc2670ff7f0000]: 15:58:35.728315 ArgusCheckTimeFormat
>>>>> (0x7026e960, 2009/01/22.00-2009/01/22.23) retn 0:
>>>>> 1232578800.000000-1232661600.000000
>>>>> ra[20791.20cc2670ff7f0000]: 15:58:35.728330 ArgusParseTimeArg
>>>>> (2009/01/22.00-2009/01/22.23, 4, 0x7026e960)
>>>>>
>>>>> $./ra -D5 -t  2009/01/22
>>>>> ra[20787.20cc2670ff7f0000]: 15:57:08.660057 ArgusParseTime (0x512000,
>>>>> 0x512108, 0x512140,2009,  , 0.000003) retn 1232578800: 1606413212
>>>>> ra[20787.20cc2670ff7f0000]: 15:57:08.660308 ArgusCheckTimeFormat
>>>>> (0x7026e960, 2009/01/22) retn 0: 1232578800.000000-1232665200.000000
>>>>> ra[20787.20cc2670ff7f0000]: 15:57:08.660443 ArgusParseTimeArg
>>>>> (2009/01/22, 4, 0x7026e960)
>>>>> ra[20787.20cc2670ff7f0000]: 15:57:08.660922 ArgusAddFileList (0x512000,
>>>>> -, 1, -1, -1) returning 1
>>>>>
>>>>> And in my system:
>>>>> $date -r 1232578800
>>>>> Thu Jan 22 00:00:00 CET 2009
>>>>> $date -r 1232661600
>>>>> Thu Jan 22 23:00:00 CET 2009
>>>>> $date -r 1232665200
>>>>> Fri Jan 23 00:00:00 CET 2009
>>>>>
>>>>> I still did not have the time to replot the graphs. However, as the
>>>>> time ranges are being decoded correctly, I expect everything to be OK. I
>>>>> will report back if I have any further problems with these time filters.
>>>>>
>>>>> Thanks,
>>>>> Rafael
>>>>>
>>>>>
>>>>> On Tue, Jul 13, 2010 at 9:47 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>>>>
>>>>>> I will install this version and report the results better today.
>>>>>> Regarding the summer time, yes we do have it, from the last Sunday of March
>>>>>> to the last Sunday of October.
>>>>>>
>>>>>> Rafael
>>>>>>
>>>>>> On Tue, Jul 13, 2010 at 4:11 AM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>
>>>>>>> Hey Rafael
>>>>>>> The new argus-clients-3.0.3.15 fixes this problem.  Please
>>>>>>> give this a try on your machine to see if you don't see a correction.
>>>>>>>
>>>>>>>    http://qosient.com/argus/dev/argus-clients-3.0.3.15.tar.gz
>>>>>>>
>>>>>>> Carter
>>>>>>>
>>>>>>>  On Jul 12, 2010, at 11:08 AM, Rafael Barbosa wrote:
>>>>>>>
>>>>>>> Ok. Let me try to answer all questions:
>>>>>>>
>>>>>>>
>>>>>>> When I convert your range for Jan 22, 2009, using
>>>>>>>
>>>>>>> "date -r 1232492400" and "date -r 1232578800", I get the range:
>>>>>>>
>>>>>>>
>>>>>>>>    Tue Jan 20 18:00:00 EST 2009 - Wed Jan 21 18:00:00 EST 2009
>>>>>>>
>>>>>>>
>>>>>>>> Do you get similar results on your system?
>>>>>>>
>>>>>>>
>>>>>>> I get a different range, by the way, I am using a MacOS X 10.6.4:
>>>>>>> $ date -r 1232492400
>>>>>>> Wed Jan 21 00:00:00 CET 2009
>>>>>>> $ date -r 1232578800
>>>>>>> Thu Jan 22 00:00:00 CET 2009
>>>>>>>
>>>>>>> Does this mean ra is checking the day 21 instead of 22 in my system?
>>>>>>>
>>>>>>> Where are you located and what timezone is your system using?
>>>>>>>
>>>>>>>
>>>>>>> Enschede, NL - Central European Timezone (CET)
>>>>>>>
>>>>>>> Are you using the RA_TZ variable in your raTime.conf file? What
>>>>>>>> string are you using there?
>>>>>>>
>>>>>>> No.
>>>>>>> $ cat raTime.conf
>>>>>>> RA_TIME_FORMAT="%F_%H:%M"
>>>>>>>
>>>>>>> What range does your client show when you use the times that do work?
>>>>>>>>    ra -D5 -t  2009/01/22.00-2009/01/22.23
>>>>>>>>
>>>>>>> ra[9394.20cc2670ff7f0000]: 16:47:54.678576 ArgusCheckTimeFormat
>>>>>>> (0x7026e960, 2009/01/22.00-2009/01/22.23) retn 0: 1232492400-1232661600
>>>>>>>
>>>>>>> And how does your system interpret those time ranges?
>>>>>>>
>>>>>>> Wed Jan 21 00:00:00 CET 2009 - Thu Jan 22 23:00:00 CET 2009
>>>>>>>
>>>>>>> My understanding is that the filter "2009/01/22" is checking day 21
>>>>>>> in my system while  "2009/01/22.00-2009/01/22.23" include all flows from day
>>>>>>> 21 until 23h at day 22. Is that correct?
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Rafael
>>>>>>>
>>>>>>> ps.: In my timezone it is 5pm now, so I probably can only reply to a
>>>>>>> follow up message tomorrow...
>>>>>>>
>>>>>>>
>>>>>>>
>>>
>>
>
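
The range check done by hand with `date -r` in the thread, as an added example (not part of the original messages and not Argus code): it parses the `ArgusCheckTimeFormat` debug lines quoted above and compares the decoded epoch range with the local-time range the `-t` expression names. Assumptions: CET is treated as a fixed UTC+1 offset (valid for January), and a `.HH` endpoint means the start of that hour, as the 3.0.3.15 output shows.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: CET in January is a fixed UTC+1 offset (no summer time).
CET = timezone(timedelta(hours=1))

# Debug lines taken from the thread, with the mail line-wrapping joined.
SAMPLE_LINES = [
    # Output reported before the 3.0.3.15 update.
    "ra[9394.20cc2670ff7f0000]: 16:47:54.678576 ArgusCheckTimeFormat "
    "(0x7026e960, 2009/01/22.00-2009/01/22.23) retn 0: 1232492400-1232661600",
    # Output reported with argus-clients-3.0.3.15.
    "ra[20791.20cc2670ff7f0000]: 15:58:35.728315 ArgusCheckTimeFormat "
    "(0x7026e960, 2009/01/22.00-2009/01/22.23) retn 0: "
    "1232578800.000000-1232661600.000000",
    "ra[20787.20cc2670ff7f0000]: 15:57:08.660308 ArgusCheckTimeFormat "
    "(0x7026e960, 2009/01/22) retn 0: 1232578800.000000-1232665200.000000",
]

LINE_RE = re.compile(
    r"ArgusCheckTimeFormat \(0x[0-9a-f]+, (?P<expr>\S+)\) retn 0: "
    r"(?P<start>\d+)(?:\.\d+)?-(?P<end>\d+)(?:\.\d+)?"
)

def _point(text):
    """Parse YYYY/MM/DD or YYYY/MM/DD.HH as local time in CET."""
    fmt = "%Y/%m/%d.%H" if "." in text else "%Y/%m/%d"
    return datetime.strptime(text, fmt).replace(tzinfo=CET)

def expected_range(expr):
    """Epoch (start, end) that the -t expression should decode to."""
    if "-" in expr:
        lo, hi = expr.split("-", 1)
        return int(_point(lo).timestamp()), int(_point(hi).timestamp())
    start = _point(expr)  # bare date: the whole local calendar day
    return int(start.timestamp()), int((start + timedelta(days=1)).timestamp())

def check(line):
    """Return decoded vs expected range and the drift in seconds, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    got = (int(m["start"]), int(m["end"]))
    want = expected_range(m["expr"])
    return {"expr": m["expr"], "got": got, "want": want,
            "start_drift_s": got[0] - want[0], "end_drift_s": got[1] - want[1]}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(check(line))
```

A non-zero drift means the filter selects flows outside the window the analyst asked for; the first sample line starts a full day early.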