Racluster discarding packet loss data

Bart Roos roos at fox-it.com
Thu Jan 28 11:51:40 EST 2010


Hi Carter,

Did you already manage to fix this particular bug?

Thanks,
Bart

-----Original Message-----
From: argus-info-bounces+roos=fox-it.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+roos=fox-it.com at lists.andrew.cmu.edu] On Behalf Of Carter Bullard
Sent: Monday 14 December 2009 16:12
To: Bart Roos
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Racluster discarding packet loss data

Hey Bart,
Looks like we've got a bug and I don't have a fix yet, but I do have a
potential workaround for you.

If you run racluster() using default parameters before running racluster()
with the flow key modifications, you'll get loss back (at least for this file).

    racluster -w -  -r argus.log* | racluster -s +loss -m proto saddr

There are 3 types of TCP DSRs, and it may be that the bug is in dealing
with the loss stats when merging with a TCP matching flow that uses
a different TCP DSR (that doesn't have loss stats).

Try this workaround, and I'll look for a fix later today,

Carter

On Dec 13, 2009, at 8:04 AM, Bart Roos wrote:

> Hello everyone,
>
> I am trying to collect packet loss data for a particular host in a LAN
> segment using the following racluster command:
>
> $ racluster -r argus.log -m saddr -s loss - tcp and src host 10.10.0.12
>         0
>
> The racluster output does not report any packet loss, but counting the
> packet loss from individual argus records does show some loss:
>
> $ ra -r argus.log -s loss - tcp and src host 10.10.0.12 | \
>  awk '{c+=$1;} END {print c;}'
> 217
>
> Why is racluster discarding the packet loss data? Is this a bug, or am I
> doing something wrong? I'm running the 3.0.2 server and clients.
>
> Thanks,
> Bart
>



