Racluster discarding packet loss data
Bart Roos
roos at fox-it.com
Thu Jan 28 11:51:40 EST 2010
Hi Carter,
Did you already manage to fix this particular bug?
Thanks,
Bart
-----Original Message-----
From: argus-info-bounces+roos=fox-it.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+roos=fox-it.com at lists.andrew.cmu.edu] On Behalf Of Carter Bullard
Sent: Monday 14 December 2009 16:12
To: Bart Roos
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Racluster discarding packet loss data
Hey Bart,
Looks like we've got a bug and I don't have a fix yet, but I do have a
potential workaround for you.
If you run racluster() using default parameters before running racluster()
with the flow key modifications, you'll get loss back (at least for
this file).
racluster -w - -r argus.log* | racluster -s +loss -m proto saddr
There are 3 types of TCP DSRs, and it may be that the bug is in dealing
with the loss stats when merging with a TCP matching flow that uses
a different TCP DSR (that doesn't have loss stats).
Try this workaround, and I'll look for a fix later today,
Carter
On Dec 13, 2009, at 8:04 AM, Bart Roos wrote:
> Hello everyone,
>
> I am trying to collect packet loss data for a particular host in a LAN
> segment using the following racluster command:
>
> $ racluster -r argus.log -m saddr -s loss - tcp and src host 10.10.0.12
> 0
>
> The racluster output does not report any packet loss, but counting the
> packet loss from individual argus records does show some loss:
>
> $ ra -r argus.log -s loss - tcp and src host 10.10.0.12 | \
> awk '{c+=$1;} END {print c;}'
> 217
>
> Why is racluster discarding the packet loss data? Is this a bug, or am I
> doing something wrong? I'm running the 3.0.2 server and clients.
>
> Thanks,
> Bart
>