racluster and trans

Rafael Barbosa rrbarbosa at gmail.com
Wed Jul 21 11:04:28 EDT 2010


 Hi,

I have been having some problems with inconsistent output from ragraph
plotting Trans. I get different graphs when comparing the results from the
"original" with the ones reduced with racluster.

I dug a bit and found this old bug that might be related (
http://thread.gmane.org/gmane.network.argus/6686/focus=6741):

> Second, it seems racluster isn't adding up the trans field correctly, here
> is an example
>
> ra -r file.argus -s saddr trans
>       27.8.77.166      1
>       27.8.77.166      1
>       18.9.27.219      1
>       18.9.27.219      1
>      18.86.96.147      1
>      18.86.96.147      1
>     19.32.203.136      1
>     19.32.203.136      1
>
> racluster -r file.argus -m saddr -s saddr trans
>     19.32.203.136      4
>      18.86.96.147      3
>       18.9.27.219      4
>       27.8.77.166      3


This is what I get when I run something similar in one of my files:

ra -r file.argus -s saddr trans | sort
        10.16.4.11      1
        10.16.4.12      1
        10.16.4.21      1
        10.16.4.21      1
        10.16.4.21      1
        10.16.4.21      1
        10.16.4.21      1
        10.16.4.21      1
        10.16.4.21      1
        10.16.4.21      1
        10.16.4.21      1
        10.16.4.21      1
        10.16.4.21      1
        10.16.4.21      1
        10.16.4.21      1
        10.16.4.22      1
        10.16.4.53      1
        10.16.4.53      1
        10.16.4.54      1
        10.16.4.54      1
        10.16.4.55      1
        10.16.4.71      1
        10.16.4.71      1
       10.16.5.249      1

racluster -r file.argus -m saddr -s saddr trans | sort
        10.16.4.11      1
        10.16.4.12      1
        10.16.4.21     13
        10.16.4.22      1
        10.16.4.53      1
        10.16.4.54      2
        10.16.4.55      1
        10.16.4.71      2
       10.16.5.249      1

The count for 10.16.4.53 should be 2. I think there is a bug in racluster
when calculating trans. Here is another weird result:

ra -r big.file -N 100 -w test
racluster -r test -w test.cluster
rabins -m srcid -M hard time 5s -r test -s stime trans
   14:37:15.000000     62
   14:37:20.000000     72
   14:37:25.000000     19

rabins -m srcid -M hard time 5s -r test.cluster -s stime trans
   14:37:15.000000     81
   14:37:20.000000     76
   14:37:25.000000     36

I get the same result if I use rasplit and later on racluster, instead of
rabins.

Thanks,
Rafael
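
The by-hand comparison in the message above can be automated; the following is an added example, not part of the original message and not code from the Argus project. It assumes an aggregated trans value should equal the sum of trans over the unaggregated records for the same key, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample: an excerpt of the two listings in the message above.
RA_TEXT = """\
        10.16.4.53      1
        10.16.4.53      1
        10.16.4.54      1
        10.16.4.54      1
        10.16.4.55      1
        10.16.4.71      1
        10.16.4.71      1
       10.16.5.249      1
"""
RACLUSTER_TEXT = """\
        10.16.4.53      1
        10.16.4.54      2
        10.16.4.55      1
        10.16.4.71      2
       10.16.5.249      1
"""


def parse_key_trans(text):
    """Parse two-column "key trans" output into (key, trans) pairs."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, column headers and anything that is not "key count".
        if len(fields) == 2 and fields[1].isdigit():
            rows.append((fields[0], int(fields[1])))
    return rows


def total_by_key(text):
    """Sum trans per key (saddr here; a time bin for rabins output)."""
    totals = Counter()
    for key, trans in parse_key_trans(text):
        totals[key] += trans
    return totals


def trans_mismatches(ra_text, aggregated_text):
    """Return {key: (sum over first listing, value in second)} where they differ.

    Assumption: both listings should carry the same trans total per key.
    """
    expected, reported = total_by_key(ra_text), total_by_key(aggregated_text)
    return {k: (expected[k], reported[k])
            for k in sorted(expected.keys() | reported.keys())
            if expected[k] != reported[k]}


if __name__ == "__main__":
    for key, (want, got) in trans_mismatches(RA_TEXT, RACLUSTER_TEXT).items():
        print(f"{key}: ra records sum to {want}, racluster reports {got}")
```

The same comparison works on the two rabins listings, since the first column can be any key such as stime.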