Time filters

Carter Bullard carter at qosient.com
Wed Jul 28 10:16:42 EDT 2010


Hey Rafael,
I hope the new client software has corrected the problems you encountered.
If there is still a problem, could you send a note?

Thanks!!!!!
Carter

On Jul 14, 2010, at 4:55 AM, Rafael Barbosa wrote:

> From: Rafael Barbosa <rrbarbosa at gmail.com>
> Date: Tue, 13 Jul 2010 17:08:11 +0200
> To: Carter Bullard<carter at qosient.com>
> Cc: Argus<argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Time filters
> 
> Hi,
> 
> I can confirm that in version 3.0.3.15 the time filters are being handled correctly by ra. I just did a few tests and in all of them I've got the expected results. However, I am still not able to use ragraph together with time filters. I get the same result as before (now with the -D5 flag):
> 
> $ragraph -D5 pkts -M 5min  -t 2009/01/22  -r file.argus -title "Total Load" -w pkts-peak.png
> rabins[21152.20cc2670ff7f0000]: 16:51:46.412716 ArgusFilterCompile () waiting for filter process 21153 on pipe 3
> rabins[21153.20cc2670ff7f0000]: 16:51:46.412989 ArgusFilterCompile () calling argus_lex_init(pkts -M 5min -t 2009/01/22 -r flie.argus)
> rabins[21153.20cc2670ff7f0000]: 16:51:46.413115 ArgusFilterCompile () calling argus_parse()
> rabins[21152.20cc2670ff7f0000]: 16:51:46.612906 ArgusFilterCompile () filter process 21153 terminated
> rabins[21152.20cc2670ff7f0000]: 16:51:46.612955 ArgusFilterCompile () child 21153 exited 1
> rabins[21152.20cc2670ff7f0000]: 16:51:46.813204 ArgusFilterCompile () done -1
> rabins[21152]: 16:51:46.813252 pkts -M 5min -t 2009/01/22 -r file.argus filter syntax error
> rabins[21152.20cc2670ff7f0000]: 16:51:46.814104 ArgusShutDown (-1)
> rabins[21152.20cc2670ff7f0000]: 16:51:46.814238 ArgusDeleteQueue (0x500200) returning
> rabins[21152.20cc2670ff7f0000]: 16:51:46.814333 ArgusDeleteQueue (0x500260) returning
> rabins[21152.20cc2670ff7f0000]: 16:51:46.814417 RaParseComplete(caught signal -1)
> usage: /Users/barbosarr/workspace/argus-clients-3.0.3.15/bin/ragraph metric (srcid | proto [daddr] | dport) [-title "title"] [ra-options]
> /Users/barbosarr/workspace/argus-clients-3.0.3.15/bin/ragraph: unable to create `/var/tmp/tmp.0.pU5NQN.rrd': start time: unparsable time:
> 
> The patch you proposed before does not seem to be in use for version 3.0.3.15. I also tried to apply the patch myself, but the error is the same.
> 
> Rafael
> 
> On Tue, Jul 13, 2010 at 4:04 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
> Did some quick tests and it seems that everything works in version 3.0.3.15:
> $./ra -D5 -t  2009/01/22.00-2009/01/22.23
> ra[20791.20cc2670ff7f0000]: 15:58:35.724971 ArgusParseTime (0x512000, 0x512108, 0x7026e960,2009,  , 0.000004) retn 1232578800: 1606413180
> ra[20791.20cc2670ff7f0000]: 15:58:35.725100 ArgusParseTime (0x512000, 0x512140, 0x512108,2009, -, 0.000004) retn 1232661600: 1606413176
> ra[20791.20cc2670ff7f0000]: 15:58:35.728315 ArgusCheckTimeFormat (0x7026e960, 2009/01/22.00-2009/01/22.23) retn 0: 1232578800.000000-1232661600.000000
> ra[20791.20cc2670ff7f0000]: 15:58:35.728330 ArgusParseTimeArg (2009/01/22.00-2009/01/22.23, 4, 0x7026e960)
> 
> $./ra -D5 -t  2009/01/22
> ra[20787.20cc2670ff7f0000]: 15:57:08.660057 ArgusParseTime (0x512000, 0x512108, 0x512140,2009,  , 0.000003) retn 1232578800: 1606413212
> ra[20787.20cc2670ff7f0000]: 15:57:08.660308 ArgusCheckTimeFormat (0x7026e960, 2009/01/22) retn 0: 1232578800.000000-1232665200.000000
> ra[20787.20cc2670ff7f0000]: 15:57:08.660443 ArgusParseTimeArg (2009/01/22, 4, 0x7026e960)
> ra[20787.20cc2670ff7f0000]: 15:57:08.660922 ArgusAddFileList (0x512000, -, 1, -1, -1) returning 1
> 
> And in my system:
> $date -r 1232578800
> Thu Jan 22 00:00:00 CET 2009
> $date -r 1232661600
> Thu Jan 22 23:00:00 CET 2009
> $date -r 1232665200
> Fri Jan 23 00:00:00 CET 2009
> 
> I still did not have the time to replot the graphs. However, as the time ranges are being decoded correctly, I expect everything to be OK. I will report back if I have any further problems with these time filters.
> 
> Thanks,
> Rafael
> 
> 
> On Tue, Jul 13, 2010 at 9:47 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
> I will install this version and report the results better today. Regarding the summer time, yes we do have it, from the last Sunday of March to the last Sunday of October.
> 
> Rafael
> 
> On Tue, Jul 13, 2010 at 4:11 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey Rafael
> The new argus-clients-3.0.3.15 fixes this problem.  Please
> give this a try on your machine to see if you don't see a correction.
> 
>    http://qosient.com/argus/dev/argus-clients-3.0.3.15.tar.gz
> 
> Carter
> 
> On Jul 12, 2010, at 11:08 AM, Rafael Barbosa wrote:
> 
>> Ok. Let me try to answer all questions:
>> 
>> When I convert your range for Jan 22, 2009, using
>> "date -r 1232492400" and "date -r 1232578800", I get the range:
>> 
>>    Tue Jan 20 18:00:00 EST 2009 - Wed Jan 21 18:00:00 EST 2009
>> 
>> Do you get similar results on your system?
>> 
>> I get a different range (by the way, I am using MacOS X 10.6.4):
>> $ date -r 1232492400
>> Wed Jan 21 00:00:00 CET 2009
>> $ date -r 1232578800
>> Thu Jan 22 00:00:00 CET 2009
>> 
>> Does this mean ra is checking the day 21 instead of 22 in my system?
>> 
>> Where are you located and what timezone is your system using?
>> 
>> Enschede, NL - Central European Timezone (CET)
>> 
>> Are you using the RA_TZ variable in your raTime.conf file? What string are you using there?
>> No.  
>> $ cat raTime.conf 
>> RA_TIME_FORMAT="%F_%H:%M"
>> 
>> What range does your client show when you use the times that do work?
>>    ra -D5 -t  2009/01/22.00-2009/01/22.23
>> ra[9394.20cc2670ff7f0000]: 16:47:54.678576 ArgusCheckTimeFormat (0x7026e960, 2009/01/22.00-2009/01/22.23) retn 0: 1232492400-1232661600
>> 
>> And how does your system interpret those time ranges?
>> Wed Jan 21 00:00:00 CET 2009 - Thu Jan 22 23:00:00 CET 2009 
>> 
>> My understanding is that the filter "2009/01/22" is checking day 21 in my system, while "2009/01/22.00-2009/01/22.23" includes all flows from day 21 until 23h on day 22. Is that correct?
>> 
>> Best regards,
>> Rafael
>> 
>> ps.: In my timezone it is 5pm now, so I can probably only reply to a follow-up message tomorrow...
>>  
>> 
