Argus giving wrong bytes results ?

Peter Van Epp vanepp at sfu.ca
Sun Jun 6 14:50:36 EDT 2010 

On Sun, Jun 06, 2010 at 09:31:42AM +0200, Reykjavik hindisvik wrote:
> Hello,
> 
> I would like to use argus to draw graph of bandwidth usage for our network.
> Today, I'm using SNMP which give me a graph of my bandwidth, and I've setup
> Argus which draw the same graph for the same Network Interface but does not
> give me the same results at all...
> 
> I can't believe it's a bug but I bet it's just a different way to get the
> packets and maybe there's an option to get the same results as I have with
> SNMP.
> 
> For example : When I download a 130Mb File, SNMP show me 130MB, but Argus
> show me much more (maybe be it includes size of header or something that
> SNMP don't...) and for me the result in the right.
> So my question is :
> 
> 1) What does exactly makes the difference ?

	Without knowing what the SNMP is reading we can't be sure, but by 
default argus will display traffic on the wire including headers and 
tcp retransmissions. That actually gives you a better idea of the actual
traffic on your network than just good put, but good put is available if 
desired.

> 2) Is there a way to get the same results (option or something...)

	Assuming SNMP is only displaying application bytes and you are using
ra to get the counts, then the option -s +appbytes 
(or -s +sappbytes -s +dappbytes if you want both ways rather than a total)
will give you only the application bytes supressing headers and retransmitted
packets (although as noted this gives you a distorted picture of the actual
busyness of your network). If you are using one of the aggregators you should
be able to choose appbytes as the aggregation field. You may need to put a 
field length on the output if the counts are large (the ra man page has 
details). 

> 3) Maybe I can recount it after with a math formula to get the same results,
> but which formula ?

	You can but its somewhat difficult in that you need to know the 
header sizes and retransmit rate. It wiil be much easier and probably more
accurate to use appbytes though. 
> 
> Thanx for your ideas.
> 
> Best regards,
> 
> H.

Peter Van Epp

More information about the argus mailing list