Argus giving wrong bytes results ?
Peter Van Epp
vanepp at sfu.ca
Mon Jun 7 21:15:54 EDT 2010
On Mon, Jun 07, 2010 at 12:23:23PM +0200, Reykjavik hindisvik wrote:
> Hello,
>
> Thank you for your answers. I have tried using sapp_bytes and dapp_bytes,
> the result downloading a file seems to be correct but it does not fix my
> issue : Outbound traffic is not really OK and Inbound is absolutely wrong
> (50Mb instead of 100Mb...)
>
> What I would like to do is to use the result of racount -r
> xxx.xxx.xxx.xxx.ra to draw a graph with cacti.
> One problem is the ra file will be huge so I'm compelled to rotate it every
> 5 minutes, and I have to tell Cacti it's a Gauge data source, not a counter
> data source.
> Has anyone ever tried to do this?
> Is there an argus command which will be more appropriate than racount ?
>
> Before using Argus I was using SNMP with InOctets and OutOctet, and on Linux
> devices I was using Iptables+accounting (which was giving me a COUNTER type
> cacti value).
>
<snip>
My bad :-) I should have realized you were likely using snmp interface
counters and thus would run in to the different flow model problem. I'm
likely not the one to point you at the correct client (as I rarely use anything
but ra) but you likely want one of the aggregators probably raplot which I
think will generate rrd data (which in turn is what cacti likes to plot).
The problem as Carter mentioned is that argus sets source and destination by
who sent the syn not the interface. That means to get the data that you want
you need to generate rmon data (which generates twice the traffic, once for
each direction as the source) and then filter that based on either the
gateway MAC address of the local router (if you have multiple hosts behind it
this is likely the only one that will work) or the MAC of the destination
host so that you get data that is tied to the physical interface so the
directions are correct. As well by default (which you may have already
discovered) the counts are src+dst although the -s option can be used to
break them out to individual counts. I expect that given the explanation
of what you want to do Carter will reel off a command line that will do it
for you :-).
As well you can capture the data that argus is seeing using tcpdump
to a file and then feed that through argus via argus -r file.pcap so you
can see what the argus output looks like for a given input and thus whether
it is correct or not.
Peter Van Epp
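Added illustration (editor's example, not part of the thread or of the argus tools) of the flow-model problem Peter describes: argus labels src/dst by who sent the SYN, so summing sbytes as "outbound" and dbytes as "inbound" is wrong for any flow initiated from outside, whereas deciding direction by whether the gateway MAC is on the source or destination side gives the same numbers an interface counter would. The whitespace-separated record layout, the gateway MAC, the sample flows and the gauge_rate helper are all assumptions constructed for the example; the exact column format of a real ra -s run is not taken from the post.

```python
"""Interface-direction byte accounting from initiator-oriented flow records.

Editor's added example, not code from the argus project or the mailing-list
post. The record layout is a constructed whitespace-separated form of the
fields one might select with 'ra -s smac dmac saddr daddr sbytes dbytes';
the real output format is an assumption here.
"""
from dataclasses import dataclass

GATEWAY_MAC = "00:11:22:33:44:55"  # assumed MAC of the local router


@dataclass
class Flow:
    smac: str
    dmac: str
    saddr: str
    daddr: str
    sbytes: int  # bytes sent by the initiator (the side that sent the SYN)
    dbytes: int  # bytes sent by the responder


# Constructed sample records, src = initiator as argus would report them:
#  1. inside host 10.0.0.5 downloads ~100 MB from an outside server
#  2. outside host 198.51.100.7 uploads ~50 MB to an inside server
#  3. a purely local flow that never crosses the gateway
SAMPLE = """\
aa:aa:aa:aa:aa:01 00:11:22:33:44:55 10.0.0.5     203.0.113.9  2000000   100000000
00:11:22:33:44:55 aa:aa:aa:aa:aa:02 198.51.100.7 10.0.0.8     50000000  3000000
aa:aa:aa:aa:aa:01 aa:aa:aa:aa:aa:02 10.0.0.5     10.0.0.8     700000    900000
"""


def parse_flows(text):
    """Parse the constructed six-column record format into Flow objects."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip header or blank lines
        smac, dmac, saddr, daddr, sbytes, dbytes = parts
        flows.append(Flow(smac, dmac, saddr, daddr, int(sbytes), int(dbytes)))
    return flows


def by_initiator(flows):
    """Naive mapping: sbytes = outbound, dbytes = inbound.

    Only correct when every flow is initiated from inside; a flow initiated
    by an outside host gets its directions swapped."""
    outbound = sum(f.sbytes for f in flows)
    inbound = sum(f.dbytes for f in flows)
    return inbound, outbound


def by_interface(flows, gateway_mac):
    """Direction decided by which side of the flow carries the gateway MAC,
    which is what an interface counter on the router would see."""
    inbound = outbound = 0
    for f in flows:
        if f.smac == gateway_mac:      # initiator is outside: its bytes came in
            inbound += f.sbytes
            outbound += f.dbytes
        elif f.dmac == gateway_mac:    # initiator is inside: its bytes went out
            outbound += f.sbytes
            inbound += f.dbytes
        # else: local flow, never crossed the gateway interface, not counted
    return inbound, outbound


def gauge_rate(byte_count, interval_seconds=300):
    """Average bytes/s over one rotated capture file: the Gauge-type value a
    5-minute rotation would feed to a grapher, as opposed to a running
    COUNTER like an SNMP ifInOctets value. (Helper assumed for the example.)"""
    return byte_count / interval_seconds


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("initiator view (in, out):", by_initiator(flows))
    print("interface view (in, out):", by_interface(flows, GATEWAY_MAC))
    print("inbound gauge, bytes/s:", gauge_rate(by_interface(flows, GATEWAY_MAC)[0]))
```

With the sample above the initiator view reports roughly 104 MB in and 53 MB out, while the interface view reports 150 MB in and 5 MB out: the 50 MB upload initiated from outside is the whole difference, which is the kind of halved inbound figure the original question describes.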
More information about the argus mailing list