Argus giving wrong bytes results ?

carter at qosient.com
Tue Jun 8 06:33:46 EDT 2010


There is a HUGE difference between per transaction flow data and interface counters.  If you simply print out your Argus data, you can see this.

   ra -r argus.data.file 

You have to transform the bi-directional flow data, that accounts for conversations, into RMON style data, that counts ingress and egress packets based on a layer 2 address.

If you want to compare SNMP interface counters with Argus data, you will need to use any aggregator, such as racluster, ragator, or rabins, using the "rmon" mode, modifying the flow key to track one of the MAC addresses in the records.

   racluster -m smac -M rmon -r argus.data.file

Now the src and dst counters will look like interface egress and ingress counters, respectively.

ragraph() supports this style of aggregation.

   ragraph sbytes dbytes -t time 5s -m smac -M rmon -r argus.data.file

BUT, you will have to modify your argus.conf to enable ARGUS_GENERATE_MAC_DATA so that you have layer 2 information in your argus data.

Carter 




-----Original Message-----
From: Reykjavik hindisvik <hindisvik at gmail.com>
Date: Mon, 7 Jun 2010 12:23:23 
To: <carter at qosient.com>
Cc: <argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu>; Argus<argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] Argus giving wrong bytes results ?

Hello,

Thank you for your answers. I have tried using sapp_bytes and dapp_bytes,
the result downloading a file seems to be correct but it does not fix my
issue : Outbound traffic is not really OK and Inbound is absolutely wrong
(50Mb instead of 100Mb...)

What I would like to do is to use the result of racount -r
xxx.xxx.xxx.xxx.ra to draw a graph with cacti.
One problem is the ra file will be huge so I'm compelled to rotate it every
5 minutes, and I have to tell Cacti it's a Gauge data source, not a counter
data source.
Has anyone ever tried to do this?
Is there an argus command which will be more appropriate than racount ?

Before using Argus I was using SNMP with InOctets and OutOctet, and on Linux
devices I was using Iptables+accounting (which was giving me a COUNTER type
cacti value).

Here is my agent server conf file :

ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
ARGUS_DAEMON=yes
ARGUS_MONITOR_ID=`hostname`
ARGUS_ACCESS_PORT=561
ARGUS_INTERFACE=eth1
ARGUS_SET_PID=yes
ARGUS_PID_PATH="/var/run"
ARGUS_FLOW_STATUS_INTERVAL=0.5
ARGUS_MAR_STATUS_INTERVAL=60
ARGUS_DEBUG_LEVEL=0
ARGUS_GENERATE_RESPONSE_TIME_DATA=no
ARGUS_GENERATE_PACKET_SIZE=no
ARGUS_GENERATE_JITTER_DATA=no
ARGUS_GENERATE_MAC_DATA=no
ARGUS_GENERATE_APPBYTE_METRIC=yes

Thank you for your ideas, I'm a bit stuck...

H.


2010/6/7 <carter at qosient.com>

> Also, Argus uses a different definition for source and destination since
> Argus works with flow data not interface data, and that can cause confusion.
>
> What are the differences that you are seeing? How are you running the
> client programs?
>
> Carter
>
> ------------------------------
> *From: * Reykjavik hindisvik <hindisvik at gmail.com>
> *Date: *Sun, 6 Jun 2010 09:31:42 +0200
> *To: *<argus-info at lists.andrew.cmu.edu>
> *Subject: *[ARGUS] Argus giving wrong bytes results ?
>
> Hello,
>
> I would like to use argus to draw graph of bandwidth usage for our network.
> Today, I'm using SNMP which gives me a graph of my bandwidth, and I've setup
> Argus which draws the same graph for the same Network Interface but does not
> give me the same results at all...
>
> I can't believe it's a bug but I bet it's just a different way to get the
> packets and maybe there's an option to get the same results as I have with
> SNMP.
>
> For example : When I download a 130Mb File, SNMP shows me 130MB, but Argus
> shows me much more (maybe it includes size of header or something that
> SNMP doesn't...) and for me the result in the right.
> So my question is :
>
> 1) What exactly makes the difference ?
> 2) Is there a way to get the same results (option or something...)
> 3) Maybe I can recount it after with a math formula to get the same
> results, but which formula ?
>
> Thanx for your ideas.
>
> Best regards,
>
> H.
>
>
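
An added example, not part of the thread and not Argus code: a sketch of the transform Carter describes above, folding bidirectional flow records into per-MAC egress/ingress counters in 5-second bins. The sample records, field layout and function names are constructed for illustration, and binning by flow start time is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample flows (not from the thread): each record is one
# bidirectional conversation as a flow monitor would report it.
# Fields: start time (s), src MAC, dst MAC, bytes src->dst, bytes dst->src.
FLOWS = [
    (0.4, "00:00:5e:00:53:01", "00:00:5e:00:53:fe", 1_200, 90_000),
    (2.1, "00:00:5e:00:53:02", "00:00:5e:00:53:fe", 800, 4_000),
    (3.9, "00:00:5e:00:53:fe", "00:00:5e:00:53:01", 5_000, 300),
    (6.2, "00:00:5e:00:53:01", "00:00:5e:00:53:fe", 700, 60_000),
]

def rmon_counters(flows, bin_seconds=5):
    """Fold bidirectional flows into per-MAC, per-time-bin counters.

    Every flow is counted twice: once keyed on its source MAC as-is, and
    once keyed on its destination MAC with the two byte counts swapped.
    After that, "egress" is what the keyed MAC sent and "ingress" is what
    it received, regardless of which side opened the conversation.
    """
    table = defaultdict(lambda: {"egress": 0, "ingress": 0})
    for start, smac, dmac, sbytes, dbytes in flows:
        # Assumption: a flow is charged to the bin containing its start time.
        bin_start = int(start // bin_seconds) * bin_seconds
        table[(bin_start, smac)]["egress"] += sbytes
        table[(bin_start, smac)]["ingress"] += dbytes
        table[(bin_start, dmac)]["egress"] += dbytes
        table[(bin_start, dmac)]["ingress"] += sbytes
    return dict(table)

def flow_view(flows):
    """Naive totals of the src/dst byte columns, ignoring who initiated."""
    return sum(f[3] for f in flows), sum(f[4] for f in flows)

if __name__ == "__main__":
    print("flow src/dst totals:", flow_view(FLOWS))
    for (bin_start, mac), c in sorted(rmon_counters(FLOWS).items()):
        print(f"t={bin_start:>2}s {mac} "
              f"egress={c['egress']:>6} ingress={c['ingress']:>6}")
```

The naive src/dst totals depend on which host opened each conversation, while the per-MAC rows for `00:00:5e:00:53:fe` are the figures comparable to that interface's out and in octet counters.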
