Argus giving wrong bytes results ?
Mike Tancsa
mike at sentex.ca
Thu Jun 10 11:11:41 EDT 2010
At 11:08 AM 6/10/2010, Carter Bullard wrote:
>Hey Mike,
>I'll need to get either your argus data file, or a flow-tools like
>netflow file, or the pcap to fix this problem,
>if that is workable for you. Can't seem to replicate it here with
>anything I have.
Hi,
I was just putting it together when your email came in :) I
will send offlist.
---Mike
>Carter
>
>On Jun 8, 2010, at 2:44 PM, Mike Tancsa wrote:
>
> >
> > Actually, I think I found what might be a bug in radium at
> least. Using the lastest dev version (Radium Version 3.0.3.11), I
> get some strange netflow results as compared to radium 3.0.2. The
> packet counts should be 5, not 36028797. I can send pcaps offline
> of the netflow data if you like. Its just from a tiny cisco Frame
> router. Starting up the old version of radium gives the correct
> results. I use the same .conf file for both.
> >
> > 12:28:53.988000
> Ne tcp 192.168.135.81.51857 ->
> 10.10.197.3.9010 5 402 FSPA_
> > 12:28:54.709000
> Ne tcp 192.168.135.81.55318 ->
> 10.10.197.3.9010 5 386 FSPA_
> > 12:28:55.517000
> Ne tcp 192.168.135.81.53690 ->
> 10.10.197.3.9010 5 403 FSPA_
> > 12:28:55.617000
> Ne tcp 192.168.135.81.60303 ->
> 10.10.197.3.9010 5 403 FSPA_
> > 12:28:58.433000
> Ne tcp 192.168.135.81.60752 ->
> 10.10.197.3.9010 5 403 FSPA_
> > 12:28:58.713000
> Ne tcp 192.168.135.81.57136 ->
> 10.10.197.3.9010 5 403 FSPA_
> > 12:29:02.969000
> Ne tcp 192.168.135.81.60152 ->
> 10.10.197.3.9010 5 401 FSPA_
> > 12:29:04.297000
> Ne tcp 192.168.135.81.53716 ->
> 10.10.197.3.9010 36028797 8358962383 FSPA_
> > 12:29:07.231000
> Ne tcp 192.168.135.81.51299 ->
> 10.10.197.3.9010 36028797 8358962383 FSPA_
> > 12:29:15.879000
> Ne tcp 192.168.135.81.58679 ->
> 10.10.197.3.9010 5 401 FSPA_
> > 12:29:17.887000
> Ne tcp 192.168.135.81.50642 ->
> 10.10.197.3.9010 5 403 FSPA_
> > 12:29:19.111000
> Ne tcp 192.168.135.81.55935 ->
> 10.10.197.3.9010 36028797 8358962383 FSPA_
> > 12:29:19.603000
> Ne tcp 192.168.135.81.51737 ->
> 10.10.197.3.9010 36028797 8431019977 FSPA_
> > 12:29:25.389000
> Ne tcp 192.168.135.81.56375 ->
> 10.10.197.3.9010 5 411 FSPA_
> > 12:29:29.993000
> Ne tcp 192.168.135.81.64352 ->
> 10.10.197.3.9010 36028797 8286904789 FSPA_
> > 12:29:30.121000
> Ne tcp 192.168.135.81.53483 ->
> 10.10.197.3.9010 5 403 FSPA_
> > 12:29:41.178000
> Ne tcp 192.168.135.81.51055 ->
> 10.10.197.3.9010 5 386 FSPA_
> > 12:29:46.166000
> Ne tcp 192.168.135.81.52996 ->
> 10.10.197.3.9010 5 386 FSPA_
> > 12:29:46.590000
> Ne tcp 192.168.135.81.65290 ->
> 10.10.197.3.9010 5 401 FSPA_
> > 12:29:48.298000
> Ne tcp 199.212.135.83.54323 ->
> 10.10.197.3.9010 5 387 FSPA_
> > 12:29:50.778000
> Ne tcp 192.168.135.81.53839 ->
> 10.10.197.3.9010 36028797 7926616819 FSPA_
> > 12:29:52.671000
> Ne tcp 192.168.135.81.55540 ->
> 10.10.197.3.9010 36028797 7998674413 FSPA_
> > 12:29:54.507000
> Ne tcp 192.168.135.81.59975 ->
> 10.10.197.3.9010 5 386 FSPA_
> >
> >
> > At 06:33 AM 6/8/2010, carter at qosient.com wrote:
> >> There is a HUGE difference between per transaction flow data and
> interface counters. If you simply print out your Argus data, you
> can see this. ra -r argus.data.file You have to transform the
> bi-directional flow data, that accounts for conversations, into
> RMON style data, that counts ingress and egress packets based on a
> layer 2 address.If you want to compare SNMP interface counters with
> Argus data, you will need to use any aggregator, such as racluster,
> ragator, or rabins, using the "rmon" mode, modifying the flow key
> to track one of the Mac addresses in the records. racluster -m smac
> -M rmon -r argus.data.fileNow the src and dst counters will look
> like interface egress and ingress counters, respectively.ragraph(),
> supports this style of aggregation. ragraph sbytes dbytes -t time
> 5s -m smac -M rmon -r argus.data.fileBUT, you will have to modify
> your argus.conf to enable ARGUS_GENERATE_MAC_DATA so that you have
> layer 2 information in your argus data.Carter
> >>
> >> Sent from my Verizon Wireless BlackBerry
> >> From: Reykjavik hindisvik <hindisvik at gmail.com>
> >> Date: Mon, 7 Jun 2010 12:23:23 +0200
> >> To: <carter at qosient.com>
> >> Cc:
> <argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu>;
> Argus<argus-info at lists.andrew.cmu.edu>
> >> Subject: Re: [ARGUS] Argus giving wrong bytes results ?
> >> Hello,
> >>
> >> Thank you for your answers. I have tried using sapp_bytes and
> dapp_bytes, the result downloading a file seems to be correct but
> it does not fix my issue : Outbound traffic is not really OK and
> Inbound is absolutely wrong (50Mb instead of 100Mb...)
> >>
> >> What I would like to do is tu use the result of racount -r
> xxx.xxx.xxx.xxx.ra to draw a graph with cacti.
> >> One problem is the ra file will be huge so I'm compelled to
> rotate it every 5 minutes, and I have to tell Cacti it's a Gauge
> data source, not a counter data source.
> >> Has anyone ever tried to do this?
> >> Is there a argus command which will be more appropriated than raccount ?
> >>
> >> Before using Argus I was using SNMP with InOctets and OutOctet,
> and on Linux deveices I was using Iptables+accounting (which was
> giving me a COUNTER type cacti value).
> >>
> >> Here is my agent server conf file :
> >>
> >> ARGUS_FLOW_TYPE="Bidirectional"
> >> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
> >> ARGUS_DAEMON=yes
> >> ARGUS_MONITOR_ID=`hostname`
> >> ARGUS_ACCESS_PORT=561
> >> ARGUS_INTERFACE=eth1
> >> ARGUS_SET_PID=yes
> >> ARGUS_PID_PATH="/var/run"
> >> ARGUS_FLOW_STATUS_INTERVAL=0.5
> >> ARGUS_MAR_STATUS_INTERVAL=60
> >> ARGUS_DEBUG_LEVEL=0
> >> ARGUS_GENERATE_RESPONSE_TIME_DATA=no
> >> ARGUS_GENERATE_PACKET_SIZE=no
> >> ARGUS_GENERATE_JITTER_DATA=no
> >> ARGUS_GENERATE_MAC_DATA=no
> >> ARGUS_GENERATE_APPBYTE_METRIC=yes
> >>
> >> Thanx you for your ideas, I'm a bit stuck...
> >>
> >> H.
> >>
> >>
> >> 2010/6/7 <<mailto:carter at qosient.com>carter at qosient.com>
> >> Also, Argus uses a different definition for source and
> destination since Argus works with flow data not interface data,
> and that can cause confusion.
> >>
> >> What are the differences that you are seeing? How are you
> running the client programs?
> >>
> >> Carter
> >>
> >> Sent from my Verizon Wireless BlackBerry
> >>
> >> ----------
> >> From: Reykjavik hindisvik
> <<mailto:hindisvik at gmail.com>hindisvik at gmail.com>
> >> Date: Sun, 6 Jun 2010 09:31:42 +0200
> >> To:
> <<mailto:argus-info at lists.andrew.cmu.edu>argus-info at lists.andrew.cmu.edu>
> >> Subject: [ARGUS] Argus giving wrong bytes results ?
> >>
> >> Hello,
> >>
> >> I would like to use argus to draw graph of bandwidth usage for
> our network. Today, I'm using SNMP which give me a graph of my
> bandwidth, and I've setup Argus which draw the same graph for the
> same Network Interface but does not give me the same results at all...
> >>
> >> I can't believe it's a bug but I bet it's just a different way
> to get the packets and maybe there's an option to get the same
> results as I have with SNMP.
> >>
> >> For example : When I download a 130Mb File, SNMP show me 130MB,
> but Argus show me much more (maybe be it includes size of header or
> something that SNMP don't...) and for me the result in the right.
> >> So my question is :
> >>
> >> 1) What does exactly makes the difference ?
> >> 2) Is there a way to get the same results (option or something...)
> >> 3) Maybe I can recount it after with a math formula to get the
> same results, but which formula ?
> >>
> >> Thanx for your ideas.
> >>
> >> Best regards,
> >>
> >> H.
> >>
> >
> > --------------------------------------------------------------------
> > Mike Tancsa, tel +1 519 651 3400
> > Sentex Communications, mike at sentex.net
> > Providing Internet since 1994 www.sentex.net
> > Cambridge, Ontario Canada www.sentex.net/mike
> >
> >
>
>Carter Bullard
>CEO/President
>QoSient, LLC
>150 E 57th Street Suite 12D
>New York, New York 10022
>
>+1 212 588-9133 Phone
>+1 212 588-9134 Fax
>
>
>
>
More information about the argus
mailing list