rasqlinsert data sometimes show negative values with the flow duration field
Javier Almillategui
jalmilla at gmu.edu
Wed Oct 13 17:00:55 EDT 2010
Hi Carter,
here is the description of one of my tables:
+-------+-----------------------+------+-----+---------+-------+
| Field | Type                  | Null | Key | Default | Extra |
+-------+-----------------------+------+-----+---------+-------+
| stime | double(18,6) unsigned | NO   | PRI | NULL    |       |
| srcid | varchar(64)           | YES  |     | NULL    |       |
| flgs  | varchar(32)           | YES  |     | NULL    |       |
| seq   | int(10) unsigned      | NO   | PRI | 0       |       |
| ltime | double(18,6) unsigned | NO   |     | NULL    |       |
| dur   | double(18,6)          | NO   |     | NULL    |       |
| proto | varchar(16)           | NO   |     | NULL    |       |
| saddr | varchar(64)           | NO   |     | NULL    |       |
| sport | varchar(10)           | NO   |     | NULL    |       |
| dir   | varchar(3)            | YES  |     | NULL    |       |
| daddr | varchar(64)           | NO   |     | NULL    |       |
| dport | varchar(10)           | NO   |     | NULL    |       |
| pkts  | bigint(20)            | YES  |     | NULL    |       |
| bytes | bigint(20)            | YES  |     | NULL    |       |
| state | varchar(32)           | YES  |     | NULL    |       |
| loss  | int(11)               | YES  |     | NULL    |       |
+-------+-----------------------+------+-----+---------+-------+
16 rows in set (0.05 sec)
I'm running MySQL server version 5.1.41-3ubuntu12.6 (Ubuntu),
and here is the query to verify the correctness of the data:
select m.dur, m.ltime-m.stime, m.ltime, m.stime from anondb.<RaTableX> m where dur < 0
I have attached the results as csv files
It looks to me like there are bad values in my argus data.
best,
Javier
On Oct 13, 2010, at 4:42 PM, Carter Bullard wrote:
> Hey Javier,
> Check the description of the schema that is created. Here is an example
> of one of my tables;
>
> % mysql
> mysql> desc inode;
> +--------+-----------------------+------+-----+---------+-------+
> | Field  | Type                  | Null | Key | Default | Extra |
> +--------+-----------------------+------+-----+---------+-------+
> | ltime  | double(18,6) unsigned | NO   |     | NULL    |       |
> | dur    | double(18,6)          | NO   |     | NULL    |       |
> | srcid  | varchar(64)           | NO   | PRI |         |       |
> | mean   | double                | YES  |     | NULL    |       |
> | inode  | varchar(64)           | NO   | PRI |         |       |
> | sttl   | tinyint(3) unsigned   | NO   | PRI | 0       |       |
> | pkts   | bigint(20)            | YES  |     | NULL    |       |
> | record | blob                  | YES  |     | NULL    |       |
> +--------+-----------------------+------+-----+---------+-------+
> 8 rows in set (0.04 sec)
>
> The dur is a signed double, which is pretty big. Can't imagine that your dur is rolling over.
> The dur is a calculated value (ltime - stime). What is the stime and ltime when
> you see the dur go negative?
>
> Carter
>
> On Oct 13, 2010, at 4:19 PM, Javier Almillategui wrote:
>
>> Hi all,
>>
>> Is there a possibility that argus will select a limited value for the duration field? I'm seeing that the duration data is sometimes a negative value for long-lasting flows.
>>
>> I have inserted the data with the following syntax:
>>
>> rasqlinsert -w mysql://argus:123456@localhost/anondb/masontap_test_%Y_%m_%d -r mason_tap_20100521_prepared.argus -s +2seq -s +3ltime -s +4dur -s +loss -s +1srcid -s -record -m none -M time 1d
>
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RaTable1.csv
Type: text/csv
Size: 566 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101013/623bfbc3/attachment.csv>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RaTable2.csv
Type: text/csv
Size: 458 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101013/623bfbc3/attachment-0001.csv>
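The check discussed in the thread (compare the stored dur with ltime - stime for rows where dur < 0), written out as an added example that is not part of the original messages. It uses an in-memory SQLite table in place of MySQL; the table name `flows`, the sample rows and the verdict labels are assumptions made for illustration.

```python
import sqlite3

# Constructed sample rows (stime, seq, ltime, dur); not data from the thread.
SAMPLE_ROWS = [
    (1274400000.100000, 1, 1274400005.600000, 5.5),    # consistent, positive
    (1274400010.000000, 2, 1274400008.000000, -2.0),   # ltime earlier than stime
    (1274400020.000000, 3, 1274403620.000000, -12.5),  # dur disagrees with timestamps
]


def load(rows):
    """Create a reduced version of the flow table (time columns only)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE flows (stime REAL NOT NULL, seq INTEGER NOT NULL, "
        "ltime REAL NOT NULL, dur REAL NOT NULL, PRIMARY KEY (stime, seq))"
    )
    db.executemany("INSERT INTO flows VALUES (?, ?, ?, ?)", rows)
    return db


def classify_negative_durations(db, tolerance=1e-5):
    """Return {seq: verdict} for every row whose stored dur is negative.

    'timestamps-out-of-order': dur equals ltime - stime, so the record's
        own timestamps are reversed and dur was computed faithfully.
    'stored-dur-mismatch': dur differs from ltime - stime, so the stored
        value is wrong even though the timestamps may be fine.
    """
    verdicts = {}
    query = (
        "SELECT seq, dur, ltime - stime FROM flows "
        "WHERE dur < 0 ORDER BY seq"
    )
    for seq, dur, computed in db.execute(query):
        if abs(dur - computed) <= tolerance:
            verdicts[seq] = "timestamps-out-of-order"
        else:
            verdicts[seq] = "stored-dur-mismatch"
    return verdicts


if __name__ == "__main__":
    for seq, verdict in classify_negative_durations(load(SAMPLE_ROWS)).items():
        print(seq, verdict)
```

The tolerance allows for double-precision rounding on epoch timestamps stored with microsecond resolution.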