fixes for argus-clients-3.0.4 rapath()

Carter Bullard carter at qosient.com
Fri Mar 18 11:56:35 EDT 2011


Gentle people,
Argus-3.0.4 has been out for a week, and I already have a few fixes for clients, of course.  If you
have an opinion on how we should provide these changes, whether patch files, or new
sub-releases (argus-clients-3.0.4.1), I am open to whatever.  I'd rather do that than "wait a year" for
each release cycle.

So what are the changes?

In particular, the RTT for a single-packet flow where an ICMP packet is the response
(type P1-P2 flow) is / was broken.  This is caused by code that fixed input timestamps.  Argus data
is fine, but any processing of the argus data would cause the RTT to go to zero for these flows.

This is important for rapath(), where you recover topology information from your argus data.

While fixing this problem, I added some new ways of printing out path information in rapath().

Here are some examples, reading an hourly file that contained 2 traceroutes from and to the same endpoints:

% rapath -A -r /tmp/ra.hourly.out

A -> B -> [C -> D] -> [E -> F -> G -> H -> I -> J -> K] -> [L -> M]

 Node            SrcAddr   Dir            DstAddr              Inode sTtl       Mean     StdDev        Max        Min  Trans 
  A         192.168.0.68    ->        128.2.42.10        192.168.0.1    1   0.000706   0.000055   0.000806   0.000625      6
  B         192.168.0.68    ->        128.2.42.10         10.22.96.1    2   0.008560   0.001136   0.009946   0.006942      6
  C         192.168.0.68    ->        128.2.42.10       208.59.246.1    3   0.009302   0.002173   0.013861   0.007692      6
  D         192.168.0.68    ->        128.2.42.10      207.172.15.92    4   0.010273   0.004480   0.020175   0.007444      6
  E         192.168.0.68    ->        128.2.42.10         4.71.190.9    5   0.008902   0.001298   0.011437   0.007695      6
  F         192.168.0.68    ->        128.2.42.10       4.69.138.222    6   0.010983   0.005946   0.024175   0.007698      6
  G         192.168.0.68    ->        128.2.42.10        4.69.132.89    7   0.014322   0.000833   0.015722   0.013444      6
  H         192.168.0.68    ->        128.2.42.10       4.69.134.144    8   0.014387   0.000872   0.016197   0.013621      6
  I         192.168.0.68    ->        128.2.42.10       4.69.134.128    9   0.014108   0.000512   0.015189   0.013686      6
  J         192.168.0.68    ->        128.2.42.10       4.69.135.241   10   0.024223   0.009878   0.046167   0.018183      6
  K         192.168.0.68    ->        128.2.42.10        4.49.108.46   11   0.020230   0.000223   0.020685   0.019940      6
  L         192.168.0.68    ->        128.2.42.10      128.2.255.249   12   0.023140   0.001388   0.025183   0.021183      6
  M         192.168.0.68    ->        128.2.42.10      128.2.255.192   13   0.025930   0.009400   0.046921   0.020682      6

I fixed the "-A" option that prints out the path diagram, added some new modes, and updated the man page.
We now have path-specific modes: 'node', 'asnode', 'aspath' and 'dist'.  These add additional information to the
path diagram output.  The default is 'node'.  Use the "-q" option to not print the per-hop flow data:

% rapath -A -qr /tmp/ra.hourly.out
A -> B -> [C -> D] -> [E -> F -> G -> H -> I -> J -> K] -> [L -> M]

In this situation, the brackets indicate nodes that are in the same origin AS.  This information is provided by the GeoIP databases.

% rapath -A -qr /tmp/ra.hourly.out -M addr
192.168.0.1 -> 10.22.96.1 -> [208.59.246.1 -> 207.172.15.92] -> [4.71.190.9 -> 4.69.138.222 -> 4.69.132.89 -> 4.69.134.144 -> 4.69.134.128 -> 4.69.135.241 -> 4.49.108.46] -> [128.2.255.249 -> 128.2.255.192]

% rapath -A -qr /tmp/ra.hourly.out -M aspath
A -> B -> AS6079 -> AS3356 -> AS9

% rapath -A -qr /tmp/ra.hourly.out -M aspath dist
A:1 -> B:2 -> AS6079:3-4 -> AS3356:5-11 -> AS9:12-13

% rapath -A -qr /tmp/ra.hourly.out -M aspath addr dist
192.168.0.1:1 -> 10.22.96.1:2 -> AS6079:3-4 -> AS3356:5-11 -> AS9:12-13

% rapath -A -qr /tmp/ra.hourly.out -M asnode
A -> B -> AS6079:[C -> D] -> AS3356:[E -> F -> G -> H -> I -> J -> K] -> AS9:[L -> M]

% rapath -A -qr /tmp/ra.hourly.out -M asnode addr dist
192.168.0.1 -> 10.22.96.1 -> AS6079:[208.59.246.1 -> 207.172.15.92] -> AS3356:[4.71.190.9 -> 4.69.138.222 -> 4.69.132.89 -> 4.69.134.144 -> 4.69.134.128 -> 4.69.135.241 -> 4.49.108.46] -> AS9:[128.2.255.249 -> 128.2.255.192]

Any suggestions on how to distribute the changes are most welcome.
Hopefully this is useful, and thanks for all the support !!!!

Carter
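As an added example (not Argus code and not part of the post), the following Python rebuilds the rapath "-A" path diagrams shown above from per-hop records. The hop addresses and TTLs are copied from the table in the post; the hop-to-ASN assignment is constructed here from the aspath output rather than looked up in GeoIP, and treating the two private first hops as having no origin AS is an assumption.

```python
# Added example (not Argus code): rebuild rapath's "-A" path diagrams from
# per-hop records for the -M modes shown in the post. The hop -> ASN mapping
# is constructed from the post's aspath output, not looked up in GeoIP.
from itertools import groupby

# (sTtl, inode address, origin ASN or None for unlabelled hops); constructed
# from the post's per-hop table, private first hops assumed to have no AS.
HOPS = [
    (1, "192.168.0.1", None), (2, "10.22.96.1", None),
    (3, "208.59.246.1", 6079), (4, "207.172.15.92", 6079),
    (5, "4.71.190.9", 3356), (6, "4.69.138.222", 3356),
    (7, "4.69.132.89", 3356), (8, "4.69.134.144", 3356),
    (9, "4.69.134.128", 3356), (10, "4.69.135.241", 3356),
    (11, "4.49.108.46", 3356),
    (12, "128.2.255.249", 9), (13, "128.2.255.192", 9),
]

def node_label(i, ttl, addr, modes):
    """Label one hop: a letter (default) or its address in 'addr' mode."""
    label = addr if "addr" in modes else chr(ord("A") + i)
    # In the post's output a ':ttl' suffix appears only with aspath + dist.
    return f"{label}:{ttl}" if {"aspath", "dist"} <= modes else label

def path_diagram(hops, modes=("node",)):
    """Render the hop list the way rapath -A prints it for the given modes."""
    modes = set(modes)
    parts = []
    # Consecutive hops sharing an origin AS form one bracketed group;
    # hops without an AS are printed bare.
    for asn, run in groupby(enumerate(hops), key=lambda t: t[1][2]):
        run = list(run)
        if asn is None:
            parts.extend(node_label(i, ttl, a, modes) for i, (ttl, a, _) in run)
        elif "aspath" in modes:
            # Collapse the whole AS to one node, with a TTL range in dist mode.
            span = f":{run[0][1][0]}-{run[-1][1][0]}" if "dist" in modes else ""
            parts.append(f"AS{asn}{span}")
        else:
            inner = " -> ".join(node_label(i, ttl, a, modes) for i, (ttl, a, _) in run)
            prefix = f"AS{asn}:" if "asnode" in modes else ""
            parts.append(f"{prefix}[{inner}]")
    return " -> ".join(parts)

if __name__ == "__main__":
    for m in (("node",), ("addr",), ("aspath",), ("aspath", "dist"),
              ("asnode",), ("asnode", "addr", "dist")):
        print(" ".join(m).ljust(18), path_diagram(HOPS, m))
```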

