Duration sum bug
Rafael Barbosa
rrbarbosa at gmail.com
Mon Mar 21 11:05:06 EDT 2011
racluster(), by default, aggregates all records with the same 5-tuple in a
single one. The resulting record has the start time of the first record and
the end time of the last one.
In your example the duration should be the end time of the last record (the
one with 96 bytes) minus the start time of the first one (with 213 bytes).
However, without the files you are using it is hard to say for sure.
Best regards,
Rafael Barbosa
http://www.vf.utwente.nl/~barbosarr/
On Mon, Mar 21, 2011 at 3:34 PM, Digital Ninja <dn1nj4 at gmail.com> wrote:
> I ran across something with racluster v3.0.2 & v3.0.4 that I can't
> quite explain and need some help. I have 9 different argus files. I
> am running racluster with the following options:
>
> racluster -M rmon -nn -c "," -m saddr proto sport -r <file> -L0 -s
> saddr proto sport sbytes dur dbytes - not arp
>
> When I run this command on the 9 files separately, for a single IP I
> get something like this:
>
> 1.2.3.4,17,53,289,0.47648,213
> 1.2.3.4,17,53,133,0.015667,117
> 1.2.3.4,17,53,133,0.014637,117
> 1.2.3.4,17,53,133,0.014608,117
> 1.2.3.4,17,53,133,0.015812,117
> 1.2.3.4,17,53,133,0.015056,117
> 1.2.3.4,17,53,133,0.015539,117
> 1.2.3.4,17,53,133,0.015089,117
> 1.2.3.4,17,53,133,0.015287,96
>
> Summing the bytes and duration columns up, I would expect the totals to be:
> 1.2.3.4,17,53,1376,0.169343,1128
>
> However, when I run racluster on all 9 files simultaneously (-r <file>
> <file> <file>...etc) I get the following results for the above data:
> 1.2.3.4,17,53,1376,79215.023438,1128
>
> What's going on with the duration field??
>
> Thanks in advance.
>
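To make the aggregation semantics concrete, here is a small model of what racluster does when it merges records that share the aggregation key (added example, not code from the Argus project or from either poster). The per-record durations and byte counts are taken from the nine per-file lines above; the absolute start timestamps are constructed (one record per hour) because the thread does not give them. The point it shows is that the merged record's duration is the span from the earliest start to the latest end, so it grows with the gap between the files rather than with the sum of the individual durations.

```python
# Added example (not part of the Argus project or of this thread): a toy
# model of how racluster merges records that share a key.
from dataclasses import dataclass


@dataclass
class Flow:
    """One flow record with the fields the thread's -s option selects."""
    saddr: str
    proto: int
    sport: int
    stime: float   # start time, epoch seconds
    ltime: float   # last (end) time, epoch seconds
    sbytes: int
    dbytes: int

    @property
    def dur(self) -> float:
        return self.ltime - self.stime


# Durations and byte counts from the nine per-file output lines in the post.
# The absolute timestamps are constructed: BASE is arbitrary and the records
# are placed one hour apart, as if each file covered a different hour.
BASE = 1_300_000_000.0
PER_FILE = [
    (0.47648, 289, 213), (0.015667, 133, 117), (0.014637, 133, 117),
    (0.014608, 133, 117), (0.015812, 133, 117), (0.015056, 133, 117),
    (0.015539, 133, 117), (0.015089, 133, 117), (0.015287, 133, 96),
]
FLOWS = [
    Flow("1.2.3.4", 17, 53, BASE + i * 3600, BASE + i * 3600 + dur, sb, db)
    for i, (dur, sb, db) in enumerate(PER_FILE)
]


def cluster(flows, key=lambda f: (f.saddr, f.proto, f.sport)):
    """Merge records with the same key the way racluster -m saddr proto sport
    does: earliest start, latest end, byte counters summed.  The duration of
    the result is the span covered, not the sum of the individual durations."""
    merged = {}
    for f in flows:
        k = key(f)
        if k not in merged:
            # copy, so the caller's records are left untouched
            merged[k] = Flow(f.saddr, f.proto, f.sport,
                             f.stime, f.ltime, f.sbytes, f.dbytes)
            continue
        m = merged[k]
        m.stime = min(m.stime, f.stime)
        m.ltime = max(m.ltime, f.ltime)
        m.sbytes += f.sbytes
        m.dbytes += f.dbytes
    return list(merged.values())


def sum_of_durations(flows) -> float:
    """What the poster expected: the dur column simply added up."""
    return sum(f.dur for f in flows)


if __name__ == "__main__":
    (m,) = cluster(FLOWS)
    print(f"sum of per-file durations : {sum_of_durations(FLOWS):.6f} s")
    print(f"clustered record duration : {m.dur:.6f} s  (last end - first start)")
    print(f"merged counters           : sbytes={m.sbytes} dbytes={m.dbytes}")
```

With records spaced an hour apart the clustered duration comes out as roughly eight hours (28800 s plus the last record's own duration) while the column sum stays well under a second; the byte counters, by contrast, are plain sums in both views. Whether a span of that size is plausible for your data depends on how far apart the capture files are in time, which is why the reply asks for the files.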