Duration sum bug

Carter Bullard carter at qosient.com
Mon Mar 21 13:26:51 EDT 2011


Sorry, hit the send key a little early and there was a missing '-'.
If the prior run looks reasonable, then take that output and cluster it without any
flow id keys:

   racluster -m srcid -r files -s stime ltime dur trans mean saddr dir daddr spkts dpkts - host 1.2.3.4

That should give you something that is also reasonable?
Carter

On Mar 21, 2011, at 1:19 PM, Carter Bullard wrote:

> Hmmm, it doesn't look like you have any bugs getting in your way,
> so you should be able to do what you want.  So what does this generate?
> 
>   racluster -r files -s stime ltime dur trans mean saddr dir daddr spkts dpkts  host 1.2.3.4
> 
> Do these numbers look reasonable?
> Carter
> 
> On Mar 21, 2011, at 12:56 PM, Digital Ninja wrote:
> 
>> Ok, so going back to what Rafael said about the 5-tuple aggregation...
>> When I run ra against the files with the following flags:
>> 
>> ra -nn -c "," -r <file> <file> <file> ... -L0 -s stime proto saddr dir
>> daddr dur sport dport - host 1.2.3.4
>> 
>> I get the following:
>> 
>> 03:57:23.529664,17,5.6.7.5,<->,1.2.3.4,0.014637,30416,53
>> 09:57:27.624699,17,5.6.7.5,<->,1.2.3.4,0.014608,29294,53
>> 12:57:29.660667,17,5.6.7.5,<->,1.2.3.4,0.015812,49771,53
>> 13:57:30.339190,17,5.6.7.5,<->,1.2.3.4,0.015056,6923,53
>> 14:57:31.030846,17,5.6.7.5,<->,1.2.3.4,0.015539,31211,53
>> 16:57:32.385680,17,5.6.7.5,<->,1.2.3.4,0.015089,14851,53
>> 18:57:33.772816,17,5.6.7.5,<->,1.2.3.4,0.015287,1052,53
>> 20:57:18:761336,17,5.6.7.5,<->,1.2.3.4,0.015414,6004,53
>> 20:57:18:793793,17,5.6.7.5,<->,1.2.3.4,0.015191,31141,53
>> 23:57:20.806478,17,5.6.7.5,<->,1.2.3.4,0.015667,30562,53
>> 
>> Eyeballing the total time from beginning to end looks to be ~20 hours,
>> with each connection actually lasting < .02 seconds.  The 72k seconds
>> from the racluster works out to about 22 hours, which would make sense
>> if there were overlaps in connection time, but there aren't.  What am
>> I missing here? Is there a way to get the aggregated results I
>> expected (in the original email) from racluster without summing them
>> external to argus?
>> 
>> Can it then be assumed, based on my racluster flags, that racluster is
>> aggregating all sessions for the 1.2.3.4 IP based on the 5-tuple of
>> 1.2.3.4:53 -> 0.0.0.0:0?
>> 
>> Thanks for all your help!
>> 
>> On Mon, Mar 21, 2011 at 11:05 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>> racluster(), by default, aggregates all records with the same 5-tuple in a
>>> single one. The resulting record has the start time of the first record and
>>> the end time of the last one.
>>> In your example the duration should be the end time of the last record (the
>>> one with 96 bytes) minus the start time of the first one (with 213 bytes).
>>> However, without the files you are using it is hard to say for sure.
>>> Best regards,
>>> Rafael Barbosa
>>> http://www.vf.utwente.nl/~barbosarr/
>>> 
>>> 
>>> On Mon, Mar 21, 2011 at 3:34 PM, Digital Ninja <dn1nj4 at gmail.com> wrote:
>>>> 
>>>> I ran across something with racluster v3.0.2 & v3.0.4 that I can't
>>>> quite explain and need some help.  I have 9 different argus files.  I
>>>> am running racluster with the following options:
>>>> 
>>>> racluster -M rmon -nn -c "," -m saddr proto sport -r <file> -L0 -s
>>>> saddr proto sport sbytes dur dbytes - not arp
>>>> 
>>>> When I run this command on the 9 files separately, for a single IP I
>>>> get something like this:
>>>> 
>>>> 1.2.3.4,17,53,289,0.47648,213
>>>> 1.2.3.4,17,53,133,0.015667,117
>>>> 1.2.3.4,17,53,133,0.014637,117
>>>> 1.2.3.4,17,53,133,0.014608,117
>>>> 1.2.3.4,17,53,133,0.015812,117
>>>> 1.2.3.4,17,53,133,0.015056,117
>>>> 1.2.3.4,17,53,133,0.015539,117
>>>> 1.2.3.4,17,53,133,0.015089,117
>>>> 1.2.3.4,17,53,133,0.015287,96
>>>> 
>>>> Summing the bytes and duration columns up, I would expect the totals to
>>>> be:
>>>> 1.2.3.4,17,53,1376,0.169343,1128
>>>> 
>>>> However, when I run racluster on all 9 files simultaneously (-r <file>
>>>> <file> <file>...etc) I get the following results for the above data:
>>>> 1.2.3.4,17,53,1376,79215.023438,1128
>>>> 
>>>> What's going on with the duration field??
>>>> 
>>>> Thanks in advance.
>>> 
>>> 
>> 
> 
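As an added illustration of the aggregation rule Rafael describes above (example code written for this page, not code from the thread or from argus itself), the following Python parses the ra output Digital Ninja posted and merges the records on the saddr/daddr/proto/dport key the way racluster is described as working: earliest stime, latest ltime, dur equal to the span between them rather than the sum of the parts. It assumes all ten records fall on the same day.

```python
import re
from collections import namedtuple

# Constructed sample: the ten DNS records quoted in the thread, in the column
# order of the posted ra command (stime proto saddr dir daddr dur sport dport);
# two lines carry a colon before the microseconds, as in the posted output.
RA_OUTPUT = """\
03:57:23.529664,17,5.6.7.5,<->,1.2.3.4,0.014637,30416,53
09:57:27.624699,17,5.6.7.5,<->,1.2.3.4,0.014608,29294,53
12:57:29.660667,17,5.6.7.5,<->,1.2.3.4,0.015812,49771,53
13:57:30.339190,17,5.6.7.5,<->,1.2.3.4,0.015056,6923,53
14:57:31.030846,17,5.6.7.5,<->,1.2.3.4,0.015539,31211,53
16:57:32.385680,17,5.6.7.5,<->,1.2.3.4,0.015089,14851,53
18:57:33.772816,17,5.6.7.5,<->,1.2.3.4,0.015287,1052,53
20:57:18:761336,17,5.6.7.5,<->,1.2.3.4,0.015414,6004,53
20:57:18:793793,17,5.6.7.5,<->,1.2.3.4,0.015191,31141,53
23:57:20.806478,17,5.6.7.5,<->,1.2.3.4,0.015667,30562,53
"""

Flow = namedtuple("Flow", "stime dur saddr daddr proto dport")

def parse_stime(text):
    """HH:MM:SS.uuuuuu (or the HH:MM:SS:uuuuuu variant above) -> seconds since
    midnight; assumes all records fall on the same day."""
    m = re.fullmatch(r"(\d\d):(\d\d):(\d\d)[.:](\d{6})", text)
    if not m:
        raise ValueError(f"unrecognised stime: {text!r}")
    h, mi, s, us = (int(g) for g in m.groups())
    return h * 3600 + mi * 60 + s + us / 1_000_000

def parse_ra(csv_text):
    flows = []
    for line in csv_text.splitlines():
        stime, proto, saddr, _dir, daddr, dur, _sport, dport = line.split(",")
        flows.append(Flow(parse_stime(stime), float(dur), saddr, daddr, int(proto), int(dport)))
    return flows

def cluster(flows, key=lambda f: (f.saddr, f.daddr, f.proto, f.dport)):
    """Merge records sharing a key as the thread describes racluster doing it:
    keep the earliest stime and the latest ltime (stime + dur), so the merged
    dur is the span between them.  The summed dur is kept for comparison."""
    agg = {}
    for f in flows:
        s, l, total, n = agg.get(key(f), (f.stime, f.stime + f.dur, 0.0, 0))
        agg[key(f)] = (min(s, f.stime), max(l, f.stime + f.dur), total + f.dur, n + 1)
    return {k: {"stime": s, "ltime": l, "dur": l - s, "dur_sum": t, "count": n}
            for k, (s, l, t, n) in agg.items()}
```

Run on the posted records, the merged dur comes out near 72,000 seconds (about 20 hours) while dur_sum is about 0.15 seconds, which is the discrepancy the thread is about.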
