Duration sum bug -- RESOLVED

John Gerth gerth at graphics.stanford.edu
Tue Mar 29 20:12:28 EDT 2011


On 3/29/2011 7:30 AM, Digital Ninja wrote:
> After a week of offline discussion, Carter has helped me better
> understand what was going on.  I wanted to post a summary of the
> findings back to the list.
> 
> First and foremost, I was sorting by local timestamp, which did not
> include the date.  As a result, my transactions (which spanned over a
> 24 hour period) were out of order.  Leveraging the -u field for epoch
> time output would have fixed this.
> 
> Second, what I thought was a "duration bug" was argus behaving as
> designed.  In argus, duration is defined as the difference between the
> start time of the first packet and the end time of the last packet.
> This was the source of the 79k second duration, and is accurate when
> viewed in light of the aforementioned definition.
> 
> Third, the value I was looking for was a sum of individual durations
> for each transaction, which could have been calculated by the
> following formula and existing argus fields: (trans * mean).
> 
> Finally, Carter is working to add this value to the aggregated record
> by default under the field label of "runtime".   I believe he said it
> will be available in 3.0.5.2. (Carter please correct me if I'm wrong).
> 
> Again, thanks to everyone who helped in this.  I learned a great deal
> about argus.
> 
 Dang...too bad that as an addition, the sum of durations can't use "duration" as
 that seems to me a congenial term since in an aggregation the "runtime" represents
 the sum of the active intervals over each flow report.  The current aggregate
 for "duration" is more like a span or timespan since for any connection of
 significant length, it will only be trivially less than the difference of the
 start time of the first report and endtime of the last and says nothing
 about the distribution within the intervening reports.

 However, I understand that backwards compatibility must win and I've tried
 and failed to think of a better word than "runtime".
-- 
John Gerth      gerth at graphics.stanford.edu  Gates 378   (650) 725-3273  fax 723-0033
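
The distinction discussed in this thread, as an added example (not part of the original messages and not Argus code): it computes the aggregate "duration" as a span, the sum of per-report durations via trans * mean, and shows how sorting by time of day without the date misorders reports that cross midnight. The report values, function names and dictionary keys are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed flow reports for one connection: (start epoch seconds, duration seconds).
# The first report starts late on 2011-03-28 UTC; the rest fall on the next day.
REPORTS = [
    (1301353200.0, 4.0),   # 2011-03-28 23:00:00 UTC
    (1301360400.0, 2.5),   # 2011-03-29 01:00:00 UTC
    (1301396400.0, 6.0),   # 2011-03-29 11:00:00 UTC
    (1301432200.0, 1.5),   # 2011-03-29 20:56:40 UTC
]

def time_of_day(epoch):
    """Timestamp without the date, like the local-time sort key from the thread."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%H:%M:%S")

def order_by_time_of_day(reports):
    """The faulty sort: anything before midnight lands after the next day's reports."""
    return sorted(reports, key=lambda r: time_of_day(r[0]))

def order_by_epoch(reports):
    """The correct sort: epoch seconds carry the date."""
    return sorted(reports, key=lambda r: r[0])

def aggregate(reports):
    """Aggregate one connection's reports (hypothetical helper, not an Argus API)."""
    trans = len(reports)
    first_start = min(start for start, _ in reports)
    last_end = max(start + dur for start, dur in reports)
    runtime = sum(dur for _, dur in reports)
    return {
        "trans": trans,
        "span": last_end - first_start,  # what the aggregate "duration" reports
        "mean": runtime / trans,         # mean duration per report
        "runtime": runtime,              # sum of the active intervals
    }

if __name__ == "__main__":
    agg = aggregate(REPORTS)
    print("span (aggregate duration):", agg["span"])
    print("trans * mean             :", agg["trans"] * agg["mean"])
    print("runtime                  :", agg["runtime"])
    print("time-of-day order:", [time_of_day(s) for s, _ in order_by_time_of_day(REPORTS)])
    print("epoch order      :", [time_of_day(s) for s, _ in order_by_epoch(REPORTS)])
```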


