Output without Ethernet headers?
Carter Bullard
carter at qosient.com
Wed Oct 26 08:06:39 EDT 2011
Hey Ricardo,
The idea was that for headers that were of constant size, the data user could subtract the constant from the total bytes to get the answer. For ethernet its, what, 14 bytes per packet. With VLAN headers its 16, PPP i can never remember, but sems like it 4? IPv4 GRE is, what, 8. But they are constant.
But for those that are variable length, this doesn't work, so what to do? Didn't seem reasonable to report the sizes of every encapsulation, as that adds a lot of data to the argus record.
We decided to provide 2 sets of byte counts, total and transport payload, the "app" bytes. This is what network engineers would use to calculate efficency, (app bytes / total bytes), and when the user bytes don't include retransmissions, the successful app bytes is the metric to use to calculate "goodput".
That is our rationale. You can derive metrics like this:
ethernetPayload = bytes - (pkts * 14);
totalHeaderBytes = bytes - appbytes;
networkCost = ( bytes - appbytes ) / bytes;
throughPut = bytes / dur; ( load )
goodPut = appbytes / dur;
What are you going to do with your number?
Carter
On Oct 26, 2011, at 4:42 AM, Ricardo S <super.ismiti at gmail.com> wrote:
> Hello all,
>
> I have a simple question, but reading the manuals I couldn't figure
> out how to solve it. On summing the bytes of a flow, Argus considers
> the Ethernet header, right? If so, how could I remove Ethernet header
> from the total of bytes? Is there any filter expression that would do
> it? I would like to have only the sum of IP headers in the field
> "bytes".
>
> Thanks,
> Ricardo.
>
More information about the argus
mailing list