Output without Ethernet headers?
Carter Bullard
carter at qosient.com
Wed Oct 26 09:33:48 EDT 2011
You have to configure argus to provide the appbytes, using the argus.conf file.
Carter
On Oct 26, 2011, at 9:05 AM, Ricardo S wrote:
> Hi Carter,
>
> Thanks for replying. I want to have the total bytes transmitted in
> unidirectional flows to calculate the total bandwidth used in a period
> of time. So, I tested the appbytes. I did a small test, with 10
> packets only. The result is composed by 18 flows. My output was:
>
> # ra -r ARGUS-FILE.argus -M rmon -s stime ltime saddr daddr spkts
> sbytes sappbytes
>
> 18:35:01.691172 18:35:01.691318 13.21.18.5 13.21.21.16
> 2 3028 0
> 18:35:01.691172 18:35:01.691318 13.21.21.16 13.21.18.5
> 0 0 0
> 18:35:01.691174 18:35:01.691174 13.21.18.25 20.9.2.23
> 1 1514 0
> 18:35:01.691174 18:35:01.691174 20.9.2.23 13.21.18.25
> 0 0 0
> 18:35:01.691176 18:35:01.691176 13.21.18.8 13.21.23.23
> 1 1514 0
> 18:35:01.691176 18:35:01.691176 13.21.23.23 13.21.18.8
> 0 0 0
> 18:35:01.691177 18:35:01.691177 13.21.3.17 13.21.18.4
> 1 60 0
> 18:35:01.691177 18:35:01.691177 13.21.18.4 13.21.3.17
> 0 0 0
> 18:35:01.691178 18:35:01.691178 1.3.7.20 13.21.18.9
> 1 69 0
> 18:35:01.691178 18:35:01.691178 13.21.18.9 1.3.7.20
> 0 0 0
> 18:35:01.691179 18:35:01.691179 21.1.1.3 13.21.18.19
> 1 1462 0
> 18:35:01.691179 18:35:01.691179 13.21.18.19 21.1.1.3
> 0 0 0
> 18:35:01.691320 18:35:01.691320 13.21.19.11 13.4.17.20
> 1 60 0
> 18:35:01.691320 18:35:01.691320 13.4.17.20 13.21.19.11
> 0 0 0
> 18:35:01.691321 18:35:01.691321 13.21.18.13 13.21.23.16
> 1 1514 0
> 18:35:01.691321 18:35:01.691321 13.21.23.16 13.21.18.13
> 0 0 0
> 18:35:01.691322 18:35:01.691322 13.21.19.14 21.16.10.19
> 1 1514 0
> 18:35:01.691322 18:35:01.691322 21.16.10.19 13.21.19.14
> 0 0 0
>
> Is my ra command wrong? Because, as you can see, my sappbytes column
> is all 0 (zeros).
>
> Thanks and regards,
> Ricardo.
>
>
>
> On Wed, Oct 26, 2011 at 2:06 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Ricardo,
>> The idea was that for headers that were of constant size, the data user could subtract the constant from the total bytes to get the answer. For ethernet its, what, 14 bytes per packet. With VLAN headers its 16, PPP i can never remember, but sems like it 4? IPv4 GRE is, what, 8. But they are constant.
>>
>> But for those that are variable length, this doesn't work, so what to do? Didn't seem reasonable to report the sizes of every encapsulation, as that adds a lot of data to the argus record.
>>
>> We decided to provide 2 sets of byte counts, total and transport payload, the "app" bytes. This is what network engineers would use to calculate efficency, (app bytes / total bytes), and when the user bytes don't include retransmissions, the successful app bytes is the metric to use to calculate "goodput".
>>
>> That is our rationale. You can derive metrics like this:
>>
>> ethernetPayload = bytes - (pkts * 14);
>> totalHeaderBytes = bytes - appbytes;
>> networkCost = ( bytes - appbytes ) / bytes;
>> throughPut = bytes / dur; ( load )
>> goodPut = appbytes / dur;
>>
>> What are you going to do with your number?
>>
>> Carter
>>
>> On Oct 26, 2011, at 4:42 AM, Ricardo S <super.ismiti at gmail.com> wrote:
>>
>>> Hello all,
>>>
>>> I have a simple question, but reading the manuals I couldn't figure
>>> out how to solve it. On summing the bytes of a flow, Argus considers
>>> the Ethernet header, right? If so, how could I remove Ethernet header
>>> from the total of bytes? Is there any filter expression that would do
>>> it? I would like to have only the sum of IP headers in the field
>>> "bytes".
>>>
>>> Thanks,
>>> Ricardo.
>>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4367 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20111026/03c3b859/attachment.bin>
More information about the argus
mailing list