ragraph load or bytes to compute bandwidth

Carter Bullard carter at qosient.com
Sat Jul 21 14:49:21 EDT 2012 

Hey Jean-marc,
Load is bits / sec, so its ((sbytes * 8) / dur) or ((dbytes * 8)  / dur) or ((bytes * 8) / dur) for sload, dload and load respectively.
When a status record only has one (1) packet, there won't  be a duration, so the load is zero, but when you
aggregate the records, then presumably you'll get durations.

To validate the values, print out the sbytes, dbytes, and dur, when you print the aggregated values and compare that with the sload and dload values.
Rate is basically packets / sec, and the same principles apply.

You can run rabins() with some of the parameters you're passing to see what the values should / could be:
   rabins -s stime proto dport dur sbytes sload dbytes dload -m proto dport -M 1s -r files....  - filter

If you want to see where the graph has zero, add " -M zero " so that rabins will generate data when there are no flows.
Hope this helps !!!!

Carter

On Jul 20, 2012, at 7:04 PM, jeanmarc pouchoulon wrote:

> hi argus list,
> 
> I try to get cumulate network bandwidth for all protocols connected to mail using
> 
> ragraph dload sload dport  -m proto dport -M 1s -r ./argus_08\:00\:00.gz -r ./argus_09\:00\:00.gz   -w ./mess_2012_01_03_08_a10h_dload_sload_dport.png -  dst port 110 or  dst port 995 or  ....
> and
> ragraph dbytes sbytes dport  -m proto dport -M 1s -r ./argus_08\:00\:00.gz -r ./argus_09\:00\:00.gz   -w ./mess_2012_01_03_08_a10h_dload_sload_dport.png -  port 110 or  dst port 995 or dst   port 587 or ...
> 
> Resulting graphs differ.
> Can I use sload/dload with ragraph to compute cumulative bandwidth?
> 
> I try but I don't understand how load is aggregating with racluster.
> 
> On a single flow , I am not able to understand how is computed load.
> 
>     StartTime      Flgs  Proto sCo            SrcAddr  Sport   Dir dCo            DstAddr  Dport  TotPkts   TotBytes State   Load
> 08:07:10.148000 Ne           tcp  TN          197.0.1.1.32024     ->  US          100.0.1.1.smtp         16      12895   ACC  4868.12*
> 08:07:49.084000 Ne           tcp  TN          197.0.1.1.32024     ?>  US          100.0.1.1.smtp          1       1350   CON  0.000000
> 08:08:27.226000 Ne           tcp  TN          197.0.1.1.32024     ?>  US          100.0.1.1.smtp          1       1350   CON  0.000000
> 08:09:11.309000 Ne           tcp  TN          197.0.1.1.32024 <?   US          100.0.1.1.smtp          2        185   FIN  0.000000
> 08:09:11.345000 Ne           tcp  TN          197.0.1.1.32024     ?>  US          100.0.1.1.smtp          1         52   CON  0.000000
> 
> aggregating by dport :
> 
> StartTime      Flgs            Proto sCo       SrcAddr  Sport          Dir dCo            DstAddr        Dport  TotPkts   TotBytes State          SrcLoad  DstLoad        Dur             RunTime
> 08:07:10.148000 Ne           tcp  TN          197.0.1.1.41520     ->  US                 100.0.1.1.smtp         21      15832   FIN      1032.830811 12.2115* 121.196999  19.868000
> 
> 
> thanks for your insight
> 
> jean-marc
> 
> 
> 
> 
> 
> 
> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2589 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120721/f08930ea/attachment.bin>

More information about the argus mailing list