Full docs about ra output?

Matt Brown matthewbrown at gmail.com
Thu May 24 22:33:07 EDT 2012


Thanks Mark.

I'll grab some stuff out of the DB I populated and reply to this thread.

I'm really focusing on creating a variety of macro views and trying to
figure out how to consider 'dir' in those derived views.

I'm currently focused on the easy stuff as pivot points, source and
destination: bytes, packet count, address and port. But I am interested in
leveraging other parts of the DSR as well, if they are useful. (Am I using
DSR right?)

I'll spend more time reviewing other threads as well as the NSMwiki, but
any further examples of how people create macro views of the data, versus
considering solely 'dir,' would be appreciated.


Thanks,

Matt


On Thu, May 24, 2012 at 9:39 PM, Mark Poepping <poepping at cmu.edu> wrote:

> Taking a stab (trying to relieve Carter of some of the burden)…
>
> For directionality specifically, if it’s a well-defined protocol and argus
> saw most (if not all) of the packets from the beginning, it will know the
> direction, but there are many examples of ordinary and hybrid protocols
> where you won’t necessarily know the direction in all cases: peer-to-peer,
> ICMP, UDP can all make it hard to understand direction – or direction might
> not have meaning.  Packet loss (esp. packet sampling) often causes this
> output, and multi-path routing will ‘look like’ packet loss too, depending
> on where you’re watching and how your paths are advertised or have evolved
> over time.
>
> On a simple, lightly loaded network (my house), long-running argus probes
> generally get the directionality right.
>
> At my work, it’s not so simple so it helps to interact with questions that
> we have for the data and considerations of probe location and efficiency
> given the use cases.
>
> Hope that helps some, it takes a little getting used to.  If you have
> specific questions or confusions, it does help to snap a packet capture
> that displays your confusion – that way others may be able to work with them
> directly and try to help you (with no explicit promises, of course).
>
> Mark.
>
> *From:* argus-info-bounces+poepping=cmu.edu at lists.andrew.cmu.edu [mailto:
> argus-info-bounces+poepping=cmu.edu at lists.andrew.cmu.edu] *On Behalf Of *Matt
> Brown
> *Sent:* Thursday, May 24, 2012 9:00 PM
> *To:* argus-info at lists.andrew.cmu.edu
> *Subject:* [ARGUS] Full docs about ra output?
>
> Hello,
>
> I see the man page for ra, but it seems lacking for some DSR value
> output.  For instance, there are some things that aren't implicit, but
> appear like they should/were intended to be.
>
> Specifically, I see this with 'dir's possible values.
>
> The cases of confusion are <? and ?>.  How can argus "not" know the
> direction of the transaction "sort of?"
>
> Thanks,
>
> Matt
>
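
Added example, not part of the thread and not code from the argus project: one way to build a macro view that takes 'dir' into account, summing packets and bytes per endpoint pair and treating records whose direction is `<?` or `?>` as undirected. The CSV column layout, the sample records and the reading of `<-` as "right-hand address initiated" are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records (not from the thread). The CSV column layout is
# an assumption about how the flow records were exported.
SAMPLE = """saddr,sport,dir,daddr,dport,pkts,bytes
10.0.0.5,51000,->,192.0.2.10,443,12,3400
192.0.2.10,443,<-,10.0.0.5,51001,8,2100
10.0.0.5,6881,<?,198.51.100.7,6881,4,600
198.51.100.7,6881,?>,10.0.0.5,6881,6,900
"""

UNCERTAIN = {"<?", "?>"}  # the two 'dir' values asked about in the thread


def macro_view(text):
    """Sum flows, packets and bytes per endpoint pair.

    Known direction: key is ("directed", initiator, responder).
    Uncertain direction: key is ("undirected", addr_low, addr_high), so both
    orderings of the same peers fall into one bucket and no initiator is claimed.
    """
    totals = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(text)):
        direction = row["dir"].strip()
        src, dst = row["saddr"], row["daddr"]
        if direction in UNCERTAIN:
            key = ("undirected", *sorted((src, dst)))
        elif direction == "<-":
            # Assumption: "<-" means the right-hand address initiated.
            key = ("directed", dst, src)
        else:
            key = ("directed", src, dst)
        bucket = totals[key]
        bucket["flows"] += 1
        bucket["pkts"] += int(row["pkts"])
        bucket["bytes"] += int(row["bytes"])
    return dict(totals)


if __name__ == "__main__":
    for key, stats in sorted(macro_view(SAMPLE).items()):
        print(key, stats)
```

Keeping the undirected buckets separate lets a report show how much traffic has no trustworthy initiator, instead of silently attributing it to whichever side appeared in the source column.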