Full docs about ra output?

Matt Brown matthewbrown at gmail.com
Fri May 25 18:31:24 EDT 2012


Here is a pastebin of some of the records I am talking about:
http://pastebin.com/c12KvNjk

I'm guessing, from your reply, that <? and ?> mean "I tried, some things
tell me that it goes in this direction, but I'm not 52-100% sure?"  Or is
that 52 a 99?

This is Skype traffic for sure.

Thanks for your assistance, Mark.


-Matt


On Thu, May 24, 2012 at 10:33 PM, Matt Brown <matthewbrown at gmail.com> wrote:

> Thanks Mark.
>
> I'll grab some stuff out of the DB I populated and reply to this thread.
>
> I'm really focusing on creating a variety of macro views and trying to
> figure out how to consider 'dir' in those derived views.
>
> I'm currently focused on the easy stuff as pivot points, source and
> destination: bytes, packet count, address and port. But I am interested in
> leveraging other parts of the DSR as well, if they are useful. (Am I using
> DSR right?)
>
> I'll spend more time reviewing other threads as well as the NSMwiki, but
> any further examples of how people create macro views of the data, versus
> considering solely 'dir,' would be appreciated.
>
>
> Thanks,
>
> Matt
>
>
>
> On Thu, May 24, 2012 at 9:39 PM, Mark Poepping <poepping at cmu.edu> wrote:
>
>> Taking a stab (trying to relieve Carter of some of the burden)…
>>
>> For directionality specifically, if it’s a well-defined protocol and
>> argus saw most (if not all) of the packets from the beginning, it will know
>> the direction, but there are many examples of ordinary and hybrid protocols
>> where you won’t necessarily know the direction in all cases: peer-to-peer,
>> ICMP, UDP can all make it hard to understand direction – or direction might
>> not have meaning.  Packet loss (esp. packet sampling) often causes this
>> output, and multi-path routing will ‘look like’ packet loss too, depending
>> on where you’re watching and how your paths are advertised or have evolved
>> over time.
>>
>> On a simple, lightly loaded network (my house), long-running argus probes
>> generally get the directionality right.
>>
>> At my work, it’s not so simple so it helps to interact with questions
>> that we have for the data and considerations of probe location and
>> efficiency given the use cases.
>>
>> Hope that helps some, it takes a little getting used to.  If you have
>> specific questions or confusions, it does help to snap a packet capture
>> that displays your confusion – that way others may be able to work with them
>> directly and try to help you (with no explicit promises, of course).
>>
>> Mark.
>>
>> From: argus-info-bounces+poepping=cmu.edu at lists.andrew.cmu.edu [mailto:
>> argus-info-bounces+poepping=cmu.edu at lists.andrew.cmu.edu] On Behalf Of Matt
>> Brown
>> Sent: Thursday, May 24, 2012 9:00 PM
>> To: argus-info at lists.andrew.cmu.edu
>> Subject: [ARGUS] Full docs about ra output?
>>
>> Hello,
>>
>> I see the man page for ra, but it seems lacking for some DSR value
>> output.  For instance, there are some things that aren't implicit, but
>> appear like they should/were intended to be.
>>
>> Specifically, I see this with 'dir's possible values.
>>
>> The cases of confusion are <? and ?>.  How can argus "not" know the
>> direction of the transaction "sort of?"
>>
>> Thanks,
>>
>> Matt
>>
>
>