Full docs about ra output?
Carter Bullard
carter at qosient.com
Sat May 26 13:57:02 EDT 2012
Hey Matt,
Sorry for the really delayed response, I've been traveling, and still am.
I'll send a detailed response after Monday, but Mark is on the right track.
The '?' means we don't know the originator, and the arrows will indicate
the direction of traffic relative to that symbol.
Carter
On May 25, 2012, at 6:31 PM, Matt Brown wrote:
> Here is a pastebin of some of the records I am talking about:
> http://pastebin.com/c12KvNjk
>
> I'm guessing, from your reply, that <? and ?> mean "I tried, some things tell me that it goes in this direction, but I'm not 52-100% sure?" Or is that 52 a 99?
>
> This is skype traffic for sure.
>
> Thanks for your assistance, Mark.
>
>
> -Matt
>
>
> On Thu, May 24, 2012 at 10:33 PM, Matt Brown <matthewbrown at gmail.com> wrote:
> Thanks Mark.
>
> I'll grab some stuff out of the DB I populated and reply to this thread.
>
> I'm really focusing on creating a variety of macro views and trying to figure out how to consider 'dir' in those derived views.
>
> I'm currently focused on the easy stuff as pivot points, source and destination: bytes, packet count, address and port. But I am interested in leveraging other parts of the DSR as well, if they are useful. (am I using DSR right?)
>
> I'll spend more time reviewing other threads as well as the NSMwiki, but any further examples of how people create macro views of the data, versus considering solely 'dir,' would be appreciated.
>
>
> Thanks,
>
> Matt
>
>
>
> On Thu, May 24, 2012 at 9:39 PM, Mark Poepping <poepping at cmu.edu> wrote:
> Taking a stab (trying to relieve Carter of some of the burden)…
>
> For directionality specifically, if it’s a well-defined protocol and argus saw most (if not all) of the packets from the beginning, it will know the direction, but there are many examples of ordinary and hybrid protocols where you won’t necessarily know the direction in all cases: peer-to-peer, ICMP, UDP can all make it hard to understand direction – or direction might not have meaning. Packet loss (esp. packet sampling) often causes this output, and multi-path routing will ‘look like’ packet loss too, depending on where you’re watching and how your paths are advertised or have evolved over time.
>
> On a simple, lightly loaded network (my house), long-running argus probes generally get the directionality right.
>
> At my work, it’s not so simple so it helps to interact with questions that we have for the data and considerations of probe location and efficiency given the use cases.
>
> Hope that helps some, it takes a little getting used to. If you have specific questions or confusions, it does help to snap a packet capture that displays your confusion – that way others may work with them directly and try to help you (with no explicit promises, of course).
>
> Mark.
>
> From: argus-info-bounces+poepping=cmu.edu at lists.andrew.cmu.edu [mailto:argus-info-bounces+poepping=cmu.edu at lists.andrew.cmu.edu] On Behalf Of Matt Brown
> Sent: Thursday, May 24, 2012 9:00 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: [ARGUS] Full docs about ra output?
>
> Hello,
>
> I see the man page for ra, but it seems lacking for some DSR value output. For instance, there are some things that aren't implicit, but appear like they should/were intended to be.
>
> Specifically, I see this with 'dir's possible values.
>
> The cases of confusion are <? and ?>. How can argus "not" know the direction of the transaction "sort of?"
>
> Thanks,
>
> Matt
>
>
>
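One way to act on Carter's reading of the dir field ('?' marks an unknown originator, the arrow gives direction relative to it) and on Mark's point that unknown direction often signals peer-to-peer traffic, packet loss, sampling or asymmetric paths: build the kind of macro view Matt asked about, keyed on whether the originator is known. This is an added example, not argus/ra code; it assumes ra was run as `ra -c ',' -s stime proto saddr sport dir daddr dport sbytes dbytes` (the field order is this example's assumption) and the records below are constructed.

```python
"""Macro view of argus 'ra' records keyed on whether the originator is known.

Added example, not argus/ra code. Assumes ra was run with
-c ',' -s stime proto saddr sport dir daddr dport sbytes dbytes
(field order is an assumption of this example; records are constructed).
"""
from collections import defaultdict

# Constructed sample records, not real ra output.
SAMPLE = """\
2012-05-24 21:00:01,tcp,10.0.0.5,51234,->,93.184.216.34,443,1200,5400
2012-05-24 21:00:02,udp,10.0.0.5,40000,<?,203.0.113.9,12350,900,0
2012-05-24 21:00:03,udp,203.0.113.9,12350,?>,10.0.0.5,40000,0,640
2012-05-24 21:00:04,tcp,10.0.0.7,52000,<->,198.51.100.20,80,300,2200
2012-05-24 21:00:05,udp,10.0.0.5,40001,<->,198.51.100.44,53,70,150
"""

def parse_dir(token):
    """Split a dir token: '?' means argus could not determine the originator;
    the remaining arrow characters give direction relative to that symbol."""
    token = token.strip()
    return {"originator_known": "?" not in token,
            "arrow": token.replace("?", "")}

def parse_record(line):
    f = line.split(",")
    if len(f) != 9:
        raise ValueError("unexpected field count: %r" % line)
    rec = {"proto": f[1], "saddr": f[2], "daddr": f[5],
           "sbytes": int(f[7]), "dbytes": int(f[8])}
    rec.update(parse_dir(f[4]))
    return rec

def originator_view(text):
    """Per protocol: flow count, total bytes, and the share of flows whose
    originator is unknown. A high unknown share is the symptom Mark
    describes and is worth checking before trusting src/dst pivots."""
    stats = defaultdict(lambda: {"flows": 0, "unknown": 0, "bytes": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_record(line)
        s = stats[r["proto"]]
        s["flows"] += 1
        s["bytes"] += r["sbytes"] + r["dbytes"]
        if not r["originator_known"]:
            s["unknown"] += 1
    for s in stats.values():
        s["unknown_share"] = s["unknown"] / s["flows"]
    return dict(stats)
```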