rahisto and 'dur'

Carter Bullard carter at qosient.com
Tue Apr 9 11:11:42 EDT 2013


Hey Jim,
' dur ' is just ( ltime - stime ).  Argus flow status records, by default, have 2 time stamps, the microsecond or nanosecond timestamp of the start and last packet seen that belonged to this flow. These are the ' stime ' and ' ltime ' metrics.  Because argus is a bi-directional flow monitor, it can also provide start and last timestamps for packet streams in both directions, if you configure it to do so.  These are the ' sstime ' and ' sltime ' for the start and last timestamps for packets going in the src -> dst direction, and the ' dstime ' and ' dltime ' for packets going in the dst -> src direction.  

With bi-directional time stamps turned on, you get 3 duration metrics, ' dur ', ' sdur ' and ' ddur '.  These metrics are calculated as:

   dur = ( max(sltime, dltime) - min(sstime,dstime))
  sdur = ( sltime - sstime )
  ddur = ( dltime - dstime )

Argus records are bi-directional flow " status " records, so no primitive record, unmodified right out of argus, should have a duration greater than the ARGUS_FLOW_STATUS_INTERVAL.  If you want the duration of transactions that live longer than the status interval, you need to merge the status records to create transaction records, using racluster().  

For most internet protocols, ARP, DNS, and web browsing, the transaction is shorter than 5 seconds, that's why I use 5 sec for my status interval, and I don't generally need to cluster the data to get my duration metrics.  There are cases where you want to run argus with a status interval less than 1 second ( argus can do microsecond intervals ) and you do need to really use racluster() like programs to use that type of data for transaction tracking.
 
Racluster(), like argus(), has a lot of protocol knowledge to get the transaction model right.

If you have any questions, don't hesitate to use the list !!!

Hope all is most excellent,

Carter


On Apr 8, 2013, at 8:09 PM, "James A. Robinson" <jimr at highwire.stanford.edu> wrote:

> Hi folks,
> 
> Would someone here be able to point me at the manuals which discuss
> how argus determines 'dur' (record total duration)?  There is an
> interesting looking example in the rahisto manual:
> 
>  % rahisto -H dur 10 -r ~/argus/data/argus*out.gz - port http
> 
> I'd have assumed that understanding how to compute 'dur' requires
> protocol specific knowledge?
> 
> (I'm curious about measuring client/server request/response times for a
> memcached cluster)
> 
> Jim
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> James A. Robinson                       jimr at highwire.stanford.edu
> HighWire | Stanford University          http://highwire.stanford.edu/
> +1 650 7237294 (Work)                   +1 650 7259335 (Fax)
> 
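The three duration formulas in Carter's reply, and the status-record merge he says racluster() has to do before 'dur' can exceed the status interval, worked through in a small Python script. This is an added example, not argus or racluster() code; the record layout, the 5 second ARGUS_FLOW_STATUS_INTERVAL and the sample flows (a memcached-style TCP session split into three status records, one DNS lookup, one unanswered SYN) are all constructed for illustration, and only timestamps are merged, not packet or byte counters.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Assumed ARGUS_FLOW_STATUS_INTERVAL in seconds (5 s, as in the mail above).
STATUS_INTERVAL = 5.0

FlowKey = Tuple[str, int, str, int, str]


@dataclass
class FlowStatus:
    """Simplified bi-directional argus flow status record (constructed shape).
    Timestamps are seconds as floats; a None pair means no packet was seen
    in that direction within this record."""
    saddr: str
    sport: int
    daddr: str
    dport: int
    proto: str
    sstime: Optional[float]  # first packet, src -> dst
    sltime: Optional[float]  # last packet,  src -> dst
    dstime: Optional[float]  # first packet, dst -> src
    dltime: Optional[float]  # last packet,  dst -> src

    @property
    def key(self) -> FlowKey:
        return (self.saddr, self.sport, self.daddr, self.dport, self.proto)

    @property
    def stime(self) -> float:
        """Flow start: earliest first-packet time in either direction."""
        return min(t for t in (self.sstime, self.dstime) if t is not None)

    @property
    def ltime(self) -> float:
        """Flow end: latest last-packet time in either direction."""
        return max(t for t in (self.sltime, self.dltime) if t is not None)


def dur(r: FlowStatus) -> float:
    # dur = max(sltime, dltime) - min(sstime, dstime)
    return r.ltime - r.stime


def sdur(r: FlowStatus) -> Optional[float]:
    # sdur = sltime - sstime; undefined if nothing was seen src -> dst
    if r.sstime is None or r.sltime is None:
        return None
    return r.sltime - r.sstime


def ddur(r: FlowStatus) -> Optional[float]:
    # ddur = dltime - dstime; undefined if nothing was seen dst -> src
    if r.dstime is None or r.dltime is None:
        return None
    return r.dltime - r.dstime


def over_interval(records: List[FlowStatus],
                  interval: float = STATUS_INTERVAL) -> List[FlowStatus]:
    """Primitive argus output should never hold a record with dur > interval;
    anything returned here was merged or did not come straight from argus."""
    return [r for r in records if dur(r) > interval + 1e-9]


def _omin(a: Optional[float], b: Optional[float]) -> Optional[float]:
    return b if a is None else a if b is None else min(a, b)


def _omax(a: Optional[float], b: Optional[float]) -> Optional[float]:
    return b if a is None else a if b is None else max(a, b)


def cluster(records: List[FlowStatus]) -> List[FlowStatus]:
    """Merge status records sharing a 5-tuple into one transaction record,
    keeping the earliest start and latest last timestamp per direction
    (the timestamp part of a racluster()-style merge; counters omitted)."""
    merged: Dict[FlowKey, FlowStatus] = {}
    for r in records:
        m = merged.get(r.key)
        if m is None:
            merged[r.key] = replace(r)  # copy, so the input is not mutated
            continue
        m.sstime = _omin(m.sstime, r.sstime)
        m.sltime = _omax(m.sltime, r.sltime)
        m.dstime = _omin(m.dstime, r.dstime)
        m.dltime = _omax(m.dltime, r.dltime)
    return list(merged.values())


# Constructed sample: a 12.3 s memcached-style TCP session emitted as three
# status records, one DNS request/response, and one SYN that got no reply.
SAMPLE: List[FlowStatus] = [
    FlowStatus("10.0.0.5", 40001, "10.0.0.9", 11211, "tcp", 100.000, 104.500, 100.001, 104.600),
    FlowStatus("10.0.0.5", 40001, "10.0.0.9", 11211, "tcp", 105.000, 109.900, 105.200, 109.950),
    FlowStatus("10.0.0.5", 40001, "10.0.0.9", 11211, "tcp", 110.000, 112.000, 110.100, 112.300),
    FlowStatus("10.0.0.5", 53122, "10.0.0.2", 53, "udp", 200.000, 200.000, 200.012, 200.012),
    FlowStatus("10.0.0.5", 40002, "10.0.0.9", 11211, "tcp", 300.000, 300.500, None, None),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.key, "dur=%.3f sdur=%s ddur=%s" % (dur(r), sdur(r), ddur(r)))
    print("primitive records over the status interval:", len(over_interval(SAMPLE)))
    for t in cluster(SAMPLE):
        print("merged", t.key, "dur=%.3f" % dur(t))
```

Run as-is, every primitive record stays at or under the 5 second interval (the longest is 4.95 s), while the merged memcached flow reports dur 12.3 s, sdur 12.0 s and a slightly shorter ddur because the server's first packet arrived 1 ms after the client's. The unanswered SYN shows why ddur can be undefined: no dst -> src packets were seen, so there is nothing to subtract.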


