rahisto and 'dur'

James A. Robinson jimr at highwire.stanford.edu
Wed Apr 10 15:00:44 EDT 2013


On Wed, Apr 10, 2013 at 11:43 AM, Carter Bullard <carter at qosient.com> wrote:
> When you don't provide rahisto() with the range of the data for the
> histogram, rahisto() has to take 2 passes on the data, the first to
> determine the range, and the second to do the bin aggregations.
>
> If you pipe the data into rahisto(), it won't be able to read the
> data twice.  It will try, and find that the file descriptor has
> already closed, and it will think there wasn't any data.
>
> So, you shouldn't pipe data into rahisto() without providing a range
> for the histogram.....
>
> Use default settings for racluster().  Do you get anything with this?
>
>    racluster -r /var/log/radium/radium.out.?.gz -w - - syn and synack | rahisto -H dur 25:0-100

Yes, that works.  Thank you for explaining the problem.

> If you want to know if there were " outlayers ", add a "-M
> outlayers" and you may get an additional row or two of data for the
> counts outside the range.
>
> I changed your filter, because RST is used by Microsoft stacks to
> close normal connections.  I thought you were filtering to avoid
> rejected connections?

Oh, that was left over from my messing around with racluster
reporting. Yes, I noticed racluster reporting seemed to indicate
connections that were started but never got to the FIN state, and I
was trying to see about removing those from the report.

Thank you again, this has been very helpful.


Jim

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
James A. Robinson                       jimr at highwire.stanford.edu
HighWire | Stanford University          http://highwire.stanford.edu/
+1 650 7237294 (Work)                   +1 650 7259335 (Fax)
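To make the two-pass behaviour Carter describes concrete, here is an added Python model of rahisto-style binning; it is not argus code, and parse_bin_spec, histogram, DURATIONS and the from_* helpers are assumed names over constructed sample durations. It shows why a one-shot input (a pipe) yields "no data" unless the range is supplied up front.

```python
from typing import Iterable, Optional

def parse_bin_spec(spec: str):
    """Parse an "N:lo-hi" spec such as "25:0-100" into (nbins, lo, hi)."""
    nbins, rng = spec.split(":")
    lo, hi = rng.split("-")
    return int(nbins), float(lo), float(hi)

def histogram(values: Iterable[float], spec: Optional[str] = None, default_bins: int = 10) -> dict:
    """Model of rahisto's binning (assumed, not the real implementation).

    Without a range spec the data is read twice: once to find the range,
    once to aggregate.  A file can be re-read; a pipe is a one-shot
    iterator, so the second pass sees nothing and the result looks empty.
    """
    if spec is None:
        lo = hi = None
        for v in values:               # pass 1: determine the range
            lo = v if lo is None else min(lo, v)
            hi = v if hi is None else max(hi, v)
        if lo is None:
            return {"counts": [], "below": 0, "above": 0, "total": 0}
        nbins = default_bins
        if hi == lo:
            hi = lo + 1.0              # avoid a zero-width bin
    else:
        nbins, lo, hi = parse_bin_spec(spec)
    width = (hi - lo) / nbins
    counts = [0] * nbins
    below = above = total = 0
    for v in values:                   # pass 2 (the only pass when a range is given)
        total += 1
        if v < lo:
            below += 1                 # out-of-range rows, what "-M outlayers" would report
        elif v > hi:
            above += 1
        else:
            counts[min(int((v - lo) / width), nbins - 1)] += 1
    return {"counts": counts, "below": below, "above": above, "total": total}

# Constructed sample flow durations in seconds (not real radium output).
DURATIONS = [0.5, 3.2, 7.9, 12.0, 45.5, 88.1, 150.0]

def from_file() -> dict:
    """A list can be iterated twice, like a file opened with -r."""
    return histogram(DURATIONS)

def from_pipe() -> dict:
    """A one-shot iterator models stdin from a pipe: pass 1 drains it."""
    return histogram(iter(DURATIONS))

def from_pipe_with_range() -> dict:
    """Giving the range (-H dur 25:0-100) makes a single pass sufficient."""
    return histogram(iter(DURATIONS), "25:0-100")
```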