ABRatio question
Carter Bullard
carter at qosient.com
Thu Jun 6 17:35:15 EDT 2013
Hey Craig,
Great questions. Every node in a network is both a producer and a consumer, so
which flows should be used in defining the base character of a node becomes important.
You should be able to say that this client is a consumer of this service, and a producer
on this service. Deviations would be at the service level, rather than the node level,
so for every node, you may have 5-20 producer/consumer relations to track.
However, your example is the exact example that this metric is designed to identify.
It's normally a consumer, with a bunch of small flows, but there was this one flow where
it produced a lot of traffic. That single flow is the trigger for investigating whether
this node has been transformed, and the measure would have been a deviation of
the abr from -1.0.
So, I would say, what is the character of the node on this service? When your DNS
client becomes a DNS producer, that is a real problem. When your HTTP client
starts uploading data to remote web servers, and thus is an HTTP producer, and
when the printer becomes a data producer to Japan, over some unknown port,
that is when the metric becomes unambiguously useful.
So a node is normally -0.89750 for HTTP, but this single transaction has the
HTTP abr as 0.457282. That should be significant. It is the outlier, and doesn't
get calculated into the value.
Carter
On Jun 6, 2013, at 5:11 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> Carter,
>
> I’ve been playing around a bit with the ABRatio field. I’m trying to figure out the best way to identify if a host is a consumer or producer across all flows. If a host has a single high-volume flow where it is a producer and a bunch of small flows where it is a consumer, averaging the ABRatio would seem to skew the results towards it being a consumer.
>
> Would it be more accurate to multiply the ABRatio by either the volume of bytes in the flow or the duration of the flow prior to averaging a host’s ABRatio? And if so, do you think it’s better to look at that ratio over the volume of data or over time?
>
> Thx.
>
> C
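
The per-service baseline described in the reply above, as an added example that is not part of the original thread or of the Argus code. It assumes flows have already been reduced to (node, service, abr) tuples; the sample flows, the `threshold` and `min_history` values, and the function name are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample flows: (node, service, abr). The HTTP values are chosen
# so the baseline and the outlier match the figures quoted in the message.
FLOWS = [
    ("10.0.0.5", "http", -0.90),
    ("10.0.0.5", "dns", -0.30),
    ("10.0.0.5", "http", -0.88),
    ("10.0.0.5", "dns", -0.28),
    ("10.0.0.5", "http", -0.91),
    ("10.0.0.5", "dns", -0.32),
    ("10.0.0.5", "http", -0.90),
    ("10.0.0.5", "dns", -0.31),       # normal for DNS on this node
    ("10.0.0.5", "http", 0.457282),   # the node acts as an HTTP producer
    ("10.0.0.5", "http", -0.89),
]

def find_role_changes(flows, threshold=0.5, min_history=3):
    """Flag flows whose abr deviates from the (node, service) baseline.

    threshold and min_history are assumed tuning values, not Argus defaults.
    Returns (alerts, baselines); flagged flows never enter the baseline.
    """
    history = defaultdict(list)
    alerts = []
    for node, service, abr in flows:
        seen = history[(node, service)]
        if len(seen) >= min_history:
            baseline = mean(seen)
            if abs(abr - baseline) > threshold:
                alerts.append((node, service, baseline, abr))
                continue  # outlier: reported, but kept out of the baseline
        seen.append(abr)
    baselines = {key: mean(vals) for key, vals in history.items()}
    return alerts, baselines

if __name__ == "__main__":
    alerts, baselines = find_role_changes(FLOWS)
    for node, service, baseline, abr in alerts:
        print(f"{node} {service}: baseline abr {baseline:.5f}, flow abr {abr:.6f}")
```

Because the baseline is keyed on (node, service), the node's DNS flows around -0.30 do not trigger an alert even though they differ from its HTTP baseline.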