Ratop output

Carter Bullard carter at qosient.com
Tue Dec 16 08:08:55 EST 2014


Hey Monah,
ratop.1 is a general purpose aggregator with a curses front-end.
So it's racluster.1 that displays its aggregation cache for you to look at.
Trans is the number of transactional flow records that have been merged together to create the specific row.  The SrcLoad = SrcBytes / Dur, so it will change, but maybe not increase.

So this is correct behavior. 

When you aggregate flow records together, there are different conditions for each field.  For metrics they are accumulators, bit fields, averages, max or mins, non-equal rejection or first or last item retention.  So in your fields, many are first value retention, such as the 'suser' field.  So everything is as it was designed.

What do you want it to do ???

Carter

> On Dec 15, 2014, at 1:08 PM, Monah Baki <monahbaki at gmail.com> wrote:
> 
> Hi all,
> 
> 
> Running the following:
>  ratop -S localhost:561 -s stime proto saddr sport sco daddr dport dco trans sload suser:100 - port 53
> 
> 
> I noticed that in the first row, "trans" and "SrcLoad" increase until you clear the flow list; then a whole new output appears, and whatever domain is in the first row shows the same symptom: "trans" and "SrcLoad" increase until you refresh.
> 
> Here is the output of what happens after the "Clear flow list"
> 
>    13:04:35.095126    udp         172.31.1.8.49268   ZZ         10.1.0.182.domain  ZZ    590 27870.4* s[36]=t............s3.amazonaws.com.....t.
> 
> Clear flow list
> 
>  13:05:06.018174    udp         172.31.1.8.49268   ZZ         10.1.0.182.domain  ZZ    148 31109.3* s[36]=x............support.apple.com.....x
> 
> Clear flow list
> 
>    13:05:23.206770    udp         172.31.1.8.49268   ZZ         10.1.0.182.domain  ZZ    144 24917.1* s[40]={............atdmt-a.akamaihd.net.....{.
> 
> 
> etc etc
> 
> Is there a way to automatically refresh???
> 
> 
> Thanks
> Monah
> 
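
Added illustration, not part of the thread and not Argus code: a small model of the per-field merge rules described in the reply, showing why a row's trans count grows, why SrcLoad changes without necessarily increasing, and why suser keeps showing the first query. The aggregation key, the min/max handling of the timestamps, and the byte counts and times in the sample records are assumptions made for the example; the addresses and query names are taken from the output quoted above.

```python
from dataclasses import dataclass, replace

@dataclass
class Flow:
    stime: float   # start of first packet, seconds
    ltime: float   # time of last packet, seconds
    saddr: str
    sport: int
    daddr: str
    dport: int
    sbytes: int    # source-to-destination bytes
    suser: str     # captured source user data (here: the DNS query name)
    trans: int = 1 # flow records merged into this row

    def key(self):
        # Assumed aggregation key: the address/port tuple of the flow.
        return (self.saddr, self.sport, self.daddr, self.dport)

    def sload(self):
        # The formula given in the reply: SrcLoad = SrcBytes / Dur.
        dur = self.ltime - self.stime
        return self.sbytes / dur if dur > 0 else 0.0

def merge(row, rec):
    row.trans += rec.trans                 # accumulator
    row.sbytes += rec.sbytes               # accumulator
    row.stime = min(row.stime, rec.stime)  # min (assumed rule)
    row.ltime = max(row.ltime, rec.ltime)  # max (assumed rule)
    # suser: first value retention, so the row keeps its original payload.

def aggregate(records):
    cache = {}
    for rec in records:
        if rec.key() in cache:
            merge(cache[rec.key()], rec)
        else:
            cache[rec.key()] = replace(rec)  # copy so inputs stay untouched
    return cache

# Constructed records: three DNS queries reusing one source port.
A = ("172.31.1.8", 49268, "10.1.0.182", 53)
RECORDS = [
    Flow(0.0, 0.5, *A, sbytes=100, suser="s3.amazonaws.com"),
    Flow(1.0, 1.5, *A, sbytes=100, suser="support.apple.com"),
    Flow(3.5, 4.0, *A, sbytes=200, suser="atdmt-a.akamaihd.net"),
]

if __name__ == "__main__":
    for n in range(1, len(RECORDS) + 1):
        row = aggregate(RECORDS[:n])[A]
        print(row.trans, round(row.sload(), 1), row.suser)
```

With these sample values the row goes from trans 1 to 3 while SrcLoad falls from 200.0 to 100.0, and suser stays on the first query name throughout.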