rabins, ragraph and aggregation of protocols

Carter Bullard carter at qosient.com
Thu Feb 13 08:17:00 EST 2014


Hey Jesper,
There are a number of places where packets can be lost when the load gets high.  What loads are you talking about, 1Gbps, 10Gbps ???

If you are port mirroring, the switch can drop copied packets.  This is obvious when one tries to mirror the ingress and egress stream of a single interface out a single output interface.  If you are mirroring into 2 interfaces, then packet loss usually moves to the capture cards on the sensor, but not always.  Port mirroring bugs do exist in a lot of router and switch vendors' boxes.  So a description of your setup will help.

The OS that argus is running on can drop packets.  Many systems aren't spec'd to run at full network line rate.  This issue, however, is not really a problem on newer systems, but it is a real consideration.

And the Libpcap interface can drop packets; this happens when argus isn't reading packets fast enough.

So what version, what speeds, what equipment, all comes into play.

Glad to hear that it's working most of the time for you.
Send email and we'll get through this process for you and the list !!

Carter

> On Feb 11, 2014, at 9:24 AM, Jesper Skou Jensen <jesper.skou.jensen at uni-c.dk> wrote:
> 
> Hi guys,
> 
> I'm using rabins and ragraph to create some nice PNG graphs and I would like to be able to show only specific protocols and aggregate the rest into one.
> 
> At the moment I use "rabins proto pkts -M 1s -r input.ra -w output.rabins" to create rabins files every time I rotate my files and then later on I trawl those rabins files with ragraph and create the PNG graphs.
> 
> The .rabins files contain tcp, udp, esp, icmp, llc and various other protocols and when I create the PNG graphs they are shown in various colors.
> 
> I would like to keep tcp, udp and aggregate the rest into a combined misc bin. Is that possible? As in to show tcp as green, udp as blue and misc as grey, or something like that.
> 
> 
> --
> Regards
> Jesper
> 
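
One way to get the tcp/udp/misc grouping asked about in the quoted message, done as post-processing outside the argus tools (an added example, not code from this thread or from the argus project). It assumes the per-second bins have been exported as CSV text with columns stime, proto, pkts; that layout, the sample rows and the function name are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

KEEP = ("tcp", "udp")   # protocols that keep their own series
OTHER = "misc"          # everything else is summed into this series

# Constructed sample: one row per (1-second bin, protocol). Second 1392124802
# has no rows at all, as happens when no records fall into a bin.
SAMPLE_CSV = """stime,proto,pkts
1392124800,tcp,1200
1392124800,udp,300
1392124800,esp,40
1392124800,icmp,5
1392124801,tcp,900
1392124801,llc,12
1392124803,udp,75
1392124803,ICMP,3
"""


def fold_protocols(csv_text, keep=KEEP, other=OTHER):
    """Return [(second, {label: pkts})] with one entry per second in range."""
    labels = (*keep, other)
    bins = defaultdict(lambda: dict.fromkeys(labels, 0))
    for row in csv.DictReader(io.StringIO(csv_text)):
        proto = row["proto"].strip().lower()   # tolerate "ICMP" vs "icmp"
        label = proto if proto in keep else other
        bins[int(row["stime"])][label] += int(row["pkts"])
    if not bins:
        return []
    # Emit every second between the first and last bin so that gaps plot as
    # zero instead of being silently joined by the graphing step.
    first, last = min(bins), max(bins)
    return [(t, dict(bins[t])) for t in range(first, last + 1)]


if __name__ == "__main__":
    for second, counts in fold_protocols(SAMPLE_CSV):
        print(second, counts)
```

Each returned entry carries exactly three series, so a plotting step can assign fixed colors (for example green, blue and grey) regardless of which other protocols appear in a given file.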


