pause (or ssilence and dsilence)

Carter Bullard carter at qosient.com
Tue Jun 16 16:36:58 EDT 2015 

Hey /Elof,
Yes, new metrics are a good thing. The trick is what to call it, and how to generate it based on our existing methods and tools.

We have a set of ‘delta’ metrics that are already designed into the clients, such as DeltaStartTime, DeltaDuration, DeltaSrcPkts, etc... that were designed for programs like racluster.1 and ratop.1.  ratop.1 manages a list of argus records, sorts them based on whatever criteria you want, which sets up the notion of “the previous” record for calculating the type of metrics you’re interested in.  We have a routine called ArgusSubtractRecord() and ArgusIntersectRecord(), which provide the diffs / differences between this record and any other record, but we’ll have to add a little to formulate this inter-record time information.

So, …, there are 4 timestamps in an argus record.  SrcStartTime, SrcEndTime, DstStartTime and DstEndTime, from these 4 timestamps we formulate the SrcTime (minimum of all timestamps) and EndTime, (maximum of all timestamps).   So, …, do you want src inter-record time, dst inter-record time and just inter-record time ???

   irtime  - inter-record idle time, the idle time between the end and start of two records
   sirtime - src inter-record idle time
   dirtime - dst inter-record idle time

When we print the value for the first record, should it be 0.0, or is it blank ???
You will have to generate the list of records, in the proper order for these values to be meaningful, and you will have to print out the list in order to generate the values.

We’ll need to be able to print, filter, graph and process these values, as we do with every printable field.  But what do you want to do about sorting on the values, as that is a bit of a puzzle.  If we sort on a value that is based on sorting, what does the value mean ???

Do you want to label the flow with the value, and then be able to process that value, like sort, print, filter etc ??????

If we can get some agreement, then we should add it, sooner than later.

Carter

> On Jun 16, 2015, at 11:36 AM, elof2 at sentor.se wrote:
> 
> 
> Hi Carter!
> 
> Could the following feature be added to ra:
> 
> Say you have a tcp flow (e.g. smtp) that send some packets (EHLO, banner, MAIL, RCPT, DATA, etc). Then it pause for 45 seconds. Then it continues with a new MAIL, RCPT, etc. It keeps doing this with various pauses between the mails until hours later it is FINished.
> 
> In this traffic between A and B, I would like to see how long those pauses are. Something like this:
>          sport      dport state   pause
> 12:00:00 A:32123 -> B:25 SPA_SPA   0.0
> 12:00:45 A:32123 -> B:25  PA_PA    44.35
> 12:05:00 A:32123 -> B:25   A_A     254.1
> 
> ...where pause (or whatever you want to call it) is simply:
> stime minus ltime from the row before.
> 
> 
> That's it really.
> A "dumb" field that simply display the pause between records (rows) displayed on screen so I don't have to use a calculator and manually subtract and calculate the difference.
> 
> 
> 
> 
> If you want to do it a bit more complex, you could have two fields, in the same manner as wireshark has capture filters and display filters:
> ra could distinguish between 'displayed' pauses and pauses within the 'flow'.
> 
> rpause - pause between printed records on screen
>  rpause = stime minus ltime from the row before.
> 
> fpause - pause since the last record for this particular flow
>  fpause = stime minus ltime from the previous record within this flow.
> 
> 
> Example:
> When line 4 is to be printed, we have a NTP-packet in line 3 which would set the pause to 134.1 seconds.
> 
>          sport      dport state   pause
> 12:00:00 A:32123 -> B:25 SPA_SPA   0.0
> 12:00:45 A:32123 -> B:25  PA_PA    44.35
> 12:03:00 Q:123   -> Z:123  CON     134.1
> 12:05:00 A:32123 -> B:25   A_A     119.95
> 
> Instead, we cold have:
>          sport      dport state   rpause  fpause
> 12:00:00 A:32123 -> B:25 SPA_SPA   0.0     0.00
> 12:00:45 A:32123 -> B:25  PA_PA    44.35   44.35
> 12:03:00 Q:123   -> Z:123  CON     134.1   0.00
> 12:05:00 A:32123 -> B:25   A_A     119.95  254.1
> 
> 
> (perhaps 'rpause' should be called 'dpause' as in "displayed pause", but 'd' usually indicate "dst", so I go for 'r' as in Record or Row)
> 
> 
> 
> What do you say?
> 
> 
> 
> (
> If the flow records store stime and ltime for *each direction*, we could measure the pauses in the client data stream and pauses in the server responses.
> ...but I don't think the records store a src-stime, src-ltime, dst-stime and dst-ltime.
> )
> 
> /Elof
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150616/162d8eec/attachment.bin>

More information about the argus mailing list