Inter packet arrival times, etc

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Tue Mar 1 18:37:31 EST 2016


Hey John,
Well, it's working for me, so we have to figure out what your particular issue is …
First thing is to grab the latest code to see if that fixes your issue …

   http://qosient.com/argus/dev/argus-latest.tar.gz  (which is argus-3.0.8.1)
   http://qosient.com/argus/dev/argus-clients-latest.tar.gz (which is argus-3.0.8.2.rc.2)

Next is to see the actual argus and ra command line options you are using, that way we can see that you should be generating the right data, and that you’re printing the right fields.  If you have an /etc/argus.conf file, you may want to use the “-X” as the first option to argus, to eliminate any interference from your system configuration.

This is the kind of output I would expect from printing out data. 

thoth:argus carter$ ra -S localhost -s stime dur sintpkt dintpkt
                 StartTime        Dur      SIntPkt      DIntPkt 
2016/03/01.18:35:47.120828 105232.68*
2016/03/01.18:35:45.370833   0.004182
2016/03/01.18:35:45.371048   0.006204
2016/03/01.18:35:45.389638   0.003608
2016/03/01.18:35:45.389874   0.006610
2016/03/01.18:35:45.783550   0.102185   102.185000
2016/03/01.18:35:45.981787   0.000345     0.345000
2016/03/01.18:35:46.341460   1.792576   100.419898   100.418047
2016/03/01.18:35:46.596191   0.000000
2016/03/01.18:35:46.716520   0.000000
2016/03/01.18:35:46.903525   0.000000
2016/03/01.18:35:46.946131   1.502750   470.739594   470.732813
2016/03/01.18:35:48.365561   1.987141    92.444414    79.240289
2016/03/01.18:35:48.449544   0.195982    16.331833    21.804000
2016/03/01.18:35:48.517958   0.000000
2016/03/01.18:35:48.746586   0.000000


Then if all is odd, if you can send some of your argus data, I can test to see what could be the problem.
Carter


> On Mar 1, 2016, at 5:43 PM, John T. Myers <myersj0 at gmail.com> wrote:
> 
> I'm using 3.0.8.1.
> 
> I've enabled both -JZ and both fields are still blank.
> 
> I enabled spkts and dpkts, and many records have > 1 packet, still getting blank for all the other fields.
> 
> On Tue, Mar 1, 2016 at 5:36 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey John,
> What version of argus are you using ???
> You will get blanks for the SIntPkt and DIntPkt fields if there aren’t more than 1 packet in the flow record.
> Try printing out at least the spkts and dpkts fields to see that you are getting multiple packets.
> 
> You are not turning on source packet size reporting, which needs the -Z option, so do you mean +dintpkt instead of +spktsz ?????
> 
> Carter
> 
>> On Mar 1, 2016, at 5:29 PM, John T. Myers via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>> 
>> Hi,
>> 
>> I'm trying to enable SIntPkt and other similar metrics on live collection against an interface. 
>> 
>> Which Argus options enable this? I've tried -J but it does not work.
>> 
>> The two commands I'm using are:
>> 
>> sudo /usr/local/sbin/argus -i en0 -P 1776 -J
>> 
>> and then trying...
>> 
>> ra -A -S 127.0.0.1:1776 -s +sintpkt +spktsz
>> 
>> The additional fields I'm trying to capture are blank, though.
>> 
>> Thanks!
>> John
> 
> 
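The ra table Carter pastes above is right-aligned under its header and leaves SIntPkt/DIntPkt blank for single-packet flows, so splitting on whitespace misassigns columns. The following is an added example, not code from the argus project or this thread: it slices each row at the right edge of the header names (an assumption about ra's layout, true for the sample), treats the trailing `*` as ra's marker for a value too wide for its column (also an assumption), and reports which records carry inter-packet timing.

```python
"""Parse the whitespace-aligned output of `ra -s stime dur sintpkt dintpkt`
and classify each record by which inter-packet fields it carries."""
import re

# Rows copied from the ra output in the thread (a subset), used as sample input.
SAMPLE = """\
                 StartTime        Dur      SIntPkt      DIntPkt 
2016/03/01.18:35:47.120828 105232.68*
2016/03/01.18:35:45.370833   0.004182
2016/03/01.18:35:45.783550   0.102185   102.185000
2016/03/01.18:35:46.341460   1.792576   100.419898   100.418047
2016/03/01.18:35:46.596191   0.000000
2016/03/01.18:35:48.365561   1.987141    92.444414    79.240289
"""

def column_edges(header):
    """Return (name, start, end) per column; values are right-aligned, so the
    end of each header word is the column boundary (assumed ra layout)."""
    edges, start = [], 0
    for m in re.finditer(r"\S+", header):
        edges.append((m.group(), start, m.end()))
        start = m.end()
    return edges

def parse_ra_table(text):
    """Slice every data row by the header boundaries; blank cells become None."""
    lines = text.splitlines()
    cols = column_edges(lines[0])
    records = []
    for line in lines[1:]:
        if not line.strip():
            continue
        rec = {}
        for name, start, end in cols:
            cell = line[start:end].strip()
            if cell.endswith("*"):  # assumed: ra flags an over-wide value with '*'
                cell = cell[:-1]
            rec[name] = cell or None
        records.append(rec)
    return records

def timing_summary(records):
    """Label each record 'both', 'src', 'dst' or 'none' by which inter-packet
    fields are present, and sanity-check that a mean gap (ms) never exceeds
    the record duration (s) converted to ms, as in the 2-packet row above."""
    out = []
    for r in records:
        s, d = r["SIntPkt"], r["DIntPkt"]
        kind = "both" if s and d else "src" if s else "dst" if d else "none"
        dur_ms = float(r["Dur"]) * 1000
        for v in (s, d):
            if v is not None and float(v) > dur_ms + 1e-6:
                raise ValueError(f"gap {v} ms exceeds duration {dur_ms} ms")
        out.append((r["StartTime"], kind))
    return out
```

Records labelled "none" are the ones the thread explains: flows with at most one packet in each direction, for which ra has no inter-packet interval to report.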
