Inter packet arrival times, etc
John T. Myers via Argus-info
argus-info at lists.andrew.cmu.edu
Tue Mar 1 19:00:50 EST 2016
Carter,
I am running the most recent versions of both argus and ra.
I am not using an /etc/argus.conf file.
Here's what I'm running:
sudo /usr/local/sbin/argus -XJZ -P 1776
Here's my output:
$ ra -S 127.0.0.1:1776 -s stime dur sintpkt dintpkt spkts dpkts
StartTime        Dur       SIntPkt   DIntPkt   SrcPkts  DstPkts
18:57:03.409875  4.706442                            7        7
18:57:04.511125  0.011859                            2        1
18:57:04.511759  2.522828                           17       13
18:57:05.086039  0.013790                            1        1
18:57:07.152224  0.079377                            4        4
18:57:07.158213  0.003873                            1        1
18:57:07.162894  0.355735                            9        7
18:57:07.181655  2.867576                            2        0
18:57:07.218432  0.076724                            2        1
18:57:07.386298  3.072719                            2        0
18:57:07.648119  0.849830                            4        4
18:57:08.050722  1.124733                            3        3
18:57:08.443340  4.793475                            7        7
18:57:08.815269  0.000000                            1        0
18:57:08.815880  0.000000                            1        0
18:57:09.361360  0.000000                            1        1
18:57:12.299458  0.082107                            2        1
18:57:13.121569  0.409717                            4        0
18:57:13.121967  0.410232                            4        0
18:57:13.326743  2.867111                            2        0
18:57:13.532298  3.071525                            2        0
18:57:13.566275  4.931359                            7        7
18:57:16.108317  0.000000                            1        0
18:57:16.367749  0.000000                            1        0
18:57:16.367961  0.000000                            1        0
18:57:17.384924  0.076498                            2        1
18:57:18.493563  0.006411                            2        1
18:57:18.822255  4.951610                            7        7
18:57:19.170851  0.007446                            2        1
18:57:19.471014  0.000000                            1        0
18:57:19.675868  3.072499                            2        0
18:57:20.343892  0.010916                            1        1
18:57:21.929061  0.000000                            1        0
18:57:22.134655  1.023289                            2        0
18:57:22.462428  0.076372                            2        1
18:57:22.954646  4.716694                            2        3
18:57:24.100218  4.836413                           30       29
18:57:25.820692  3.072441                            2        0
On Tue, Mar 1, 2016 at 6:37 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey John,
> Well, it's working for me, so we have to figure out what your particular issue is …
> First thing is to grab the latest code to see if that fixes your issue …
>
> http://qosient.com/argus/dev/argus-latest.tar.gz (which is
> argus-3.0.8.1)
> http://qosient.com/argus/dev/argus-clients-latest.tar.gz (which is
> argus-3.0.8.2.rc.2)
>
> Next is to see the actual argus and ra command line options you are using,
> that way we can see that you should be generating the right data, and that
> you’re printing the right fields. If you have an /etc/argus.conf file, you
> may want to use the “-X” as the first option to argus, to eliminate any
> interference from your system configuration.
>
> This is the kind of output I would expect from printing out data.
>
> thoth:argus carter$ ra -S localhost -s stime dur sintpkt dintpkt
> StartTime Dur SIntPkt DIntPkt
> 2016/03/01.18:35:47.120828 105232.68*
> 2016/03/01.18:35:45.370833 0.004182
> 2016/03/01.18:35:45.371048 0.006204
> 2016/03/01.18:35:45.389638 0.003608
> 2016/03/01.18:35:45.389874 0.006610
> 2016/03/01.18:35:45.783550 0.102185 102.185000
> 2016/03/01.18:35:45.981787 0.000345 0.345000
> 2016/03/01.18:35:46.341460 1.792576 100.419898 100.418047
> 2016/03/01.18:35:46.596191 0.000000
> 2016/03/01.18:35:46.716520 0.000000
> 2016/03/01.18:35:46.903525 0.000000
> 2016/03/01.18:35:46.946131 1.502750 470.739594 470.732813
> 2016/03/01.18:35:48.365561 1.987141 92.444414 79.240289
> 2016/03/01.18:35:48.449544 0.195982 16.331833 21.804000
> 2016/03/01.18:35:48.517958 0.000000
> 2016/03/01.18:35:48.746586 0.000000
>
>
> Then, if all is still odd and you can send some of your argus data, I can
> test to see what could be the problem.
> Carter
>
>
> > On Mar 1, 2016, at 5:43 PM, John T. Myers <myersj0 at gmail.com> wrote:
> >
> > I'm using 3.0.8.1.
> >
> > I've enabled both -JZ and both fields are still blank.
> >
> > I enabled spkts and dpkts, and many records have > 1 packet, still getting blank for all the other fields.
> >
> > On Tue, Mar 1, 2016 at 5:36 PM, Carter Bullard <carter at qosient.com> wrote:
> > Hey John,
> > What version of argus are you using ???
> > You will get blanks for the SIntPkt and DIntPkt fields if there aren’t more than 1 packet in the flow record.
> > Try printing out at least the spkts and dpkts fields to see that you are getting multiple packets.
> >
> > You are not turning on source packet size reporting, which needs the -Z option, so do you mean +dintpkt instead of +spktsz ?????
> >
> > Carter
> >
> >> On Mar 1, 2016, at 5:29 PM, John T. Myers via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> >>
> >> Hi,
> >>
> >> I'm trying to enable SIntPkt and other similar metrics on live collection against an interface.
> >>
> >> Which Argus options enable this? I've tried -J but it does not work.
> >>
> >> The two commands I'm using are:
> >>
> >> sudo /usr/local/sbin/argus -i en0 -P 1776 -J
> >>
> >> and then trying...
> >>
> >> ra -A -S 127.0.0.1:1776 -s +sintpkt +spktsz
> >>
> >> The additional fields I'm trying to capture are blank, though.
> >>
> >> Thanks!
> >> John
> >
> >
>
>
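Added example (not part of this thread and not argus or ra code): a small Python cross-check of what the SIntPkt/DIntPkt columns should hold for a flow, built from packet timestamps rather than from argus itself. It assumes, as the thread's numbers suggest (a 0.102185 s flow printing 102.185), that the field is the mean inter-packet arrival interval per direction in milliseconds, and it applies the rule Carter states above: the field stays blank unless that direction has at least two packets. The packet timestamps are constructed, not captured, and the column rendering only imitates ra's layout.

```python
"""Per-direction inter-packet arrival statistics for one flow record.

Added example, not argus/ra code.  Assumption (labelled): sintpkt/dintpkt
are the mean gap between consecutive packets of one direction, in ms, and
are blank when that direction carries fewer than two packets.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (timestamp in seconds, direction) where direction is "src" or "dst"
Packet = Tuple[float, str]


@dataclass
class FlowStats:
    stime: float             # first packet time (seconds, relative)
    dur: float               # last packet time - first packet time
    spkts: int
    dpkts: int
    sintpkt: Optional[float]  # ms; None when fewer than 2 src packets
    dintpkt: Optional[float]  # ms; None when fewer than 2 dst packets


def mean_interarrival_ms(times: List[float]) -> Optional[float]:
    """Mean gap between consecutive packets in ms; None if < 2 packets."""
    if len(times) < 2:
        return None
    ts = sorted(times)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    return 1000.0 * sum(gaps) / len(gaps)


def flow_stats(packets: List[Packet]) -> FlowStats:
    """Summarise one flow the way ra would print stime/dur/spkts/dpkts/
    sintpkt/dintpkt, given the packets that make up the record."""
    if not packets:
        raise ValueError("a flow record needs at least one packet")
    times = [t for t, _ in packets]
    src = [t for t, d in packets if d == "src"]
    dst = [t for t, d in packets if d == "dst"]
    return FlowStats(
        stime=min(times),
        dur=max(times) - min(times),
        spkts=len(src),
        dpkts=len(dst),
        sintpkt=mean_interarrival_ms(src),
        dintpkt=mean_interarrival_ms(dst),
    )


def format_ra_row(fs: FlowStats) -> str:
    """Render like `ra -s stime dur sintpkt dintpkt spkts dpkts`, keeping
    the blank columns blank instead of printing 0."""
    def f(x: Optional[float]) -> str:
        return "" if x is None else f"{x:.6f}"
    return (f"{fs.stime:>15.6f}  {fs.dur:>9.6f}  {f(fs.sintpkt):>11}  "
            f"{f(fs.dintpkt):>11}  {fs.spkts:>7}  {fs.dpkts:>7}")


if __name__ == "__main__":
    # Constructed flows: two-packet source-only flow, a request/response
    # pair (one packet each way, so both interval fields stay blank), and a
    # flow with several packets in each direction.
    samples = [
        [(0.0, "src"), (0.102185, "src")],
        [(5.0, "src"), (5.01, "dst")],
        [(1.0, "src"), (1.1, "src"), (1.4, "src"), (1.05, "dst"), (1.10, "dst")],
    ]
    print(f"{'StartTime':>15}  {'Dur':>9}  {'SIntPkt':>11}  {'DIntPkt':>11}  "
          f"{'SrcPkts':>7}  {'DstPkts':>7}")
    for pkts in samples:
        print(format_ra_row(flow_stats(pkts)))
```

Running it prints three rows; the middle one shows both interval columns blank with SrcPkts and DstPkts both 1, which is exactly the shape Carter describes for single-packet directions, so a live `ra` run that prints blanks only on rows with a 0 or 1 packet count is behaving as designed, while blanks on rows with many packets point at the argus side (missing -J/-Z, or a config file overriding the command line).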