Inter packet arrival times, etc

John T. Myers via Argus-info argus-info at lists.andrew.cmu.edu
Tue Mar 1 19:13:55 EST 2016


Well that long shot worked! Must be a rogue argus running!

On Tue, Mar 1, 2016 at 7:08 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey John,
> Hmmmm, well it's a long shot, but maybe you have another argus running on port 1776 ???
> Try this type of call just to make sure …
>
> thoth:argus carter$ argus -XJZ -w - | ra -s stime dur sintpkt dintpkt spkts dpkts
>     ArgusAlert: 01 Mar 16 19:07:49.309170 started
>     ArgusAlert: 01 Mar 16 19:07:49.314159 ArgusGetInterfaceStatus: interface en0 is up
>                  StartTime        Dur      SIntPkt      DIntPkt  SrcPkts  DstPkts
> 2016/03/01.19:07:49.450105   4.903775   114.038508   108.971445       44       46
> 2016/03/01.19:07:50.169456   4.755407   951.058188   951.062812        6        6
> 2016/03/01.19:07:51.740083   0.000000                                  1        0
> 2016/03/01.19:07:54.527459   4.951990   119.199281   119.199672       43       43
> 2016/03/01.19:07:56.070868   4.577656   953.943500   953.951312        6        6
> 2016/03/01.19:07:57.956988   0.000000                                  1        0
>
> Carter
>
> > On Mar 1, 2016, at 7:00 PM, John T. Myers <myersj0 at gmail.com> wrote:
> >
> > Carter,
> >
> > I am running the most recent versions of both argus and ra.
> >
> > I am not using an /etc/argus.conf file.
> >
> > Here's what I'm running:
> > sudo /usr/local/sbin/argus -XJZ -P 1776
> >
> > Here's my output:
> >
> > $ ra -S 127.0.0.1:1776 -s stime dur sintpkt dintpkt spkts dpkts
> >
> >          StartTime        Dur      SIntPkt      DIntPkt  SrcPkts  DstPkts
> >    18:57:03.409875   4.706442                                  7        7
> >    18:57:04.511125   0.011859                                  2        1
> >    18:57:04.511759   2.522828                                 17       13
> >    18:57:05.086039   0.013790                                  1        1
> >    18:57:07.152224   0.079377                                  4        4
> >    18:57:07.158213   0.003873                                  1        1
> >    18:57:07.162894   0.355735                                  9        7
> >    18:57:07.181655   2.867576                                  2        0
> >    18:57:07.218432   0.076724                                  2        1
> >    18:57:07.386298   3.072719                                  2        0
> >    18:57:07.648119   0.849830                                  4        4
> >    18:57:08.050722   1.124733                                  3        3
> >    18:57:08.443340   4.793475                                  7        7
> >    18:57:08.815269   0.000000                                  1        0
> >    18:57:08.815880   0.000000                                  1        0
> >    18:57:09.361360   0.000000                                  1        1
> >    18:57:12.299458   0.082107                                  2        1
> >    18:57:13.121569   0.409717                                  4        0
> >    18:57:13.121967   0.410232                                  4        0
> >    18:57:13.326743   2.867111                                  2        0
> >    18:57:13.532298   3.071525                                  2        0
> >    18:57:13.566275   4.931359                                  7        7
> >    18:57:16.108317   0.000000                                  1        0
> >    18:57:16.367749   0.000000                                  1        0
> >    18:57:16.367961   0.000000                                  1        0
> >    18:57:17.384924   0.076498                                  2        1
> >    18:57:18.493563   0.006411                                  2        1
> >    18:57:18.822255   4.951610                                  7        7
> >    18:57:19.170851   0.007446                                  2        1
> >    18:57:19.471014   0.000000                                  1        0
> >    18:57:19.675868   3.072499                                  2        0
> >    18:57:20.343892   0.010916                                  1        1
> >    18:57:21.929061   0.000000                                  1        0
> >    18:57:22.134655   1.023289                                  2        0
> >    18:57:22.462428   0.076372                                  2        1
> >    18:57:22.954646   4.716694                                  2        3
> >    18:57:24.100218   4.836413                                 30       29
> >    18:57:25.820692   3.072441                                  2        0
> >
> >
> > On Tue, Mar 1, 2016 at 6:37 PM, Carter Bullard <carter at qosient.com> wrote:
> > Hey John,
> > Well, it's working for me, so we have to figure out what your particular issue is …
> > First thing is to grab the latest code to see if that fixes your issue …
> >
> >    http://qosient.com/argus/dev/argus-latest.tar.gz  (which is argus-3.0.8.1)
> >    http://qosient.com/argus/dev/argus-clients-latest.tar.gz (which is argus-3.0.8.2.rc.2)
> >
> > Next is to see the actual argus and ra command line options you are using, that way we can see that you should be generating the right data, and that you're printing the right fields.  If you have an /etc/argus.conf file, you may want to use the "-X" as the first option to argus, to eliminate any interference from your system configuration.
> >
> > This is the kind of output I would expect from printing out data.
> >
> > thoth:argus carter$ ra -S localhost -s stime dur sintpkt dintpkt
> >                  StartTime        Dur      SIntPkt      DIntPkt
> > 2016/03/01.18:35:47.120828 105232.68*
> > 2016/03/01.18:35:45.370833   0.004182
> > 2016/03/01.18:35:45.371048   0.006204
> > 2016/03/01.18:35:45.389638   0.003608
> > 2016/03/01.18:35:45.389874   0.006610
> > 2016/03/01.18:35:45.783550   0.102185   102.185000
> > 2016/03/01.18:35:45.981787   0.000345     0.345000
> > 2016/03/01.18:35:46.341460   1.792576   100.419898   100.418047
> > 2016/03/01.18:35:46.596191   0.000000
> > 2016/03/01.18:35:46.716520   0.000000
> > 2016/03/01.18:35:46.903525   0.000000
> > 2016/03/01.18:35:46.946131   1.502750   470.739594   470.732813
> > 2016/03/01.18:35:48.365561   1.987141    92.444414    79.240289
> > 2016/03/01.18:35:48.449544   0.195982    16.331833    21.804000
> > 2016/03/01.18:35:48.517958   0.000000
> > 2016/03/01.18:35:48.746586   0.000000
> >
> >
> > Then if all is odd, then if you can send some of your argus data, I can test to see what could be the problem.
> > Carter
> >
> >
> > > On Mar 1, 2016, at 5:43 PM, John T. Myers <myersj0 at gmail.com> wrote:
> > >
> > > I'm using 3.0.8.1.
> > >
> > > I've enabled both -JZ and both fields are still blank.
> > >
> > > I enabled spkts and dpkts, and many records have > 1 packet, still getting blank for all the other fields.
> > >
> > > On Tue, Mar 1, 2016 at 5:36 PM, Carter Bullard <carter at qosient.com> wrote:
> > > Hey John,
> > > What version of argus are you using ???
> > > You will get blanks for the SIntPkt and DIntPkt fields if there aren't more than 1 packet in the flow record.
> > > Try printing out at least the spkts and dpkts fields to see that you are getting multiple packets.
> > >
> > > You are not turning on source packet size reporting, which needs the -Z option, so do you mean +dintpkt instead of +spktsz ?????
> > >
> > > Carter
> > >
> > >> On Mar 1, 2016, at 5:29 PM, John T. Myers via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> > >>
> > >> Hi,
> > >>
> > >> I'm trying to enable SIntPkt and other similar metrics on live collection against an interface.
> > >>
> > >> Which Argus options enable this? I've tried -J but it does not work.
> > >>
> > >> The two commands I'm using are:
> > >>
> > >> sudo /usr/local/sbin/argus -i en0 -P 1776 -J
> > >>
> > >> and then trying...
> > >>
> > >> ra -A -S 127.0.0.1:1776 -s +sintpkt +spktsz
> > >>
> > >> The additional fields I'm trying to capture are blank, though.
> > >>
> > >> Thanks!
> > >> John
> > >
> > >
> >
> >
>
>
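The rows in this thread follow the rule Carter states: SIntPkt and DIntPkt are only populated when a direction has seen more than one packet, because the field is an average of the gaps between consecutive packets of that direction (in the working output above, 4.903775 s across 44 source packets comes out near 114 ms, so the unit is milliseconds). The script below is an added illustration of that rule written for this archive page; it is not argus or ra code, the flows it summarizes are constructed, and the per-direction averaging and millisecond unit are inferred from the rows above rather than taken from argus documentation.

```python
"""Per-direction mean inter-packet arrival time, with the blank-field rule.

Added example, not argus/ra code. All packet timestamps below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    ts: float          # capture time in seconds (constructed values below)
    src_to_dst: bool   # True for the flow's source direction, False for the reply direction


def mean_interpkt_ms(timestamps: List[float]) -> Optional[float]:
    """Mean gap between consecutive packets of one direction, in milliseconds.

    With fewer than two packets there is no gap to average, so None is returned;
    that is exactly the case in which ra prints SIntPkt/DIntPkt as a blank cell.
    """
    if len(timestamps) < 2:
        return None
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    return 1000.0 * sum(gaps) / len(gaps)


def summarize_flow(packets: List[Packet]) -> Tuple[float, Optional[float], Optional[float], int, int]:
    """One flow record as (dur, sintpkt, dintpkt, spkts, dpkts).

    dur spans packets of both directions, while each inter-packet mean uses only
    its own direction; that is why dur / (spkts - 1) only approximates SIntPkt.
    """
    src = [p.ts for p in packets if p.src_to_dst]
    dst = [p.ts for p in packets if not p.src_to_dst]
    every = src + dst
    dur = max(every) - min(every) if every else 0.0
    return (dur, mean_interpkt_ms(src), mean_interpkt_ms(dst), len(src), len(dst))


def format_record(stime: str, rec) -> str:
    """Render one record in the column layout of
    'ra -s stime dur sintpkt dintpkt spkts dpkts', leaving None fields blank."""
    dur, sint, dint, spkts, dpkts = rec
    cell = lambda v: "" if v is None else f"{v:.6f}"
    return f"{stime:>18} {dur:10.6f} {cell(sint):>12} {cell(dint):>12} {spkts:8d} {dpkts:8d}"


# Constructed flows; timestamps are seconds relative to an arbitrary start.
FLOWS = {
    # both directions have more than one packet, so both fields are populated
    "18:57:03.000000": [Packet(0.0, True), Packet(0.05, False), Packet(0.1, True),
                        Packet(0.15, False), Packet(0.2, True), Packet(0.25, False),
                        Packet(0.3, True)],
    # a lone packet: dur is 0 and both inter-packet fields are blank (the "1  0" rows)
    "18:57:08.000000": [Packet(5.0, True)],
    # only the source direction has a gap; DIntPkt stays blank with one reply packet
    "18:57:13.000000": [Packet(10.0, True), Packet(10.2, False), Packet(10.5, True)],
}


def demo_records():
    """Summaries for the constructed flows, in FLOWS order."""
    return [(stime, summarize_flow(pkts)) for stime, pkts in FLOWS.items()]


if __name__ == "__main__":
    print(f"{'StartTime':>18} {'Dur':>10} {'SIntPkt':>12} {'DIntPkt':>12} {'SrcPkts':>8} {'DstPkts':>8}")
    for stime, rec in demo_records():
        print(format_record(stime, rec))
```

Running it prints three rows in the ra layout: the first with both means at 100 ms, the second with dur 0.000000 and two blank cells, the third with SIntPkt 500 ms and DIntPkt blank. That matches the pattern in John's output, where every row with a single packet in a direction shows a blank for that direction.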