Inter packet arrival times, etc
Carter Bullard via Argus-info
argus-info at lists.andrew.cmu.edu
Tue Mar 1 19:17:16 EST 2016
Hey John,
Cool … it will be really odd if you can’t find it ;O)
Carter
> On Mar 1, 2016, at 7:13 PM, John T. Myers <myersj0 at gmail.com> wrote:
>
> Well that long shot worked! Must be a rogue argus running!
>
> On Tue, Mar 1, 2016 at 7:08 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey John,
> Hmmmm, well, it's a long shot, but maybe you have another argus running on port 1776 ???
> Try this type of call just to make sure …
>
> thoth:argus carter$ argus -XJZ -w - | ra -s stime dur sintpkt dintpkt spkts dpkts
> ArgusAlert: 01 Mar 16 19:07:49.309170 started
> ArgusAlert: 01 Mar 16 19:07:49.314159 ArgusGetInterfaceStatus: interface en0 is up
> StartTime                    Dur        SIntPkt      DIntPkt     SrcPkts  DstPkts
> 2016/03/01.19:07:49.450105   4.903775   114.038508   108.971445     44       46
> 2016/03/01.19:07:50.169456   4.755407   951.058188   951.062812      6        6
> 2016/03/01.19:07:51.740083   0.000000                                1        0
> 2016/03/01.19:07:54.527459   4.951990   119.199281   119.199672     43       43
> 2016/03/01.19:07:56.070868   4.577656   953.943500   953.951312      6        6
> 2016/03/01.19:07:57.956988   0.000000                                1        0
>
> Carter
>
> > On Mar 1, 2016, at 7:00 PM, John T. Myers <myersj0 at gmail.com> wrote:
> >
> > Carter,
> >
> > I am running the most recent versions of both argus and ra.
> >
> > I am not using an /etc/argus.conf file.
> >
> > Here's what I'm running:
> > sudo /usr/local/sbin/argus -XJZ -P 1776
> >
> > Here's my output:
> >
> > $ ra -S 127.0.0.1:1776 -s stime dur sintpkt dintpkt spkts dpkts
> >
> > StartTime          Dur        SIntPkt  DIntPkt  SrcPkts  DstPkts
> > 18:57:03.409875    4.706442                         7        7
> > 18:57:04.511125    0.011859                         2        1
> > 18:57:04.511759    2.522828                        17       13
> > 18:57:05.086039    0.013790                         1        1
> > 18:57:07.152224    0.079377                         4        4
> > 18:57:07.158213    0.003873                         1        1
> > 18:57:07.162894    0.355735                         9        7
> > 18:57:07.181655    2.867576                         2        0
> > 18:57:07.218432    0.076724                         2        1
> > 18:57:07.386298    3.072719                         2        0
> > 18:57:07.648119    0.849830                         4        4
> > 18:57:08.050722    1.124733                         3        3
> > 18:57:08.443340    4.793475                         7        7
> > 18:57:08.815269    0.000000                         1        0
> > 18:57:08.815880    0.000000                         1        0
> > 18:57:09.361360    0.000000                         1        1
> > 18:57:12.299458    0.082107                         2        1
> > 18:57:13.121569    0.409717                         4        0
> > 18:57:13.121967    0.410232                         4        0
> > 18:57:13.326743    2.867111                         2        0
> > 18:57:13.532298    3.071525                         2        0
> > 18:57:13.566275    4.931359                         7        7
> > 18:57:16.108317    0.000000                         1        0
> > 18:57:16.367749    0.000000                         1        0
> > 18:57:16.367961    0.000000                         1        0
> > 18:57:17.384924    0.076498                         2        1
> > 18:57:18.493563    0.006411                         2        1
> > 18:57:18.822255    4.951610                         7        7
> > 18:57:19.170851    0.007446                         2        1
> > 18:57:19.471014    0.000000                         1        0
> > 18:57:19.675868    3.072499                         2        0
> > 18:57:20.343892    0.010916                         1        1
> > 18:57:21.929061    0.000000                         1        0
> > 18:57:22.134655    1.023289                         2        0
> > 18:57:22.462428    0.076372                         2        1
> > 18:57:22.954646    4.716694                         2        3
> > 18:57:24.100218    4.836413                        30       29
> > 18:57:25.820692    3.072441                         2        0
> >
> > On Tue, Mar 1, 2016 at 6:37 PM, Carter Bullard <carter at qosient.com> wrote:
> > Hey John,
> > Well, it's working for me, so we have to figure out what your particular issue is …
> > First thing is to grab the latest code to see if that fixes your issue …
> >
> > http://qosient.com/argus/dev/argus-latest.tar.gz (which is argus-3.0.8.1)
> > http://qosient.com/argus/dev/argus-clients-latest.tar.gz (which is argus-3.0.8.2.rc.2)
> >
> > Next is to see the actual argus and ra command line options you are using, that way we can see that you should be generating the right data, and that you’re printing the right fields. If you have an /etc/argus.conf file, you may want to use the “-X” as the first option to argus, to eliminate any interference from your system configuration.
> >
> > This is the kind of output I would expect from printing out data.
> >
> > thoth:argus carter$ ra -S localhost -s stime dur sintpkt dintpkt
> > StartTime Dur SIntPkt DIntPkt
> > 2016/03/01.18:35:47.120828 105232.68*
> > 2016/03/01.18:35:45.370833 0.004182
> > 2016/03/01.18:35:45.371048 0.006204
> > 2016/03/01.18:35:45.389638 0.003608
> > 2016/03/01.18:35:45.389874 0.006610
> > 2016/03/01.18:35:45.783550 0.102185 102.185000
> > 2016/03/01.18:35:45.981787 0.000345 0.345000
> > 2016/03/01.18:35:46.341460 1.792576 100.419898 100.418047
> > 2016/03/01.18:35:46.596191 0.000000
> > 2016/03/01.18:35:46.716520 0.000000
> > 2016/03/01.18:35:46.903525 0.000000
> > 2016/03/01.18:35:46.946131 1.502750 470.739594 470.732813
> > 2016/03/01.18:35:48.365561 1.987141 92.444414 79.240289
> > 2016/03/01.18:35:48.449544 0.195982 16.331833 21.804000
> > 2016/03/01.18:35:48.517958 0.000000
> > 2016/03/01.18:35:48.746586 0.000000
> >
> >
> > Then, if it is all still odd and you can send some of your argus data, I can test to see what could be the problem.
> > Carter
> >
> >
> > > On Mar 1, 2016, at 5:43 PM, John T. Myers <myersj0 at gmail.com> wrote:
> > >
> > > I'm using 3.0.8.1.
> > >
> > > I've enabled both -JZ and both fields are still blank.
> > >
> > > I enabled spkts and dpkts, and many records have > 1 packet, still getting blank for all the other fields.
> > >
> > > On Tue, Mar 1, 2016 at 5:36 PM, Carter Bullard <carter at qosient.com> wrote:
> > > Hey John,
> > > What version of argus are you using ???
> > > You will get blanks for the SIntPkt and DIntPkt fields if there isn't more than 1 packet in the flow record.
> > > Try printing out at least the spkts and dpkts fields to see that you are getting multiple packets.
> > >
> > > You are not turning on source packet size reporting, which needs the -Z option, so do you mean +dintpkt instead of +spktsz ?????
> > >
> > > Carter
> > >
> > >> On Mar 1, 2016, at 5:29 PM, John T. Myers via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> > >>
> > >> Hi,
> > >>
> > >> I'm trying to enable SIntPkt and other similar metrics on live collection against an interface.
> > >>
> > >> Which Argus options enable this? I've tried -J but it does not work.
> > >>
> > >> The two commands I'm using are:
> > >>
> > >> sudo /usr/local/sbin/argus -i en0 -P 1776 -J
> > >>
> > >> and then trying...
> > >>
> > >> ra -A -S 127.0.0.1:1776 -s +sintpkt +spktsz
> > >>
> > >> The additional fields I'm trying to capture are blank, though.
> > >>
> > >> Thanks!
> > >> John
> > >
> > >
> >
> >
>
>
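The thread resolves when a second argus, started without -JZ, turns out to be the process answering ra on port 1776, so the freshly started collector never gets asked. The check below is an added example, not code from the thread or from the argus project: it lists which PIDs own the collector port and which running argus processes lack the -J and -Z flags. The port 1776 and the -XJZ flags come from the thread; the column layouts assumed are those of iproute2 `ss -ltnp` and `ps -eo pid,args`, and both sample outputs are constructed so the functions run without root or a live argus.

```shell
#!/bin/sh
# Added example (not from the thread or the argus project): before trusting
# blank SIntPkt/DIntPkt columns, confirm which process actually owns the
# collector port and whether every running argus was started with -J and -Z.
# Assumes the `ss -ltnp` and `ps -eo pid,args` column layouts shown in the
# constructed samples below. Both functions take their input as text so they
# can be exercised on those samples without root or a live collector.

# PIDs of every process listening on TCP port $2, from `ss -ltnp` output in $1.
# More than one PID, or an unexpected one, means another collector can be the
# process answering ra on that port.
pids_listening_on() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            # users:(("argus",pid=4242,fd=5)) -> 4242 (possibly several PIDs)
            line = $0
            while (match(line, /pid=[0-9]+/)) {
                print substr(line, RSTART + 4, RLENGTH - 4)
                line = substr(line, RSTART + RLENGTH)
            }
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# PIDs of argus processes whose single-letter flags lack J or Z, from
# `ps -eo pid,args` output in $1. Such a collector answers ra with empty
# inter-packet and packet-size fields no matter what ra is asked to print.
# Only the first word of the command line is matched, so an argus started
# under sudo is found via the child argus process, not the sudo parent.
argus_without_jz() {
    printf '%s\n' "$1" | awk '
        $2 ~ /(^|\/)argus$/ {
            flags = ""
            for (i = 3; i <= NF; i++)
                if ($i ~ /^-[A-Za-z]+$/) flags = flags substr($i, 2)
            if (flags !~ /J/ || flags !~ /Z/) print $1
        }' | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample output shaped like the thread's situation: an older
# argus (PID 4242) started without -JZ owns 127.0.0.1:1776, while the
# freshly started -XJZ instance (PID 5177) exists but does not hold the socket.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      127.0.0.1:1776     0.0.0.0:*         users:(("argus",pid=4242,fd=5))'

PS_SAMPLE='  PID COMMAND
  812 /usr/sbin/sshd -D
 4242 /usr/local/sbin/argus -i en0 -P 1776
 5177 /usr/local/sbin/argus -XJZ -P 1776
 6001 ra -S 127.0.0.1:1776 -s stime dur sintpkt dintpkt spkts dpkts'

demo() {
    echo "listening on 1776:   $(pids_listening_on "$SS_SAMPLE" 1776)"
    echo "argus without -J/-Z: $(argus_without_jz "$PS_SAMPLE")"
}

# Live use on the collector host (needs ss and ps):
#   pids_listening_on "$(ss -ltnp 2>/dev/null)" 1776
#   argus_without_jz "$(ps -eo pid,args)"
demo
```

If the PID owning the port is not the argus you just started, kill the stale one or pick another port with -P; the same mismatch is why the `argus -XJZ -w - | ra ...` pipeline in the thread works, since it bypasses the socket entirely.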