Difference between record and trans?

Jesse Bowling via Argus-info argus-info at lists.andrew.cmu.edu
Wed Jan 11 20:59:06 EST 2017 

Hi,

I was working with racount, with the intention of using it to generate summary statistics what could later be aggregated, and found something odd. First I found that apparently at least some of the ra options for formatting aren’t effective with racount (specifically, I wanted to generate “CSV” formatted data, and the client appears to ignore the options provided in ./support/Config/excel.rc ). While then comparing the performance of racount v/s racluster (which does respect formatting options) I found an odd inconsistency:

# time racluster -m proto -r cooked_data_tag.argus -s proto trans:20 pkts:20 spkts:20 dpkts:20 bytes:20 sbytes:20 dbytes:20
 Proto                Trans              TotPkts              SrcPkts              DstPkts             TotBytes             SrcBytes             DstBytes
   udp              3191659              7003372              3499666              3503706           1389726491            380807954           1008918537
   tcp               297920             21915099              7519746             14395353          17408556156           1823768894          15584787262
  icmp                31380                69180                34807                34373              5328628              2666022              2662606

real	0m5.328s
user	0m5.207s
sys	0m0.118s
# time racount -M proto -r cooked_data_tag.argus
racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
    sum   2965835     28987651       11054219       17933432       18803611275        2207242870         16596368405
Protocol Summary
   icmp   24813       69180          34807          34373          5328628            2666022            2662606
    tcp   193869      21915099       7519746        14395353       17408556156        1823768894         15584787262
    udp   2747152     7003372        3499666        3503706        1389726491         380807954          1008918537

real	0m2.716s
user	0m2.592s
sys	0m0.122s
#

While most of the data agrees between these two clients, the "records" field of racount does not agree with the "trans" field of racluster/ra. Which leads me to ask the questions: is this expected, and if it is, how are these fields calculated (what do they represent)? How does racount arrive at it's data so much more quickly than racluster, and what options might tune racluster to perform similarly? How difficult would it be to add support to racount for the formatting options available in ra? :)

Cheers,

Jesse

--
Jesse Bowling

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 204 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20170111/e4daf038/attachment.sig>

More information about the argus mailing list