Argus RA generated field description

Carter Bullard carter at qosient.com
Sun Jul 16 10:41:55 EDT 2017 

Oh, and I forgot to mention stcpmax and dtcpmax.  This is specific to TCP and is the maximum bandwidth 
possible given the window size and the tcprtt that is calculated from the syn/synack/ack setup.
You have a theoretic maximum based on the TCP bandwidth product, for both directions.

Carter

> On Jul 16, 2017, at 10:37 AM, Carter Bullard <carter at qosient.com> wrote:
> 
> Hey An,
> Please keep email on the list, if you don’t mind.
> Are you using all these fields ??  That’s pretty cool if you are …
> 
> Many of these fields are/should be self explanatory, as they are simple variations of other fields that are discussed.
> Examples are SrcDur and DstDur.  These are the duration fields but specific to the source and dst sides of the flow.
> 
> Generally if it starts with an ’s' or ‘d', its the source and destination metric of something.  If it starts with a ‘p’, it is
> almost always a “percent” metric.  If it has a [ ‘max’, ‘min’] its usually the max / min of a metric over the file/set of data.
> If it has an “act’ or ‘idl’, these refer to active and idle times, which are reported in the Jitter support (packet dynamics),
> and lastly If it has ‘dd’ or ‘ds’ the first ‘d’ is for ‘delta'.  These may be intended for apps like ratop., maybe not ra.1.
> An example is ‘idle’, which needs state to be calculated.  Ratop.1 has the state to calculate that metric.
> 
> While Argus is used by a large number of groups/sites/people, the open source project is not financially supported.
> As a result, the work is always in progress.  If the fields are in the man pages, they are “done”, if they aren’t, 
> it generally means that there is something missing in the implementation.  All of these fields are in (or are derivable) 
> from the data in argus records, but we may not have complete support for printing, graphic, filtering, sorting, analyzing, etc …
> 
> You should be able to divine the meaning looking at the source code for many of these fields, unless they are placeholders.
> 
> Some of these fields are pretty esoteric, and may relate to specific protocols, like jdelay and ldelay.  These are
> the ‘join delay’ and ‘leave delay’ for multicast IGMP.  See a request to join a multicast group, how long did it take
> to see traffic from the multicast address ...
> 
> If you are just trying to put a face to all the names, please stick to the fields that are in the man pages.
> If you are interested in helping, pick a few of the fields, ones you want to use, and we’ll can discuss,
> unless you want to implement them, then we’ll be most grateful.
> 
> Hope all is most excellent,
> Carter
> 
>> On Jul 16, 2017, at 7:09 AM, Tran, An - 0558 - MITLL <atran at ll.mit.edu <mailto:atran at ll.mit.edu>> wrote:
>> 
>> Hi Carter,
>>  
>> Thank you for the quick response.  Below are the fields that I am unable to find the description for.  Perhaps I have missed it in the man page:
>>  
>> sEnc
>> dEnc
>> Bssid      
>> Ssid
>> SrcStartTime      
>> SrcLastTime        
>> SrcDur   
>> DstDur  
>> DstStartTime      
>> DstLastTime       
>> Usually zero
>> RelTime                
>> SIntPktMax        
>> SIntPktMin
>> DIntPktMax        
>> SIntPktMin         
>> SIPActMax          
>> SIPActMin           
>> DIPActMax         
>> DIPActMin          
>> SIPIdlMax            
>> SIPIdlMin             
>> DIPIdlMax           
>> DIPIdlMin
>> Response
>> dlDur     
>> dlsTime 
>> dllTime 
>> dsPkts   
>> ddPkts  
>> dsPkts   
>> ddPkts  
>> dsBytes 
>> ddBytes               
>> pdsPkt  
>> pddPkt 
>> pdsByte               
>> pddByte
>> JDelay   
>> LDelay   
>> Bins        
>> STcpMax              
>> DTcpMax
>>  
>> -------------
>> An Tran
>> MIT Lincoln Laboratory
>> Group 58: Cyber Analytics & Decision Systems
>> 781-981-8232 <tel:781-981-8232> (w)
>> 781-879-0468 <tel:781-879-0468> (m)
>> atran at ll.mit.edu <mailto:atran at ll.mit.edu>
>>  
>> From: Carter Bullard [mailto:carter at qosient.com <mailto:carter at qosient.com>] 
>> Sent: Saturday, July 15, 2017 5:21 PM
>> To: Tran, An - 0558 - MITLL <atran at ll.mit.edu <mailto:atran at ll.mit.edu>>
>> Cc: argus-info at lists.andrew.cmu.edu <mailto:argus-info at lists.andrew.cmu.edu>
>> Subject: Re: [ARGUS] Argus RA generated field description
>>  
>> Hey An,
>> The man pages are pretty lengthy ... Is there something specific that you are interested in ???
>> Carter
>>  <http://qosient.com/>	
>>  
>> Carter Bullard  <mailto:carter at qosient.com>• CTO
>> 150 E 57th Street Suite 12D
>> New York, New York 10022-2795
>> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>> 
>> On Jul 15, 2017, at 4:34 PM, Tran, An - 0558 - MITLL <atran at ll.mit.edu <mailto:atran at ll.mit.edu>> wrote:
>> 
>> Hello,
>>  
>> I am wondering if there are detailed description on the fields that are generated from running RA?  I have checked the wiki and I see some fields that are documented but many are missing. 
>>  
>> Thanks,
>>  
>> --An 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20170716/189d4dd8/attachment.html>

More information about the argus mailing list