From eric at qosient.com Mon Feb 11 13:27:33 2019 From: eric at qosient.com (Eric Kinzie) Date: Mon, 11 Feb 2019 13:27:33 -0500 Subject: [ARGUS] Invert sorting using RA_SORT_ALGORITHMS ? In-Reply-To: References: Message-ID: <20190211182733.GB72609@new-host-3.home> On Mon Feb 11 12:57:46 -0500 2019, Drew Dixon wrote: > Hi there, > > Somewhat straightforward question here, but was unable to find it in the > docs (forgive me if I missed it) but is there a way to invert the sort on a > field using the RA_SORT_ALGORITHMS="field" parameter? > > I'm looking to do this with ratop...and would like to sort based on flow > duration (runtime) however it seems to sort in ascending order of flow > duration by default so I'm just stuck with a ton of 0.000 flows at the top > of ratop rather than what I desire which would be descending order so I can > see the longest running flows at the top. > > RA_SORT_ALGORITHMS="runtime" > > Just for fun I tried RA_SORT_ALGORITHMS="-runtime" but that's not supported > it seems. > > Thanks! > > -Drew If you press 'v' in ratop the sort order will be reversed. Not sure if there is a way to specify order with RA_SORT_ALGORITHMS. Eric From argus-info at lists.andrew.cmu.edu Wed Feb 27 14:01:13 2019 From: argus-info at lists.andrew.cmu.edu (Reed, Joel via Argus-info) Date: Wed, 27 Feb 2019 19:01:13 +0000 Subject: [ARGUS] ARGUSBug Argus server occasionally generates an invalid meter DSR in a flow record Message-ID: >Description: The Argus server occasionally generates a flow record with a meter DSR that is not properly parsed by the ra client. This causes the packet, byte, and appbytes counts to be incorrect, usually containing at least some count values from the previous flow record. Below I have included a partial dump of the of the problematic flow record. The meter DSR subtype 0x04 (includes app bytes) has a qualifier of 0x00. The meter DSR parser (common/argus_client.c:~2223) does not have a case to process a meter DSR subtype 0x04, qualifier of 0x00. Partial hex dump of the flow record: 01: 13 20 00 39 -- Type 0x10 (FAR), version 3, 0x20 continuation, length 0x39 02: 01 03 00 03 -- Transport DSR 03: 00 00 00 00 | 04: e1 12 61 ff | 05: 02 01 01 05 -- Flow DSR 06: a0 5b 56 4a | 07: a0 5b 5e a9 | 08: 06 00 03 ff | 09: 08 01 00 00 | 0a: 03 02 18 05 -- Time DSR 0b: 5c 76 ad d0 | 0c: 00 07 88 2f | 0d: 5c 76 ad f0 | 0e: 00 05 41 67 | 0f: 10 04 00 05 -- Meter DSR, subtype 0x04, qualifier 0x00, length 0x05 10: 30 00 00 01 | 11: 40 00 01 02 | 12: 01 f4 00 00 | 13: 48 00 01 02 | 14: 30 05 00 1e -- Network DSR 15: ... >How-To-Repeat: Unknown. We see approximately one of these per hour. >Fix: Unknown. >Originator: Joel Reed > >Organization: ORNL >ARGUS support: none >Release: argus-3.0 >Product: argus >Synopsis: Argus server occasionally generates an invalid meter DSR in a flow record >Class: sw-bug >Severity: non-critical >Priority: low >Environment: ARGUS: Argus Version 3.0.8.2 RA: Ra Version 3.0.8.2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From carter at qosient.com Wed Feb 27 14:14:20 2019 From: carter at qosient.com (carter at qosient.com) Date: Wed, 27 Feb 2019 14:14:20 -0500 Subject: [ARGUS] ARGUSBug Argus server occasionally generates an invalid meter DSR in a flow record In-Reply-To: References: Message-ID: <471AF488-9279-4082-9794-A954AD4AAB47@qosient.com> Hey Joel, Can you send a binary argus file that has one of the records in it ??? Is this record coming directly from argus or is it coming from a client ? radium.1 ??? There is a lot of data compression going on with the Meter DSR, and the client library will attempt to pack the metrics into as little space as possible, such that, if all the values are less than 256, then all the metrics are reported as a char array. I suspect that the Meter DSR has been compressed, but the final type description is getting dropped. What do the argus-clients do with this record ? do they print out anything at all or do they jump past this DSR ??? Hope all is going well down in Tennesseeeeeeeeeee land !!!! Carter > On Feb 27, 2019, at 2:01 PM, Reed, Joel via Argus-info wrote: > > >Description: > The Argus server occasionally generates a flow record with a meter DSR that is not properly parsed by the ra client. This causes the packet, byte, and appbytes counts to be incorrect, usually containing at least some count values from the previous flow record. Below I have included a partial dump of the of the problematic flow record. The meter DSR subtype 0x04 (includes app bytes) has a qualifier of 0x00. The meter DSR parser (common/argus_client.c:~2223) does not have a case to process a meter DSR subtype 0x04, qualifier of 0x00. > > Partial hex dump of the flow record: > > 01: 13 20 00 39 -- Type 0x10 (FAR), version 3, 0x20 continuation, length 0x39 > 02: 01 03 00 03 -- Transport DSR > 03: 00 00 00 00 | > 04: e1 12 61 ff | > 05: 02 01 01 05 -- Flow DSR > 06: a0 5b 56 4a | > 07: a0 5b 5e a9 | > 08: 06 00 03 ff | > 09: 08 01 00 00 | > 0a: 03 02 18 05 -- Time DSR > 0b: 5c 76 ad d0 | > 0c: 00 07 88 2f | > 0d: 5c 76 ad f0 | > 0e: 00 05 41 67 | > 0f: 10 04 00 05 -- Meter DSR, subtype 0x04, qualifier 0x00, length 0x05 > 10: 30 00 00 01 | > 11: 40 00 01 02 | > 12: 01 f4 00 00 | > 13: 48 00 01 02 | > 14: 30 05 00 1e -- Network DSR > 15: ... > > >How-To-Repeat: > Unknown. We see approximately one of these per hour. > > >Fix: > Unknown. > > >Originator: Joel Reed > > >Organization: > ORNL > >ARGUS support: none > >Release: argus-3.0 > >Product: argus > >Synopsis: Argus server occasionally generates an invalid meter DSR in a flow record > >Class: sw-bug > >Severity: non-critical > >Priority: low > > >Environment: > > ARGUS: Argus Version 3.0.8.2 > RA: Ra Version 3.0.8.2 > -------------- next part -------------- An HTML attachment was scrubbed... URL: From argus-info at lists.andrew.cmu.edu Wed Feb 27 15:56:36 2019 From: argus-info at lists.andrew.cmu.edu (Reed, Joel via Argus-info) Date: Wed, 27 Feb 2019 20:56:36 +0000 Subject: [ARGUS] ARGUSBug Argus server occasionally generates an invalid meter DSR in a flow record In-Reply-To: <471AF488-9279-4082-9794-A954AD4AAB47@qosient.com> References: <471AF488-9279-4082-9794-A954AD4AAB47@qosient.com> Message-ID: Hey Carter, I have attached a binary argus file with the problem record. It was captured directly from Argus. When the record has been put in a file by itself, the bytes and packets are 0 like below. When the record is in the file with another record before it, the client prints the bytes and packet values from the previous record. $ ra -r prob_rec.argus StartTime Flgs Proto SrcAddr Sport SrcPkts SrcBytes Dir DstAddr Dport DstPkts DstBytes State 2019-02-27T10:33:36.493615 EST * * tcp 160.91.94.169.2049 0 0 ? 160.91.86.74.1023 0 0 CON All is well here. Hope all is well with you! Thanks, Joel On Feb 27, 2019, at 2:14 PM, carter at qosient.com wrote: Hey Joel, Can you send a binary argus file that has one of the records in it ??? Is this record coming directly from argus or is it coming from a client ? radium.1 ??? There is a lot of data compression going on with the Meter DSR, and the client library will attempt to pack the metrics into as little space as possible, such that, if all the values are less than 256, then all the metrics are reported as a char array. I suspect that the Meter DSR has been compressed, but the final type description is getting dropped. What do the argus-clients do with this record ? do they print out anything at all or do they jump past this DSR ??? Hope all is going well down in Tennesseeeeeeeeeee land !!!! Carter On Feb 27, 2019, at 2:01 PM, Reed, Joel via Argus-info > wrote: >Description: The Argus server occasionally generates a flow record with a meter DSR that is not properly parsed by the ra client. This causes the packet, byte, and appbytes counts to be incorrect, usually containing at least some count values from the previous flow record. Below I have included a partial dump of the of the problematic flow record. The meter DSR subtype 0x04 (includes app bytes) has a qualifier of 0x00. The meter DSR parser (common/argus_client.c:~2223) does not have a case to process a meter DSR subtype 0x04, qualifier of 0x00. Partial hex dump of the flow record: 01: 13 20 00 39 -- Type 0x10 (FAR), version 3, 0x20 continuation, length 0x39 02: 01 03 00 03 -- Transport DSR 03: 00 00 00 00 | 04: e1 12 61 ff | 05: 02 01 01 05 -- Flow DSR 06: a0 5b 56 4a | 07: a0 5b 5e a9 | 08: 06 00 03 ff | 09: 08 01 00 00 | 0a: 03 02 18 05 -- Time DSR 0b: 5c 76 ad d0 | 0c: 00 07 88 2f | 0d: 5c 76 ad f0 | 0e: 00 05 41 67 | 0f: 10 04 00 05 -- Meter DSR, subtype 0x04, qualifier 0x00, length 0x05 10: 30 00 00 01 | 11: 40 00 01 02 | 12: 01 f4 00 00 | 13: 48 00 01 02 | 14: 30 05 00 1e -- Network DSR 15: ... >How-To-Repeat: Unknown. We see approximately one of these per hour. >Fix: Unknown. >Originator: Joel Reed > >Organization: ORNL >ARGUS support: none >Release: argus-3.0 >Product: argus >Synopsis: Argus server occasionally generates an invalid meter DSR in a flow record >Class: sw-bug >Severity: non-critical >Priority: low >Environment: ARGUS: Argus Version 3.0.8.2 RA: Ra Version 3.0.8.2 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: prob_rec.argus Type: application/octet-stream Size: 356 bytes Desc: prob_rec.argus URL: