[ARGUS] Question about Flow features

Carter Bullard carter at qosient.com
Thu Mar 4 18:56:41 EST 2021


Hey Kolja,
Seems that you’re using the tools as intended, sorry you’re not getting the numbers you want …
The current implementation of open source argus supports reporting the max and min packet size seen.  This is there to find things like MTU failure.   We currently aren’t calculating packet size mean/stdev, but that would be easy to add, as the mechanics are already in argus to do this.

For inter packet arrival times, however all the metrics you’re interested in are in the records, if you configure argus to generate them (it doesn’t do that by default).
sintpkt and dintpkt print the mean inter packet arrival times for any flow, the rest of them are printed using names like sintpktmax, sintpktmin … for every type of inter packet arrival we process, (active, idle, flow) (see ra.1 man page) …the stddev is in the records (n, sums of squares) but I don’t see a printing routine for them … that could easily be added to the clients in a short time, so that may need to be done …

Packet size and inter packet arrival time frequency distributions support is already in the open source client software, waiting for argus to generate the numbers … if there is a big interest we can put that into argus-3.0.8.3 (intended for release as argus-3.0.8.4 this year).   As you can surmise, it has not been a hot item in the group, so its development is on a slow path.

Some of the features you're looking for are in the commercial extensions to argus … but that doesn’t mean the open source project can’t implement them … it's all about demand on the mailing list …. If the inter packet arrival times are working for you and all you need is stdev, then I can add that and put it into the argus-3.0.8.3 distribution for testing …

If max and min packet size isn’t enough, let's put mean and stdev into the structs in the short term.
The frequency distribution reporting for open source argus will take until end of spring to get to ...

Carter

> On Mar 2, 2021, at 12:55 PM, Kolja Straub via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hi,
> 
> I hope you're all good.
> 
> I currently have some difficulties generating some flow features I want.
> 
> 1.
> Is there a possibility to get the standard deviation of packet sizes for the standard flows that ra generates?
> I only found smeanpkts as a flow field so I wonder if there is the same for standard deviation, but unfortunately I did not find one.
> The same would be useful for inter arrival time of packets.
> In both cases I tried generating them myself using racluster with aggregation key none (to keep the flows as they are) and RACLUSTER_AGG_METRIC on different attributes (bytes for the packet size, sintpkt for the interarrival times), but it didn't work out.
> 
> 2. 
> Is it possible to get a distribution of packet sizes in a flow or the size of the first packet? For example, 5 packets of size 200 and 4 of size 100 and first packet has size 100.
> These are some flow features I found in some papers but I don't have an idea how to get it if it's even possible.
> 
> In both cases I wanted to ask if this is possible with the standard clients or if it would be necessary to change something in the code to get what I want.
> 
> Thanks in advance
> Kolja
> 
> 
> _______________________________________________
> argus mailing list
> argus at qosient.com
> https://pairlist1.pair.net/mailman/listinfo/argus

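The mechanics Carter describes (argus keeps n, sum and sum of squares per metric in the record; the client derives mean and stdev from them) and the two features Kolja asks for that argus does not report (a packet-size frequency distribution and the size of the first packet), worked through in Python as an added example. This is not argus or ra code. The packet trace is constructed; the field names smeanpkts, sintpkt, sintpktmin and sintpktmax follow the thread, while sminsz, smaxsz, sstdpkts and sintpktstd are assumed or hypothetical labels, not names taken from ra.1. Only same-direction ("active") inter-packet gaps are accumulated here; the idle and flow variants Carter mentions are not modelled.

```python
"""Flow-feature accumulators in the style the thread describes: argus keeps
per-metric state (n, sum, sum of squares, min, max) in the record and the
client derives mean and stdev. Added illustration, not argus or ra code;
the packet trace below is constructed."""
from collections import Counter
from dataclasses import dataclass, field
from math import sqrt
from typing import Dict, List, Optional, Tuple


@dataclass
class RunningStats:
    """Streaming accumulator: enough state to recover min, max, mean, stdev."""
    n: int = 0
    total: float = 0.0
    sumsq: float = 0.0
    lo: float = float("inf")
    hi: float = float("-inf")

    def add(self, x: float) -> None:
        self.n += 1
        self.total += x
        self.sumsq += x * x
        self.lo = min(self.lo, x)
        self.hi = max(self.hi, x)

    @property
    def mean(self) -> float:
        return self.total / self.n if self.n else 0.0

    @property
    def stdev(self) -> float:
        # Population stdev from (n, sum, sum of squares). A constant series can
        # yield a tiny negative variance through rounding, so clamp before sqrt.
        if self.n < 2:
            return 0.0
        var = self.sumsq / self.n - self.mean * self.mean
        return sqrt(max(var, 0.0))


@dataclass
class FlowFeatures:
    """Per-direction packet-size and inter-packet-arrival accumulators, plus
    a size histogram and the first packet's size (not reported by argus)."""
    size: Dict[str, RunningStats] = field(
        default_factory=lambda: {"src": RunningStats(), "dst": RunningStats()})
    intpkt: Dict[str, RunningStats] = field(
        default_factory=lambda: {"src": RunningStats(), "dst": RunningStats()})
    size_hist: Dict[str, Counter] = field(
        default_factory=lambda: {"src": Counter(), "dst": Counter()})
    first_size: Optional[int] = None
    last_ts: Dict[str, int] = field(default_factory=dict)

    def add_packet(self, ts_us: int, direction: str, size: int) -> None:
        """Feed one packet: timestamp in microseconds, 'src'/'dst', bytes."""
        if self.first_size is None:
            self.first_size = size
        self.size[direction].add(size)
        self.size_hist[direction][size] += 1
        if direction in self.last_ts:  # active gap: same direction as last pkt
            self.intpkt[direction].add(ts_us - self.last_ts[direction])
        self.last_ts[direction] = ts_us

    def report(self) -> Dict[str, float]:
        """Source-side fields. smeanpkts/sintpkt/sintpktmin/sintpktmax are the
        names used in the thread; sminsz/smaxsz are assumed names for the
        min/max size argus already reports; the *std keys are hypothetical."""
        s, si = self.size["src"], self.intpkt["src"]
        return {
            "sminsz": s.lo, "smaxsz": s.hi,             # assumed ra names
            "smeanpkts": s.mean, "sstdpkts": s.stdev,   # sstdpkts: hypothetical
            "sintpkt": si.mean, "sintpktmin": si.lo, "sintpktmax": si.hi,
            "sintpktstd": si.stdev,                     # hypothetical name
            "first_pkt_size": self.first_size,
        }


# Constructed trace: (timestamp in µs, direction, bytes). The source side sends
# 4 packets of 100 bytes and 5 of 200, first packet 100, as in the question.
PACKETS: List[Tuple[int, str, int]] = [
    (0, "src", 100), (5000, "dst", 60), (10000, "src", 200), (20000, "src", 200),
    (25000, "dst", 60), (40000, "src", 100), (45000, "dst", 60), (50000, "src", 200),
    (70000, "src", 100), (80000, "src", 200), (100000, "src", 100), (110000, "src", 200),
]


def build_flow(packets: List[Tuple[int, str, int]]) -> FlowFeatures:
    """Run the accumulators over a packet list and return the flow state."""
    flow = FlowFeatures()
    for ts_us, direction, size in packets:
        flow.add_packet(ts_us, direction, size)
    return flow


if __name__ == "__main__":
    f = build_flow(PACKETS)
    for key, value in f.report().items():
        print(f"{key:>15}: {value}")
    print("src size histogram:", dict(f.size_hist["src"]))
```

The stdev here is the population form, which is what falls out directly of (n, sum, sum of squares); a client wanting the sample form divides by n-1 instead. Keeping only the five accumulator fields per metric is the point: the record stays fixed-size however many packets the flow carries, and a histogram is the one feature above that cannot be folded into a constant-size struct.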