<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">@ 3.5Gbps we'll tickle the 64-bit counters in argus with a 30s flow duration ... should not be a problem but .... very interesting regarding LBL_ALIGN not being defined ... maybe a real hint ...<div><br></div><div>Carter<br id="lineBreakAtBeginningOfSignature"><div dir="ltr"><table id="sig" width="360" cellspacing="0" cellpadding="0" border-spacing="0" class="" style="font-family: UICTFontTextStyleBody; -webkit-text-size-adjust: auto; font-size: 13pt; width: 360px; margin: 0px; padding: 0px;"><tbody class=""><tr class=""><td width="142" class="" style="width: 142px; margin: 0px; padding: 0px;"><a href="http://qosient.com/" title="QoSient" class="" style="text-decoration: none; border: none; color: rgb(149, 79, 114);"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAR8AAABdCAYAAACcsGKeAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAACy9JREFUeNrsndt140YShmt85n2RgbERCI5gMBEMNgLBEZiOQHAEtCOgHIFGEZCKgNoIyI2AzMArnGkcy5jqC9DVF4D/dw4eRElEo6vr7+oLqokAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMBN8CGTctSaz1/frivMlJTi7apGn53VBcBixKdW193bVTKNWsfQ2F/eroO6QDixad+uT8pWheFvX9U12OUs2Ebe2/4RZgFzaN6u3dt1ebv+EryelJMUqGIRSmUnH5scBWzSjb5zD9OAqb1n34hOwoLDXRflNCWqXczhJWyynWkTiA/wasiXCKLDXTtEQpM7iWPgjqGB+IAY8zmukc5e9Yyt+r/S8J2NapBPjqLW/80G5rBSWex1Ujbi7FMpu2wdxKuD+ICQbCPO0dSOc0h7REHGiOdiEJ12xnyRbpgN8QHJwvZQ8zHDqszJEgVVMNN3HA228mVsE4gPiB627ynOJHBB9gnTFubSOneoOhpEaKr41Op/hgu2y48yZadeGcL2S6IGU1qiMDTib3XE1c02YMeAyHN9beiSKiI1Cc+R0i957yBAk+rmCH8CM6ZZ9ilufqH8J3hbgwA1N9x4ONvV8Ckwo/OKLj4hJypjCdCtTkLXxK9sAeA64km2ELA1RDy50hqGh7e2DN9RvLkesP7Oa5/qxkty4o7iTrLmyhNhDgwsUHxOmuFLuWDH++vGhl97wnwPyEh8fnCMHDiR+ZmWk9OlL+tVM5QEACTAJj79kOoX5vOv6loKvfD8qlHzW+798foJyFZ8NpoG+usCn/WR+CRkDzdiay5KxQZAkC3cXM9uwc9T0+3O/XSEDYZAzne853w+Gn7Xb8Yrmc9/W3AF9pHPKyM29+rzGFRMNBkjV/WBifIq1agON+5Y3GsgueYPrxdSTiumHM59hNOOPuvnef6z8IbWMtFbPyT5d6D79SL+RTXuykEgXlQ9hxDDCyN8/T0/Z+Zc9cg2j8L3KEd20c19XVX9PCubSDl5Z/l53EHcqzqpLOV8UXV1negPpcPf/TjSg94uf07o+CZ1cNyQaw2vJhQRhl4l+eetPpL8PpyOZBJ+xRwe7gPYxSddr8Qk/fi7daKzn1nObkI59xQ+w+ik9lVpvmQtcBW+ERK2TthwJ5JbkTO9m9etXHyk7CKRKdPmV51Qu6lyFp+PBvHhQqe18MI4dH9UzO+eczk7B4NfmSFVbemt96psvquM/b37PU9PzO8eVB0saf+Wq+A+OQj4wdEm/ff1+8PulD2k51t2lojXtZylip5/tgxbXyfUY2Vpxzomtacu89BcYl5BcuWnIXN+o536m8IiXhsy5ySSyhywFQzbc458TJk2hxzVlUX4N6RPmjf39SJd5LPTlLOzlLNSz6Jrg3UAnwn2esWe1p2KohAcVrYBnLg2hMNS79PZ5j5SiZCU+OiE5zKzI201zn0UEp8d+SflKzR2vZBM7vRk4lPTuuAcrvA0iHQK2Y1gg5/iUNzermZh4vOkqTefhYVSI2hbz7bXCEe4G5LfnxdNfCQcM3eOngJbahxXehOmLnOk1HtpJbmvAA1DgDJz8dkEjBh1k/a1h39dArQfTnzLpYrP2vCN7vYUb/d3ReGzEE4RoeFZ6wzFhxMH6QwMNfklZjPVqeTUwkXw+yE+mYgPN8/zFLi8vg1+igh15L5HSXo/kq/47CjOfCV3n9bDv0I485YRYYjPwsXnxIhAjGFpR3ETgrXkvg/kJFQWH/EpKF6mzdKjAwoxIexaxgris1zxaSntSuCJ4udhLlUv6nIctu9ku4/4bCjuQgk3r1LM8K8mYnvZ5C4+F+HJqhw5zXzGPaV9Mzy1+LlEQz5J+n3E5xhZmOfaImbHPhbILhfx0eXzedX0fmuCe56zw/+Me9I/Ipf7kSnnl8j3/6yug2H4s6e4qUq4N9NDJ7zjvv9TZu38v7mWTyc+15WLzxzhIU0InyKj41eHcoXmoARIl6K2oHhHZpNG6F4C3/PKtJvcckOdc3XCHxzVsuduReJTzTTSHeOAKXKpPDNimmofVh8J/aSJlocdtzGoHedkpK+SeWaIj/Cwq16R+Hya2UtWkXtWU9ThIqgxG/hnQ7tpI5ThXxl3bGCC+Oga91p2OTeOz2wbrqXMIHfNbFh8VQLE1ckDnB6M+WhoSFy60Ybks8ql6Jk4EZkjPq8Jn+N1FI2WGdTtcErIjqm3KnJ99e30T7j48sSHlOG4XMdLF5975rOvaAqiTv/AiGETWXz+R8hNvchhl84h64WHt4Vm/uEZTUGUJSxBg4zF56zpOX5Z8PNy55CdEfmI8+wwZAUQHyPcMTktLXPlS3f66pRNgufRzymjwMpStpSk2KQ6Xnn8Ee69bPE5aKKfJZ5xzp080E+QPnqIT6oGXmgiuFzI4RwpRFoLFx9d9NP3ut2CnrMhfnn9t4mOMiXxe0hqx2jjljhkYhsgKD69Ubk5kQdaxuTzcKoE56xTT6t4Yb47RQ/7hXmWnE6tTLEf7FXT6YAFi0+P7v2dPeW98bAg/UFvc46hOWTSwBuHcqUWfIpcRm6v1j1cfPniM5z3xDl3rgJkerP695nOcGWiwNirfy1T37ltpuOGPOcI931mRLqEm68DXY5fqeTcksJzNJTV17FSnWnWP9eJ0uYTcoHLldQ6/m9HfpkMLxQp6ZUHMfP51EL1UedQryanzqGXKQ1llEokvie55FlT2JJfGtUYZWzJL01oR/I5nDcQn3WIT2Fx7jpxuG86ObQKZNAY0R/n1FMbwCWwIxaaqGdKWg1f8dEdbRNDeCvH+6xBfE6pnNwkQCmOVi7IfgSwdOPbRhSgRuiZpA81tEWEc6LNjsKc2xU6Ot1M6HzXID5J87rbBOgUKQpqyZzYPFSj0z2/tAC1mudqZ3wX10lIHaS3E+qIOiFn0Qmh9OpkObrXLYlPmVqAbNni9hRmOdomOhLH47o0vEug4acpmpubHTDEmeymObY5DV1KfEyd41ZAdAvizzdbq/gUFPfYptkNRhcJbT2dslGO53KgnUQDcx3nXwzOV88wcmv4Tp+0pLYTJ7YTxLq0DHXnRoBS4mPqHN6fM1bMsPfW8L1rFR8ifqW1cLRDRwHnGyvLMIxzzK0qVKMq6f3VqN/tyP3guqFC6sjia3v2QXgbjXPXyhFswrqNZKOTKks3skmrPjs62GCu8EuKjy0yG0R3R/oXpoe26HJumatzLVV8OtKfWFsy992MRkZdaEd0GQ6FuKROzAw5BJ17Sc9VtOR+HPLUa+cZcUqLT2jbDGWcMrxfqvjY5nltVxfLGVvPgrpeT5TXOzy1sPj6OrOpIW0Ey3oSskMI8Xk/bJe0zXHmMy9VfGzTDNmIz3iMfBIWnA3lvXW+nThc5IYCsZ6v8YgMTsQnactRfCQ6xsE2PkP7JYvPnEjyRMyixofIDlnS3xuxPhF/yuSY/m3lM307S+xAy8vLWyjnvnv37AXzjP17Yy8ZPGNjsc97e3wl+VQe5Uh0rxQuXUj5zjalRlAOqgyS7a9m7hGy/VWB6rP/3nv6Pr3yWV0vgdqIKNtIcx0AAMD2uKYl6xJVBAAIOSwzjcVj7d0BANwoHZkn/DqIEAAgZBRkWy3qVx18Xp9oIGIAAJNA2Jbph6W8Ka8GDC9CdqhiAOLzYUFlbYk/hnfMsJT4Qt8vKw5LyMMKWv+7z5RX8nUAQMYiJLFzekp2PQAA+EcU4/qGe+zEUgCAG2FIteH6CkeLKgMAhIiINkqMuOFZhyoCID0fbuQ5a/o2v1PS9FNKAQAAAAAAAAAAAAAAAAAAAAAAAAAASM3/BRgAaVGndQa4eeAAAAAASUVORK5CYII=" alt="QoSient" class="" style="border: none; height: 48px; line-height: 48px; font-size: 48px; font-family: 'Gill Sans', sans-serif; color: rgb(0, 0, 0);" data-unique-identifier=""></a></td><td width="20" class="" style="width: 16px; min-width: 16px; max-width: 16px; margin: 0px; padding: 0px;"> </td><td class="" style="margin: 0px; padding: 0px; border-collapse: collapse;"><table id="sig2" cellspacing="0" cellpadding="0" border-spacing="0" class=""><tbody class=""><tr class=""><td class="" style="white-space: nowrap; font-family: 'Gill Sans Light', sans-serif;"><a href="mailto:carter@qosient.com" class="" style="text-decoration: none; border: none; color: rgb(149, 79, 114);"><span class="" style="line-height: 16px; font-size: 16px; color: rgb(0, 0, 176);">Carter Bullard</span> </a><span class="" style="line-height: 14px; font-size: 12px;">•</span> <span class="" style="line-height: 14px; font-size: 12px;">CEO</span></td></tr><tr class=""><td class="" style="white-space: nowrap; font-family: 'Gill Sans Light', sans-serif;"><span class="" style="line-height: 14px; font-size: 12px;">250 E 53rd Street Suite 501</span></td></tr><tr class=""><td class="" style="white-space: nowrap; font-family: 'Gill Sans Light', sans-serif;"><span class="" style="line-height: 14px; font-size: 12px;">New York, New York 10022</span></td></tr><tr class=""><td class="" style="white-space: nowrap; font-family: 'Gill Sans Light', sans-serif;"><span class="" style="line-height: 12px; font-size: 12px;">Phone +1.212.588.9133 • Mobile +1.917.497.9494<br></span></td></tr></tbody></table></td></tr></tbody></table></div><div dir="ltr"><br><blockquote type="cite">On Nov 11, 2024, at 1:08 PM, Ming Fu <Ming.Fu@esentire.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><span>Hi Carter,</span><br><span></span><br><span>It happens on machine with 10G and machine with multiple 1G interfaces, however, the total throughput is no more than 3.5G at peak. </span><br><span></span><br><span>Regards,</span><br><span>Ming</span><br><span>-----Original Message-----</span><br><span>From: Carter Bullard <carter@qosient.com> </span><br><span>Sent: Monday, November 11, 2024 11:36 AM</span><br><span>To: Ming Fu <Ming.Fu@esentire.com></span><br><span>Cc: Argus <argus-info@lists.andrew.cmu.edu></span><br><span>Subject: Re: [ARGUS] the packet and byte count are unreasonably high</span><br><span></span><br><span>And one last question … what is the max bandwidth of the links you're monitoring ?  (10 Gbps ??)</span><br><span>Carter</span><br><span></span><br><span></span><br><blockquote type="cite"><span>On Nov 11, 2024, at 11:26 AM, Carter Bullard <carter@qosient.com> wrote:</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Hey Ming,</span><br></blockquote><blockquote type="cite"><span>Important question … what is the status of the LBL_ALIGN variable in your ./include/argus_config.h file ???</span><br></blockquote><blockquote type="cite"><span>On my systems it is defined …</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>  % grep LBL_ALIGN ./include/argus_config.h</span><br></blockquote><blockquote type="cite"><span>  include/argus_config.h:#define LBL_ALIGN /**/</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Carter</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>On Nov 11, 2024, at 10:42 AM, Carter Bullard <carter@qosient.com> wrote:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Hey Ming,</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Based on your earlier email … this should work to generate an argus file with about 24 records in it that would include errant flows as a well as reasonable flows for the same flow ??</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span> % ra -w /tmp/argus.big.counter.flow.out -r argus.vsniff1.2024-10-11-22* - src host 10.61.6.12 and port 62275 </span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>If you can grab even tighter times, if you can get the specific flow between 2024-10-11.22:15:06 - 2024-10-11.22:21:15 </span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>That should catch normal -> errant -> normal for a single flow …</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>All ra* programs can write its output to an argus data file, so by using the filter, you can grab the flows you want and create a manageable file ...</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Carter</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>On Nov 11, 2024, at 10:23 AM, Ming Fu <Ming.Fu@esentire.com> wrote:</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Hi Carter,</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>The problem does not happen often, so unless we search for it on purpose across a large set of archives, we may not see it. We notice the problem mostly because we hit it during a query. I can't reproduce the problem in testing environment.</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Is there a command to extract just the affected connection from the original archive file into a smaller archive? There are barriers other than just the size to share the full archive.</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Regards</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Ming</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>-----Original Message-----</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>From: Carter Bullard <carter@qosient.com> </span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Sent: Monday, November 11, 2024 10:12 AM</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>To: Ming Fu <Ming.Fu@esentire.com></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Cc: Argus <argus-info@lists.andrew.cmu.edu></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Subject: Re: [ARGUS] the packet and byte count are unreasonably high</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Hey Ming,</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>We were working on this issue last year about this same time …. And in June/July (?) you thought we had fixed the problem …</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>No problem, just wanting to know if it went away and then came back ??  Or maybe we were just lucky ??</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Can you share a recent binary file of a record that is tooooo big ??</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Carter</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><span></span><br></div></blockquote></div></body></html>