Barry Kolts | 1 Aug 2008 07:18

Changing Color in ragraph

Hi all,
 
Is it possible to change the colors of the lines and legend in ragraph?
 
Thanks in advance,
Barry
Carter Bullard | 1 Aug 2008 08:03

Re: Changing Color in ragraph

Hey Barry,
The colors are determined by several tables that are hard-coded, but you can
change the colors to anything you like.

The idea is that colors are assigned either by a specific value, such as port
numbers, or they are handed out first come first served.  The color values are
in hard-coded tables, with a color for both upper and lower halves of the graph,
(there is a slightly darker shade for the lower half of the graph for the same color).

So the idea would be to generate tables for your specific value, or change the colors
in the existing tables to suit your particular need.  Check out the Perl script and look at
the colors[] array definitions, and if it's way too weird, send email and I'll describe it
in detail.  If you have a way you would like to specify the color, send that, and I'll see
how I could get it into the current scheme.

Carter


Barry Kolts | 1 Aug 2008 10:33

Re: Changing Color in ragraph

Hi Carter,
 
Thanks for the quick response. I see the colors[] array and those colors are OK. My graphs come out with the same color for 'in' and 'out':
 
I just compiled the 3.0.0 clients. Am I missing a conf file or a parameter?
My command line is:
ragraph sploss dploss -M 1m -r $input_file -split -fill -height 500 -width 800 -upper 100 -title "Packet_Loss" -vertical-label "Percent_Packet_loss" -w $output_file
 
Any thoughts?
 
Thanks,
Barry
Attachment (bandwith_31.png): application/octet-stream, 62 KiB
Carter Bullard | 1 Aug 2008 16:42

Re: Changing Color in ragraph

Hey Barry,
Doesn't appear that the graph you sent was generated by the command line, but if it was,
wow, have we got a lot of bugs to fix ;o)

So, the colors for SrcLoad and DstLoad aren't really the same, they are off by just a little.
Normally the graph would be split, so that you would be graphing the SrcLoad above the
x axis and the DstLoad below the x axis.

Since you are using the "-split" option, we need to change the color assignment strategy?
Don't like the split option?

Carter


Barry Kolts | 2 Aug 2008 02:26

Re: Changing Color in ragraph

Hi Carter,
 
Thanks for your response. I'm sure there aren't a lot of bugs to fix or there would be more complaints than mine. It is something I am doing wrong.  You are probably right about the graph not being generated by the command line I sent. Today we ran some of the reports I had created that worked under rc34 and almost all of them were broken. So I did something wrong when I compiled 3.0.0 or misconfigured something. I'll have to do some investigating and see where I went wrong. Thanks for your help.
 
Have a great weekend,
Barry

Terry Burton | 5 Aug 2008 12:35

Possible to filter on src vid != dst vid?

Hi

I am beginning to use Argus to investigate inter-subnet traffic flows
on our network (roughly speaking one /16 divided into ~150 /24s), most
recently with regard to analysing packet loss with variants of the
following command:

ratop -m matrix/24 proto -S localhost:562 -S localhost:563 -s+svid -s+dvid -s+loss -s+ploss - \
tcp and src net 123.123.0.0/16 and dst net 123.123.0.0/16

Output as follows:

ratop -S 127.0.0.1:562 127.0.0.1:563 -m matrix proto - remote 'src net 123.123.0.0/16 and dst net 123.123.0.0/16 ...
Rank  StartTime        Flgs  Proto  SrcAddr        Sport  Dir  DstAddr        Dport  TotPkts  TotBytes  State  sVid  dVid   Loss     pLoss
   1  15:52:12.250749  M *   tcp    123.123.94.0   *      ->   123.123.121.0  *        21156   4115792  CON     120     5  10510  33.19017
   2  15:52:10.668253  M *   tcp    123.123.8.0    *      ->   123.123.42.0   *         7446   2260934  CON      40     5   3213  30.14354
   3  15:52:12.250749  M *   tcp    123.123.94.0   *      ->   123.123.121.0  *         6191   1217900  CON     120     5   3079  33.21467
   4  15:52:10.981508  M *   tcp    123.123.36.0   *      ->   123.123.133.0  *         5871   2937490  CON       5    36   1835  23.81261
   5  15:52:10.652194  M *   tcp    123.123.95.0   *      ->   123.123.216.0  *         2602   1947372  CON     216    90    955  26.84846
   6  15:52:14.407818  M *   tcp    123.123.42.0   *      ->   123.123.108.0  *         3434    570022  FIN     108    30   1600  31.78387
   7  15:52:10.279885  M *   tcp    123.123.107.0  *      ->   123.123.108.0  *         1999   1175320  CON     108   108    657  24.73644
   8  15:52:12.575023  M *   tcp    123.123.37.0   *      <?>  123.123.38.0   *         1780    188408  CON      36    36    769  30.16869
   9  15:52:12.720005  * *   tcp    123.123.120.0  *      ->   123.123.120.0  *         1592    952308  FIN     120   120    550  25.67693
  10  15:52:13.406317  M *   tcp    123.123.95.0   *      ->   123.123.133.0  *         1195   1106198  RST       5    90    407  25.40574

I note that the loss statistics are unrealistically high at 20-35%
packet loss per flow (with no drops reported by the kernel) but I have
not yet had the opportunity to investigate what it is exactly that
Argus is measuring so I am not too alarmed by this. I'm happy to
investigate this myself, however from a quick search of the mailing
list I was unable to find a description of the Argus strategy for
packet loss measurement and think that a precise description might be
of value on the NSM wiki.

However my real question is this: Is there some way of asserting a
filter along the lines of "src vid != dst vid" so that I see only
inter-VLAN flows as I'm not interested in seeing the inter-subnet
traffic on "shared networks"?

Many thanks,

Tez

Carter Bullard | 5 Aug 2008 13:51

Re: Possible to filter on src vid != dst vid?

Hey Terry,
The numbers don't look quite right, but you never know with loss.

The pLoss is calculated as:
   pLoss = ( loss * 100.0 )/ Pkts

It's really straightforward to see if the reported value is close at all.  If not, send some records and I'll
check it out.

Loss, for TCP, is determined by either missing sequence numbers, retransmitted pkts, or breaks in the
selective ack sequences.  To look at the code it's not at all clear, but we want to do this fast so it's pretty
ugly code.

Of course, the accuracy of the report is dependent on where along the path you are.  One probe may see
retransmissions, but a downstream probe may not, so we're trying to correlate the full duplex set of
packets to see if we can 'discover' loss.   As a result, you can get negative loss reported, in a flow status
record, due to an over report in a previous record.

If you want more detail, just ask questions on the list.  If I can't answer, somebody else may chime in :o)

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
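
Added example (not part of the original messages and not Argus code): a Python check of the pLoss values in the ratop output posted earlier in this thread against the formula pLoss = (loss * 100.0) / Pkts. The thread does not say what "Pkts" counts, so the script tries two readings, TotPkts and TotPkts + Loss; the second reading is an assumption made here.

```python
# Added example (not Argus source code).
# (rank, TotPkts, Loss, reported pLoss) copied from the ratop output
# posted earlier in this thread.
RECORDS = [
    (1, 21156, 10510, 33.19017),
    (2, 7446, 3213, 30.14354),
    (3, 6191, 3079, 33.21467),
    (4, 5871, 1835, 23.81261),
    (5, 2602, 955, 26.84846),
    (6, 3434, 1600, 31.78387),
    (7, 1999, 657, 24.73644),
    (8, 1780, 769, 30.16869),
    (9, 1592, 550, 25.67693),
    (10, 1195, 407, 25.40574),
]

def ploss(loss, pkts):
    """pLoss = (loss * 100.0) / Pkts, the formula quoted in the thread."""
    if pkts <= 0:
        return 0.0  # no packets counted: nothing to divide by
    return (loss * 100.0) / pkts

def readings(tot_pkts, loss):
    """Candidate denominators for 'Pkts'; the second one is an assumption."""
    return {
        "TotPkts": ploss(loss, tot_pkts),
        "TotPkts+Loss": ploss(loss, tot_pkts + loss),
    }

def count_matches(records, tol=1e-4):
    """Count, per reading, how many records reproduce the reported pLoss."""
    counts = {"TotPkts": 0, "TotPkts+Loss": 0}
    for _rank, tot_pkts, loss, reported in records:
        for name, value in readings(tot_pkts, loss).items():
            if abs(value - reported) <= tol:
                counts[name] += 1
    return counts

if __name__ == "__main__":
    for rank, tot_pkts, loss, reported in RECORDS:
        r = readings(tot_pkts, loss)
        print(f"{rank:>2}  reported={reported:9.5f}  "
              f"loss/TotPkts={r['TotPkts']:9.5f}  "
              f"loss/(TotPkts+Loss)={r['TotPkts+Loss']:9.5f}")
    print(count_matches(RECORDS))
```

For the ten records posted, the reported pLoss values agree with the TotPkts + Loss reading and not with TotPkts alone.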


Terry Burton | 6 Aug 2008 01:17

Re: Possible to filter on src vid != dst vid?

On Tue, Aug 5, 2008 at 12:51 PM, Carter Bullard <carter <at> qosient.com> wrote:
> The numbers don't look quite right, but you never know with loss.
<...snip...>

Hi Carter,

Thanks for your response regarding packet loss calculations. I'll look
forward to looking into this more thoroughly when I return from an
imminent holiday in two weeks time.

> If you want more detail, just ask questions on the list.  If I can't answer, somebody else may chime in :o)

I'd just like to repeat a part of my original email that went
unaddressed regarding filtering using comparison operators on VLAN
tags.

> -----Original Message-----
> From: "Terry Burton" <tez <at> terryburton.co.uk>
>
> Date: Tue, 5 Aug 2008 11:35:24
> To: Argus<argus-info <at> lists.andrew.cmu.edu>
> Subject: [ARGUS] Possible to filter on src vid != dst vid?
<...snip...>
> However my real question is this: Is there some way of asserting a
> filter along the lines of "src vid != dst vid" so that I see only
> inter-VLAN flows as I'm not interested in seeing the inter-subnet
> traffic on "shared networks"?

Thanks again for your reply.

All the best,

Tez

Carter Bullard | 6 Aug 2008 02:00

Re: Possible to filter on src vid != dst vid?

Hey Tez,
Currently we don't do filters like "src vid neq dst vid", but I can always add
more filters, so I'll look into this.  Please send email when you get back,
and hopefully I'll have a solution.

Carter


David | 15 Aug 2008 15:17

Order when reading pcap files

I read in a whole bunch of pcap files using argus, like so:

$ for file in *; do argus -r $file -w MyData.argus; done

However, these aren't guaranteed to be in date order.  Will that screw  
up argus at all?  If so, I can get an ordered list and read in  
properly, just wondering.

Also, is there an IRC channel for argus?

Regards,

David
