RAPATH(1) General Commands Manual RAPATH(1)

rapath - print traceroute path information from argus(8) data.

rapath [-A] [-M [ aspath [dist] | asnode ] ] [-m fields ] [raoptions]
[-- filter-expression]

Rapath reads argus data from an argus-data source, and generates the
path information that can be formulated from flows that experience ICMP
responses. When a packet causes the creation of an ICMP response, for
whatever reason, the intermediate node that generates the ICMP packet
is, by definition, on the path. Argus data preserves this intermediate
node address, and rapath uses this information to generate path
information for arbitrary IP network traffic. Rapath is principally
designed to recover traceroute(1) traffic, so that if a trace is done in
the network, argus will pick it up and record the intermediate nodes
and the RTT for the volleys. However, the method is generalized such
that it also picks up routing loop conditions, when they exist in the
observed packet stream.

Rapath will generate argus flow records that have the src address, dst
address and src ttl of the transmitted packet, aggregated so that the
average duration, standard deviation, max and min RTTs are preserved.
The most accurate estimate of the actual Round-Trip Time (RTT) between
a src IP address and an ICMP based intermediate node is the MinDur
field. As the number of samples gets larger, the MinDur field
approaches the theoretical best case minimum RTT. RTTs above this
value will include variations in network and device delay.

When using the optional racluster(1) style flow descriptors, path
information to and from CIDR based network addresses can be calculated, so
that traces from and to multiple machines in the subnets can be grouped
together.

The output of rapath can be piped into ranonymize(1), in order to share
path performance information without divulging the actual addresses of
intermediate routers.

Rapath, like all ra based clients, supports a number of ra options
including filtering of input argus records through a terminating filter
expression. See ra(1) for a complete description of ra options.
rapath(1) specific options are:

-A     Draw a description of the path with a legend.

-M pathmodes
       Supported pathmodes are:
          node          - print a series of nodes that represent the path (default).
          addr          - print the IP addresses, instead of node labels.
          aspath [dist] - print the series of origin AS's along the path. Optional 'dist' adds the ttl range.
          asnode        - print the series of nodes, preceded with their AS's along the path.

-m fields
       Specify modifications to the default flow identifiers. Supported fields are:
          srcid       - the observation domain source identifier.
          saddr[/len] - the source address, optionally as a CIDR address.
          daddr[/len] - the destination address, optionally as a CIDR address.

A sample invocation of rapath(1). This call reads argus(8) data from
inputfile and generates any path information, based on src and dst IP
addresses, and writes the results to stdout.

% rapath -r inputfile

SrcId         SrcAddr       Dir  DstAddr      Inode           sTtl  Mean      StdDev    Max       Min       Trans
192.168.0.68  192.168.0.68  ->   128.2.42.10  192.168.0.1     1     0.000686  0.000037  0.000764  0.000627  18
192.168.0.68  192.168.0.68  ->   128.2.42.10  10.22.96.1      2     0.009329  0.002719  0.019935  0.007435  18
192.168.0.68  192.168.0.68  ->   128.2.42.10  208.59.246.2    3     0.010686  0.002619  0.020175  0.007698  18
192.168.0.68  192.168.0.68  ->   128.2.42.10  207.172.15.85   4     0.013988  0.007116  0.032652  0.008923  11
192.168.0.68  192.168.0.68  ->   128.2.42.10  207.172.15.67   4     0.010188  0.000218  0.010676  0.009932  7
192.168.0.68  192.168.0.68  ->   128.2.42.10  198.32.118.161  5     0.010865  0.003557  0.019436  0.007937  18
192.168.0.68  192.168.0.68  ->   128.2.42.10  64.57.20.251    6     0.044649  0.008916  0.076137  0.039844  18
192.168.0.68  192.168.0.68  ->   128.2.42.10  64.57.21.146    7     0.056345  0.003985  0.065643  0.053371  18
192.168.0.68  192.168.0.68  ->   128.2.42.10  147.73.16.120   8     0.052594  0.003037  0.061770  0.050151  18
192.168.0.68  192.168.0.68  ->   128.2.42.10  128.2.255.249   9     0.055147  0.002541  0.064620  0.053151  18
192.168.0.68  192.168.0.68  ->   128.2.42.10  128.2.255.212   10    0.051835  0.000326  0.052362  0.051392  9
192.168.0.68  192.168.0.68  ->   128.2.42.10  128.2.255.205   10    0.054236  0.000658  0.055198  0.053028  9

The output of rapath is an argus data stream, and can be written to a
file, or piped to other programs for processing. The resulting stream
is a clustered data stream ordered by the unique " saddr -> daddr "
paths.

The next sample invocation of rapath(1) prints out a graph of the path
information using letters as index, with the node information provided
as reference.

% rapath -Ar inputfile

192.168.0.68(192.168.0.68::128.2.42.10) A -> B -> C -> {D,E} -> F -> G -> H -> I -> J -> {K,L}
Node  SrcId         SrcAddr       Dir  DstAddr      Inode           sTtl  Mean      StdDev    Max       Min       Trans
A     192.168.0.68  192.168.0.68  ->   128.2.42.10  192.168.0.1     1     0.000686  0.000037  0.000764  0.000627  18
B     192.168.0.68  192.168.0.68  ->   128.2.42.10  10.22.96.1      2     0.009329  0.002719  0.019935  0.007435  18
C     192.168.0.68  192.168.0.68  ->   128.2.42.10  208.59.246.2    3     0.010686  0.002619  0.020175  0.007698  18
D     192.168.0.68  192.168.0.68  ->   128.2.42.10  207.172.15.85   4     0.013988  0.007116  0.032652  0.008923  11
E     192.168.0.68  192.168.0.68  ->   128.2.42.10  207.172.15.67   4     0.010188  0.000218  0.010676  0.009932  7
F     192.168.0.68  192.168.0.68  ->   128.2.42.10  198.32.118.161  5     0.010865  0.003557  0.019436  0.007937  18
G     192.168.0.68  192.168.0.68  ->   128.2.42.10  64.57.20.251    6     0.044649  0.008916  0.076137  0.039844  18
H     192.168.0.68  192.168.0.68  ->   128.2.42.10  64.57.21.146    7     0.056345  0.003985  0.065643  0.053371  18
I     192.168.0.68  192.168.0.68  ->   128.2.42.10  147.73.16.120   8     0.052594  0.003037  0.061770  0.050151  18
J     192.168.0.68  192.168.0.68  ->   128.2.42.10  128.2.255.249   9     0.055147  0.002541  0.064620  0.053151  18
K     192.168.0.68  192.168.0.68  ->   128.2.42.10  128.2.255.212   10    0.051835  0.000326  0.052362  0.051392  9
L     192.168.0.68  192.168.0.68  ->   128.2.42.10  128.2.255.205   10    0.054236  0.000658  0.055198  0.053028  9

the path. Because network paths can be divergent, due to routing
changes, load balancing, or redirects, multiple nodes can be observed
at the same distance along the path. rapath(1) uses '{' and '}' to
delimit the set of nodes that are observed at the same distance in the
path. Letters in the path are references to inode addresses contained
in the actual node records.
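
An added example, not part of the rapath distribution: a Python parser for the text output shown above that rebuilds the -A letter graph, using '{' and '}' for nodes seen at the same distance, and flags an inode that answers at more than one sTtl as a candidate routing loop. It assumes whitespace-separated columns in the order of the sample output; the loop heuristic and the LOOP_ROWS data are constructed here.

```python
import string
from collections import defaultdict

# First six rows of the sample output on this page (TTL 1-5).
PAGE_ROWS = """\
SrcId SrcAddr Dir DstAddr Inode sTtl Mean StdDev Max Min Trans
192.168.0.68 192.168.0.68 -> 128.2.42.10 192.168.0.1 1 0.000686 0.000037 0.000764 0.000627 18
192.168.0.68 192.168.0.68 -> 128.2.42.10 10.22.96.1 2 0.009329 0.002719 0.019935 0.007435 18
192.168.0.68 192.168.0.68 -> 128.2.42.10 208.59.246.2 3 0.010686 0.002619 0.020175 0.007698 18
192.168.0.68 192.168.0.68 -> 128.2.42.10 207.172.15.85 4 0.013988 0.007116 0.032652 0.008923 11
192.168.0.68 192.168.0.68 -> 128.2.42.10 207.172.15.67 4 0.010188 0.000218 0.010676 0.009932 7
192.168.0.68 192.168.0.68 -> 128.2.42.10 198.32.118.161 5 0.010865 0.003557 0.019436 0.007937 18
"""
# Constructed rows (documentation addresses): 203.0.113.1 answers at TTL 2 and 4.
LOOP_ROWS = """\
192.0.2.10 192.0.2.10 -> 198.51.100.20 192.0.2.254 1 0.000700 0.000030 0.000800 0.000650 6
192.0.2.10 192.0.2.10 -> 198.51.100.20 203.0.113.1 2 0.004100 0.000200 0.004600 0.003900 6
192.0.2.10 192.0.2.10 -> 198.51.100.20 203.0.113.2 3 0.005300 0.000250 0.005900 0.005000 6
192.0.2.10 192.0.2.10 -> 198.51.100.20 203.0.113.1 4 0.006800 0.000300 0.007400 0.006400 6
"""

def parse(text):
    """Return {(saddr, daddr): {sTtl: [(inode, min_rtt, trans), ...]}}."""
    paths = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        f = line.split()
        if len(f) == 12:          # 'rapath -A' rows carry a leading Node letter
            f = f[1:]
        if len(f) != 11 or f[2] != "->":
            continue              # header, blank line or path-graph line
        paths[(f[1], f[3])][int(f[5])].append((f[4], float(f[9]), int(f[10])))
    return paths

def graph(hops):
    """Render one path in 'rapath -A' letter notation (up to 26 nodes)."""
    letters = iter(string.ascii_uppercase)
    parts = []
    for ttl in sorted(hops):
        names = [next(letters) for _ in hops[ttl]]
        parts.append(names[0] if len(names) == 1 else "{" + ",".join(names) + "}")
    return " -> ".join(parts)

def repeated_inodes(hops):
    """Assumed heuristic: an inode seen at more than one sTtl may be a loop."""
    seen = defaultdict(set)
    for ttl, nodes in hops.items():
        for inode, _min_rtt, _trans in nodes:
            seen[inode].add(ttl)
    return {ip: sorted(ttls) for ip, ttls in seen.items() if len(ttls) > 1}
```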


The next sample invocation of rapath(1) prints out just a graph of the
path information in two sets of argus data, today's and last month's, to
highlight how paths change. ASN information is added to the records,
to show how rapath(1) depicts ASN relationships, using a -f
ralabel.conf(5) option.

The -q option suppresses the default output of the actual argus record
data compiled for each node along the path. The '[' and ']' (brackets)
delineate AS's and will contain the set of nodes that were observed
within the same AS.

% rapath -f ralabel.conf -qA -r inputfile
192.168.0.68(192.168.0.68::128.2.42.10) A -> [B] -> [C -> {D,E}] -> [F] -> [G -> H] -> [I] -> [J -> {K,L}]

% rapath -f ralabel.conf -qA -r inputfile.last.month
192.168.0.68(192.168.0.68::128.2.42.10) A -> [B] -> [C -> D] -> [E -> F -> G -> {H,I,J,K} -> {L,M,N} -> O -> P] -> [Q -> {R,S}]

This next sample invocation of rapath(1) prints out a graph of the
ASpath, the set of AS's that the network path traversed. The -q option
is again used to suppress the output of the actual node information.
Where there is no AS number, possibly due to a private network or an
unregistered address space, letters are used to denote the node.

% rapath -f ralabel.conf -r inputfile -qA -M aspath
192.168.0.68(192.168.0.68::128.2.42.10) A -> AS30496 -> AS6079 -> AS1257 -> AS11164 -> AS5050 -> AS9

This sample invocation of rapath(1) prints out a graph of the ASpath,
suppressing the output of the actual node information (-q), and
printing actual IP addresses, rather than node labels.

% rapath -f ralabel.conf -r inputfile -qA -M aspath addr
192.168.0.68(192.168.0.68::128.2.42.10) 192.168.0.1 -> AS30496 -> AS6079 -> AS1257 -> AS11164 -> AS5050 -> AS9

This sample invocation of rapath(1) prints out a graph of the ASpath,
with distance information, suppressing the output of the actual node
information (-q). This is the aspath output, but with distances in
TTLs specified for each entry.

% rapath -f ralabel.conf -r inputfile -qA -M aspath dist addr
192.168.0.68(192.168.0.68::128.2.42.10) 192.168.0.1:1 -> AS30496:2 -> AS6079:3-4 -> AS1257:5 -> AS11164:6-7 -> AS5050:8 -> AS9:9-10

This sample invocation of rapath(1) prints out a graph of the AS nodal
path, suppressing the output of the actual node information (-q).

% rapath -f ralabel.conf -r inputfile -qA -M asnode
192.168.0.68(192.168.0.68::128.2.42.10) AS30496:[A -> B] -> AS6079:[C -> {D,E}] -> AS1257:[F] -> AS11164:[G -> H] -> AS5050:[I] -> AS9:[J -> {K,L}]

% rapath -f ralabel.conf -r inputfile.last.month -qA -M asnode
192.168.0.68(192.168.0.68::128.2.42.10) A -> AS30496:[B] -> AS6079:[C -> D] -> AS3356:[E -> F -> G -> {H,I,J,K} -> {L,M,N} -> O -> P] -> AS9:[Q -> {R,S}]

This sample invocation of rapath(1) demonstrates how to use CIDR
address aggregation, using the -m option, to generate path performance
data from a class B subnet, to a class C subnet.

% rapath -f ralabel.conf -r inputfile -A -m saddr/16 daddr/24 - srcid 192.168.0.68

192.168.0.68(192.168.0.0/16::128.2.42.0/24) A -> [B] -> [C -> {D,E}] -> [F] -> [G -> H] -> [I] -> [J -> {K,L}]
Node  SrcId         SrcAddr         Dir  DstAddr        Inode           sTtl  Mean      StdDev    Max       Min       Trans
A     192.168.0.68  192.168.0.0/16  ->   128.2.42.0/24  192.168.0.1     1     0.000686  0.000037  0.000764  0.000627  18
B     192.168.0.68  192.168.0.0/16  ->   128.2.42.0/24  10.22.96.1      2     0.009329  0.002719  0.019935  0.007435  18
C     192.168.0.68  192.168.0.0/16  ->   128.2.42.0/24  208.59.246.2    3     0.010686  0.002619  0.020175  0.007698  18
D     192.168.0.68  192.168.0.0/16  ->   128.2.42.0/24  207.172.15.85   4     0.013988  0.007116  0.032652  0.008923  11
E     192.168.0.68  192.168.0.0/16  ->   128.2.42.0/24  207.172.15.67   4     0.010188  0.000218  0.010676  0.009932  7
F     192.168.0.68  192.168.0.0/16  ->   128.2.42.0/24  198.32.118.161  5     0.010865  0.003557  0.019436  0.007937  18
G     192.168.0.68  192.168.0.0/16  ->   128.2.42.0/24  64.57.20.251    6     0.044649  0.008916  0.076137  0.039844  18
H     192.168.0.68  192.168.0.0/16  ->   128.2.42.0/24  64.57.21.146    7     0.056345  0.003985  0.065643  0.053371  18
I     192.168.0.68  192.168.0.0/16  ->   128.2.42.0/24  147.73.16.120   8     0.052594  0.003037  0.061770  0.050151  18
J     192.168.0.68  192.168.0.0/16  ->   128.2.42.0/24  128.2.255.249   9     0.055147  0.002541  0.064620  0.053151  18
K     192.168.0.68  192.168.0.0/16  ->   128.2.42.0/24  128.2.255.212   10    0.051835  0.000326  0.052362  0.051392  9
L     192.168.0.68  192.168.0.0/16  ->   128.2.42.0/24  128.2.255.205   10    0.054236  0.000658  0.055198  0.053028  9

Copyright (c) 2000-2016 QoSient. All rights reserved.

ra(1), rarc(5), ralabel.conf(5), argus(8)

Carter Bullard (carter@qosient.com).

rapath 3.0.8 07 November 2000 RAPATH(1)