Time stamps in argus records
Carter Bullard
cbullard at nortelnetworks.com
Thu Sep 23 11:23:00 EDT 1999
Hey Russell,
Combining multiple Argus records that belong to the same flow
is done with raconnections(). Feed a day's worth of argus records
into raconnections() and you should get single records for single
connections with the start and last timestamps correct.
Carter
> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
> Sent: Thursday, September 23, 1999 12:24 AM
> To: argus at lists.andrew.cmu.edu
> Subject: Time stamps in argus records
>
>
> Hi All,
> A quick query about the argus time stamps: I had assumed that
> for tcp traffic the start time was the start time for the
> session as a whole, but on examining real output from ra I see
> I am clearly mistaken.
>
> So, what are the start and last times? Presumably the times for this
> particular argus record.
>
> I was looking for a way of detecting long running tcp sessions
> without going to the bother of maintaining state info in the
> script which postprocessed the ra output. I thought, that's easy,
> just use -g, but the longest time I got was approx. 2 minutes.
> Then I had a look at the ra times for the sessions and realised
> they incremented each record.
>
> Sigh...
>
> Russell.
>
>
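Added example, not code from the thread or from the argus tools: a small Python merge that does what Carter describes, collapsing the per-record start/last times for one flow into a single start and last time so that long-running sessions can be found without keeping state in a postprocessing script. The record layout and the sample lines are constructed for this example and are not real ra output.

```python
from datetime import datetime

# Constructed sample records in an assumed ra-like layout (not real ra output):
# start_date start_time last_date last_time proto src_addr.port dst_addr.port
# Three records belong to the same ssh connection; each covers one interval,
# which is why per-record durations looked short in the question above.
SAMPLE = """\
1999-09-23 00:01:00 1999-09-23 00:02:30 tcp 10.0.0.5.3211 10.0.0.9.22
1999-09-23 00:02:30 1999-09-23 00:04:00 tcp 10.0.0.5.3211 10.0.0.9.22
1999-09-23 00:03:10 1999-09-23 00:03:15 tcp 10.0.0.7.4001 10.0.0.9.80
1999-09-23 00:04:00 1999-09-23 00:09:45 tcp 10.0.0.5.3211 10.0.0.9.22
"""

FMT = "%Y-%m-%d %H:%M:%S"


def parse_record(line):
    """Return (flow_key, start, last) for one constructed record line."""
    f = line.split()
    start = datetime.strptime(f[0] + " " + f[1], FMT)
    last = datetime.strptime(f[2] + " " + f[3], FMT)
    return (f[4], f[5], f[6]), start, last


def merge_flows(text):
    """Collapse interval records into one (start, last) pair per flow key,
    keeping the earliest start and the latest last time seen."""
    flows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, start, last = parse_record(line)
        if key in flows:
            s, l = flows[key]
            flows[key] = (min(s, start), max(l, last))
        else:
            flows[key] = (start, last)
    return flows


def long_sessions(flows, min_seconds):
    """Map flow key -> whole-session duration for sessions at least min_seconds long."""
    return {
        key: (last - start).total_seconds()
        for key, (start, last) in flows.items()
        if (last - start).total_seconds() >= min_seconds
    }


if __name__ == "__main__":
    for key, secs in long_sessions(merge_flows(SAMPLE), 300).items():
        print(key, secs)
```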