latest watcher script <fwd>

Carter Bullard chellyaz at bellatlantic.net
Sun Aug 6 22:08:48 EDT 2000


Sorry for the confusion!
Argus doesn't do the merging, it's racompress().
racompress() has some options that allow you to merge
argus records together that have partial flow matches.
This allows you to, say, merge all the TCP connections
going to port 80 from A to B together.  Since they only
differ by the source port, the source port number needs
to reflect that it is not valid, and a zero port number
is invalid.  This type of merging allows for very good
data reduction.

We are going to emphasize this in Argus-2.0.

Hope this clears things up,

Carter


-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
Sent: Sunday, August 06, 2000 7:44 PM
To: 'Argus (E-mail)'
Subject: Re: RE: latest watcher script <fwd>



On Fri, 4 Aug 2000 22:05:24 -0400 Carter Bullard <carter at qosient.com> 
wrote:

> Hey Russell,
>    The '*' means that the port value is zero.  We use
> zero when we merge Argus records together, so for ra()
> a zero in a port field could represent a real zero or
> a condition where it was several numbers merged together.
> So we report a meta-character rather than the value.
> 

Hmmm... I'm a bit confused as to why argus would merge udp records with 
different port numbers.  Given that argus does merge records then 
surely it would be more sensible to have 0 represent a real zero and 
use '*' to represent merged records.

Are there argus options that affect the merging of records?  (this 
would explain why I don't see these records here).

Cheers, Russell.
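An added example, not argus or racompress() code, that models the merge rule Carter describes above and the ra() display rule behind the '*': records that agree on everything except the source port are merged, the varying port is set to zero, and a zero port prints as '*'. The record fields, the merge key and the sample flows are assumptions made for the illustration.

```python
# Constructed model of the racompress() merge rule described in the thread;
# not argus code. Record fields and the merge key are assumptions.
from dataclasses import dataclass, replace
from typing import Iterable

@dataclass(frozen=True)
class Flow:
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    pkts: int
    bytes: int

def merge_on_sport(records: Iterable[Flow]) -> list[Flow]:
    """Merge records that differ only by source port; set sport to 0 (invalid)."""
    groups: dict[tuple, list[Flow]] = {}
    for r in records:
        groups.setdefault((r.proto, r.saddr, r.daddr, r.dport), []).append(r)
    out = []
    for members in groups.values():
        sports = {m.sport for m in members}
        first = members[0]
        merged = replace(first,
                         sport=first.sport if len(sports) == 1 else 0,
                         pkts=sum(m.pkts for m in members),
                         bytes=sum(m.bytes for m in members))
        out.append(merged)
    return out

def fmt_port(port: int) -> str:
    """ra()'s rule: a zero port prints as '*' (real zero or merged, not distinguishable)."""
    return "*" if port == 0 else str(port)

def render(r: Flow) -> str:
    return f"{r.proto} {r.saddr}.{fmt_port(r.sport)} -> {r.daddr}.{fmt_port(r.dport)} {r.pkts} {r.bytes}"

# Constructed sample: three HTTP connections from A to B, and one DNS query.
SAMPLE = [
    Flow("tcp", "10.0.0.1", 40001, "10.0.0.2", 80, 10, 1500),
    Flow("tcp", "10.0.0.1", 40002, "10.0.0.2", 80, 12, 1800),
    Flow("tcp", "10.0.0.1", 40003, "10.0.0.2", 80, 8, 1200),
    Flow("udp", "10.0.0.1", 5353, "10.0.0.3", 53, 1, 70),
]

if __name__ == "__main__":
    for r in merge_on_sport(SAMPLE):
        print(render(r))
```

The three port-80 connections collapse into one record whose source port shows as '*', while the single DNS record keeps its real source port; this is exactly the data reduction, and the ambiguity, that the two messages discuss.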


