latest watcher script <fwd>
Russell Fulton
r.fulton at auckland.ac.nz
Sun Aug 6 22:40:26 EDT 2000
On Sun, 6 Aug 2000 22:08:48 -0400 Carter Bullard <chellyaz at bellatlantic.net> wrote:
> Sorry for the confusion!
> Argus doesn't do the merging, it's racompress().
> racompress() has some options that allow you to merge
> argus records together that have partial flow matches.
> This allows you to, say, merge all the TCP connections
> going to port 80 from A to B, together. Since they only
> differ by the source port, the source port number needs
> to reflect that it is not valid, and a zero port number
> is invalid. This type of merging allows for very good
> data reduction.
>
Ahh... I see. In that case can I suggest two separate flag bits to say
that src or dst port is aggregated and set the port to zero so we can
distinguish a real 0 port and an aggregated flow. I see a steady trickle
of TCP packets with one or other of the ports set to zero (it trips up
one of my other scripts so I now print them out whenever I come across
them). It would appear that Neil is seeing UDP packets with 0
destination ports too.
> We are going to emphasize this in Argus-2.0.
>
Careful Carter, you'll end up reinventing NeTraMet ;-) ;-)
BTW we have this rather neat language for defining network flows...
Cheers, Russell.
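The merge-and-flag scheme discussed in this exchange, as an added example that is not Argus or racompress() code and does not use Argus' record format: records that differ only by source port are collapsed into one, the collapsed port is written as 0, and a hypothetical flag bit (FLAG_SRC_PORT_AGG / FLAG_DST_PORT_AGG, names assumed here) records that the field is no longer valid. A watcher check that consults the flags keeps reporting genuine zero-port packets without being tripped by the aggregated records. The flow records are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Hypothetical flag bits (constructed for this example, not Argus' own record
# format): set when aggregation has zeroed a port field, so that a zero
# written by the merge can be told apart from a genuine port 0.
FLAG_SRC_PORT_AGG = 0x1
FLAG_DST_PORT_AGG = 0x2

FlowKey = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    pkts: int
    bytes: int
    flags: int = 0


# Constructed sample records (not captured traffic): two web connections
# A -> B that differ only by source port, one connection to 443, a TCP
# record with a genuine source port 0, and a UDP record with a genuine
# destination port 0.
SAMPLE_FLOWS: List[Flow] = [
    Flow("tcp", "10.0.0.1", 40001, "10.0.0.2", 80, 10, 1000),
    Flow("tcp", "10.0.0.1", 40002, "10.0.0.2", 80, 5, 500),
    Flow("tcp", "10.0.0.1", 40003, "10.0.0.2", 443, 3, 300),
    Flow("tcp", "10.0.0.9", 0, "10.0.0.2", 80, 1, 60),
    Flow("udp", "10.0.0.5", 5353, "10.0.0.2", 0, 2, 120),
]


def aggregate(flows: List[Flow], ignore_sport: bool = True,
              ignore_dport: bool = False) -> Dict[FlowKey, Flow]:
    """Merge records that agree on everything except the ignored port(s).

    Each ignored port is rewritten to 0 and the matching flag bit is set,
    so the zero marks the field as 'not valid' rather than as port 0.
    Packet and byte counters of merged records are summed."""
    merged: Dict[FlowKey, Flow] = {}
    for f in flows:
        sport, dport, flags = f.sport, f.dport, f.flags
        if ignore_sport:
            sport, flags = 0, flags | FLAG_SRC_PORT_AGG
        if ignore_dport:
            dport, flags = 0, flags | FLAG_DST_PORT_AGG
        key: FlowKey = (f.proto, f.src, f.dst, sport, dport)
        prev = merged.get(key)
        if prev is None:
            merged[key] = replace(f, sport=sport, dport=dport, flags=flags)
        else:
            merged[key] = replace(prev, pkts=prev.pkts + f.pkts,
                                  bytes=prev.bytes + f.bytes,
                                  flags=prev.flags | flags)
    return merged


def genuine_zero_port(flows: List[Flow]) -> List[Flow]:
    """Records with a port of 0 that aggregation did NOT write there.

    This is the check a watcher script would run to print the 'trickle'
    of zero-port packets; the flag bits keep aggregated records out."""
    return [
        f for f in flows
        if (f.sport == 0 and not f.flags & FLAG_SRC_PORT_AGG)
        or (f.dport == 0 and not f.flags & FLAG_DST_PORT_AGG)
    ]


def naive_zero_port(flows: List[Flow]) -> List[Flow]:
    """The same check without consulting the flags: after aggregation it
    reports every merged record as a zero-port anomaly."""
    return [f for f in flows if f.sport == 0 or f.dport == 0]


if __name__ == "__main__":
    agg = list(aggregate(SAMPLE_FLOWS).values())
    print(f"{len(SAMPLE_FLOWS)} records reduced to {len(agg)}")
    print("zero-port before aggregation:", len(genuine_zero_port(SAMPLE_FLOWS)))
    print("zero-port after, with flags:  ", len(genuine_zero_port(agg)))
    print("zero-port after, no flags:    ", len(naive_zero_port(agg)))
```

One caveat the example makes visible: merging on source port also absorbs the record whose source port really was 0, and its flag then says "not valid" like everyone else's. The flag bits let the watcher ignore aggregated zeros, but the genuine zero-port records are only fully recoverable if the zero-port check runs on the records before reduction.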