FW: Argus 2.0 wishes

Carter Bullard cbullard at nortelnetworks.com
Wed Mar 8 10:11:11 EST 2000 

 
-----Original Message-----
From: Neil Long [mailto:neil.long at computing-services.oxford.ac.uk] 
Sent: Wednesday, March 08, 2000 3:31 AM
To: Bullard, Carter [NYPAR:DS33:EXCH]
Subject: Re: Argus 2.0 wishes


Hello
I see what you mean - I will go play with some data. Feel free to forward my
mail to the list - I probably meant to originally (I started the compose in
the morning and hastily finished it before going home - usual day and I
would never bet against you having the same kind!
 
regards
Neil

-----Original Message-----
From: Carter Bullard < cbullard at nortelnetworks.com
<mailto:cbullard at nortelnetworks.com> >
To: 'Neil Long' < neil.long at computing-services.oxford.ac.uk
<mailto:neil.long at computing-services.oxford.ac.uk> >
Date: 07 March 2000 23:00
Subject: RE: Argus 2.0 wishes



Hey Neil, 
   Controlling the volume of output is a very 
interesting problem. There is one big way of 
decreasing output volume and that is to do Argus 
data aggregation.  It is very easy to merge Argus 
records, the sample application raconnections() 
does a specific type of aggregation.  raconnections() 
merges mutliple Argus records that belong to the same 
flow.  Say if you had 1 Billion Echo Argus records 
from host A to B in the same file, raconnections() 
would collapse them all into a single Argus record. 

   The real power of this type of aggregation comes 
when you redefine the flow model that is used 
to match the records.  A new program, lets say 
raggregate(), could provide a very flexible 
aggregation strategy that could reduce an entire 
Argus data file to a single record  (if that would 
be helpful). Say for instance, you want to 
collapse all records from subnet A to subnet B into 
a single argus record, but all the ping transactions 
you want to leave unmodified, because you want to 
calculate RTT's from the data.   This is really 
very easy and quite straightforward.  The only trick 
is what do you want the flow model definition file 
to look like.  An access control list type defintion 
would work rather well. 

   What type of default aggregation would be useful? 

Carter 

P.S. Mind if I resend this to the mailing list? 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20000308/e88622fa/attachment.html>

More information about the argus mailing list