Argus Flow Timeout Issues

Wozz wozz+argus at wookie.net
Mon Dec 10 23:52:05 EST 2001


On Thu, Nov 15, 2001 at 09:31:56AM -0500, Carter Bullard wrote:
> 
>           IP fragments -   5 seconds
> 
>             IGMP flows - 300 seconds
>              ARP flows - 300 seconds
>       Unknown protocol - 300 seconds
> 
>      Initial TCP flows -  15 seconds
>      Initial UDP flows -  15 seconds
>      Initial ESP flows -  15 seconds
>     Initial ICMP flows -  15 seconds
> 
>  All established flows - 300 seconds
> 
>             TCP closed -  10 seconds
> 
> 

I've been thinking about this more.  These values work great for
short-lived connections (HTTP, POP, etc.) but not so well for
longer-lived connections (ssh, and several other applications on my
networks).  It might be useful to make these tweakable on a per-port
basis.  I.e., I can set the default for established flows to be 300,
but I could define that flows going to port 22 last 3600 seconds.
I suppose this will result in higher memory usage, but if you only
define those flows that you know are going to be longer lived, it
shouldn't be too significant.  Any thoughts?
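
The per-port idea above, sketched as an added example that is not part of the original post and not Argus code or configuration. The override table and function names are hypothetical, and it assumes the timeout is an idle timeout after which the flow's state is dropped, so the next packet opens a new record.

```c
#include <stdio.h>
#include <stddef.h>

/* Default from the quoted list: all established flows time out at 300 s. */
#define DEFAULT_ESTABLISHED_TIMEOUT 300

/* Hypothetical per-port override table (not an Argus structure or option). */
struct port_timeout { unsigned short port; int seconds; };
static const struct port_timeout overrides[] = {
    { 22, 3600 },   /* the ssh value suggested in the post */
};

/* Idle timeout for an established flow to dst_port: the override if one is
 * defined, otherwise the default. */
int established_timeout(unsigned short dst_port)
{
    size_t i;
    for (i = 0; i < sizeof overrides / sizeof overrides[0]; i++)
        if (overrides[i].port == dst_port)
            return overrides[i].seconds;
    return DEFAULT_ESTABLISHED_TIMEOUT;
}

/* Count the flow records one connection produces, assuming its state is
 * dropped once it has been idle for more than `timeout` seconds and the next
 * packet starts a new record. pkt_times are ascending, in seconds. */
int flow_records(const long *pkt_times, size_t n, int timeout)
{
    int records = n ? 1 : 0;
    size_t i;
    for (i = 1; i < n; i++)
        if (pkt_times[i] - pkt_times[i - 1] > timeout)
            records++;
    return records;
}

/* Constructed sample: one interactive session with long idle gaps. */
static const long idle_session[] = { 0, 20, 700, 710, 2500, 2510, 6000 };
#define IDLE_SESSION_LEN (sizeof idle_session / sizeof idle_session[0])

int main(void)
{
    printf("port 80: %d records\n",
           flow_records(idle_session, IDLE_SESSION_LEN, established_timeout(80)));
    printf("port 22: %d records\n",
           flow_records(idle_session, IDLE_SESSION_LEN, established_timeout(22)));
    return 0;
}
```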


