Argus Flow Timeout Issues
Carter Bullard
carter at qosient.com
Thu Dec 20 09:24:58 EST 2001
Hey Wozz,
Sorry, I missed replying to your mail!!
ragator() is the tool for you, it was designed
to extend the timeouts on a port basis, and
just about any basis that seems reasonable.
In my low speed environments, I have argus
generate records every second, and then I use
ragator to zip up the long records the next
day, or at the end of the week, when I archive
the data files.
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Wozz
> Sent: Monday, December 10, 2001 11:52 PM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: Argus Flow Timeout Issues
>
>
> On Thu, Nov 15, 2001 at 09:31:56AM -0500, Carter Bullard wrote:
> >
> > IP fragments - 5 seconds
> >
> > IGMP flows - 300 seconds
> > ARP flows - 300 seconds
> > Unknown protocol - 300 seconds
> >
> > Initial TCP flows - 15 seconds
> > Initial UDP flows - 15 seconds
> > Initial ESP flows - 15 seconds
> > Initial ICMP flows - 15 seconds
> >
> > All established flows - 300 seconds
> >
> > TCP closed - 10 seconds
> >
> >
>
> I've been thinking about this more. These values work great
> for short lived connections (HTTP, POP, etc) but not so well
> for longer lived connections (ssh, and several other
> applications on my networks). It might be useful to make
> these tweakable on a per-port basis. IE, I can set the
> default for established flows to be 300, but I could define
> that flows going to port 22 last 3600 seconds. I suppose this
> will result in higher memory usage, but if you only define
> those flows that you know are going to be longer lived, it
> shouldn't be too significant. Any thoughts?
>
>
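The per-port timeout idea discussed in this thread, sketched as an added example that is not part of the original messages and is not Argus or ragator code: it merges short-interval flow records by 5-tuple, using the 300-second default for established flows and the suggested 3600 seconds for port 22. The record layout, names and sample data are constructed for illustration.

```python
# Added illustration: merge periodic flow status records into long-lived
# flows using a per-port idle timeout (not Argus or ragator source code).
from collections import namedtuple

# One status record for a flow interval; field names are hypothetical.
Rec = namedtuple("Rec", "start last proto src sport dst dport pkts bytes")

DEFAULT_IDLE = 300        # "All established flows - 300 seconds" in the thread
PORT_IDLE = {22: 3600}    # per-port override suggested in the thread (ssh)


def idle_timeout(rec):
    """Idle timeout in seconds for this record's destination port."""
    return PORT_IDLE.get(rec.dport, DEFAULT_IDLE)


def merge_records(records):
    """Merge records of the same 5-tuple while the gap between them is
    within the idle timeout; a longer gap starts a new flow."""
    open_flows = {}   # 5-tuple -> index of the open merged flow in `merged`
    merged = []
    for rec in sorted(records, key=lambda r: r.start):
        key = (rec.proto, rec.src, rec.sport, rec.dst, rec.dport)
        idx = open_flows.get(key)
        if idx is not None and rec.start - merged[idx].last <= idle_timeout(rec):
            cur = merged[idx]
            merged[idx] = cur._replace(last=max(cur.last, rec.last),
                                       pkts=cur.pkts + rec.pkts,
                                       bytes=cur.bytes + rec.bytes)
        else:
            open_flows[key] = len(merged)
            merged.append(rec)
    return merged


# Constructed sample data: an ssh session that goes idle for 20 minutes,
# and an HTTP 5-tuple seen again after the same 20-minute gap.
SAMPLE = [
    Rec(0, 1, "tcp", "10.0.0.5", 40000, "10.0.0.9", 22, 10, 1200),
    Rec(1, 2, "tcp", "10.0.0.5", 40000, "10.0.0.9", 22, 4, 400),
    Rec(1202, 1203, "tcp", "10.0.0.5", 40000, "10.0.0.9", 22, 6, 700),
    Rec(0, 1, "tcp", "10.0.0.5", 40001, "10.0.0.9", 80, 8, 5000),
    Rec(1201, 1202, "tcp", "10.0.0.5", 40001, "10.0.0.9", 80, 8, 5200),
]

if __name__ == "__main__":
    for flow in merge_records(SAMPLE):
        print(flow)
```

With the sample data the ssh records collapse into one flow spanning the idle period, while the port 80 records stay as two flows because the gap exceeds the 300-second default.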