ragator default aggregation strategy

Carter Bullard carter at qosient.com
Wed Nov 14 14:19:49 EST 2001 

Hey Wozz,
The default aggregation strategy would be written as:

#
#label  id  SrcCIDRAddr DstCIDRAddr  Proto  SrcPort  DstPort   ModelList
Duration
Flow   100       *          *          *       *        *         200
0

#label  id      SrcAddrMask     DstAddrMask      Proto  SrcPort  DstPort
Model  200   255.255.255.255  255.255.255.255    yes     yes      yes

This rule will aggregate flows that have the same flow descriptors, so
as an example, for a single TCP flow that lasts long enough for Argus
to generate multiple records for the same flow, this model will
aggregate
only those records that match the single TCP record.  There is no
consideration for state, however, so there could be some situations
where
multiple TCP's are actually merged into one record, but most of the
time,
that is what you want anyway.

I think a duration of zero means don't time it out, but if this isn't
right
then Duration should have a very large number in it.

If something doesn't match, it is passed through ragator() unaltered. 
If you can't filter out the records that you are not interested in, then
construct a Flow descriptor that matches this boring data, and then have
that Flow reference a Model that does not perserve any fields. This will
allow you to pick the aggregate out of the resulting ragator stream,
and either tally it or drop it.

Hope this helps,

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Wozz
> Sent: Wednesday, November 14, 2001 1:58 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: ragator default aggregation strategy
> 
> 
> Greetings,
> 
>   I'm curious how ragator's default aggregation strategy 
> would be expressed in
> flowfile(5) syntax.  What I'm trying to do is filter out 
> known 'good' traffic flows, and then have the rest of the 
> traffic aggregated as ragator normally does.  If something is 
> not matched in a flowfile statement, is it aggregated as 
> ragator normally does?  If not, how would I configure the 
> flowfile to do so. Thanks!
> 
> Matt
> 
>

More information about the argus mailing list