Ok, really, the last one.....ragator question

Wozz wozz+argus at wookie.net
Wed Nov 14 20:57:21 EST 2001


On Wed, Nov 14, 2001 at 07:22:32PM -0500, Carter Bullard wrote:
> 
> Hey Wozz,
>    The issue is the '?' in the direction indicator.
> Because argus is absolutely stateful, it is saying
> that it doesn't know precisely who the source or the
> destination is (because it didn't see a SYN or a SYN_ACK
> before it saw the FIN).  With the '?' it's saying that
> the src and dst assignments may not be reliable.
> 
>    What probably happened is that argus timed the original
> flow out, before the stray FIN came in, and because there
> is no flow cache, it treats the lone FIN without any
> context.
> 
>    There is a solution.  First pass your traffic through
> ragator with no configuration.  It will correct the '?'.
> If there was a flow that this FIN belongs to, and it gets
> loaded into ragator before the FIN record is loaded, then
> it will discover the correct direction and merge the FIN
> report into the parent flow.
> 

Ah ha!

I get it now.  It appears to work correctly now without all the extra
flows.   What determines when a flow gets timed out?  Is that in argus or
in my ragator config?  The command line I'm using now is:

ragator -r * -w - host a.b.c.d |ragator -w - -f fmodel.conf -r - |
rasort -s startime -n -r -

Is there any way to shorten this?  Is there some way to make ragator
do its default aggregation first, then the defined flows, without running
ragator twice?
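As an added illustration of the merge rule Carter describes above (this is a simplified model written for this page, not argus or ragator code; ragator's real matching is richer), the Python below keeps a bidirectional flow table and folds a '?' record into a parent flow only if that parent was loaded first, which is exactly the ordering condition in Carter's reply. The record layout and sample traffic are constructed.

```python
from dataclasses import dataclass


@dataclass
class Record:
    """One argus-style flow record (hypothetical layout, constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags seen, e.g. "SA" or "F"
    direction: str    # "->" when argus saw the SYN/SYN_ACK, "?" when it could not tell


def _key(r: Record) -> frozenset:
    # Bidirectional key: a record whose endpoints are swapped still finds its parent flow.
    return frozenset({(r.src, r.sport), (r.dst, r.dport)})


def aggregate(records: list[Record]) -> list[Record]:
    """Model of a default (no-config) ragator pass over records loaded in order.

    A record for an endpoint pair that already has a loaded flow is merged into it,
    taking the parent's src/dst orientation. A '?' record that arrives with no parent
    loaded stays a separate flow, still marked '?', as in the case Carter describes.
    """
    flows: dict[frozenset, Record] = {}
    order: list[frozenset] = []
    for r in records:
        k = _key(r)
        parent = flows.get(k)
        if parent is None:
            flows[k] = Record(r.src, r.sport, r.dst, r.dport, r.flags, r.direction)
            order.append(k)
        else:
            # Merge the flag set into the parent; orientation of the parent wins.
            parent.flags = "".join(sorted(set(parent.flags) | set(r.flags)))
    return [flows[k] for k in order]


# Constructed sample: a completed handshake, then a stray FIN that argus reported
# with the server as src and a '?' direction because it had no flow context.
SAMPLE = [
    Record("10.0.0.1", 40000, "10.0.0.2", 80, "SA", "->"),
    Record("10.0.0.2", 80, "10.0.0.1", 40000, "F", "?"),
]


def demo() -> list[Record]:
    return aggregate(SAMPLE)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.src}:{f.sport} {f.direction} {f.dst}:{f.dport} flags={f.flags}")
```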
