Ragator config file questions

Wozz wozz+argus at wookie.net
Tue Sep 25 15:08:07 EDT 2001


Am I correct that there is no flowfile(5) man page yet?  Assuming so,
perhaps someone could give me an idea of what I'm doing wrong.

I'm trying to profile my network traffic in preparation for putting
firewall rules into an existing network.  I want to aggregate the traffic
so I can see what services are on my network.  In other words, I don't want
to see every single mail transaction, just that there are mail transactions
going to this particular system.  I've set up a ragator config file as
follows:

Flow    101     *       a.b.c.0:24  tcp     *       *       201     300
Flow    102     *       a.b.c.0:24  udp     *       *       202     300
Flow    103     *       a.b.c.0:24  icmp    *       *       203     300
Model   201     0.0.0.0 255.255.255.255 no      no      yes
Model   202     0.0.0.0 255.255.255.255 no      no      yes
Model   203     0.0.0.0 255.255.255.255 no      no      yes

The network my servers are on is a.b.c.0/24, but this doesn't seem to
accomplish what I want; when I run ragator as follows:

ragator -f rag.conf -r argusdata -

I just get what appears to be a printout of every transaction, with no
aggregation.  Does anyone have some idea of how I could go about this?  I
just want to get a good picture of the services that are actually receiving
traffic on my network without duplicate records, i.e. one per service/server.

Help?
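The aggregation the post is asking for (one line per protocol/server/service for the server subnet, instead of one line per transaction) is easy to state in code even without knowing the ragator semantics. The following is an added example, not part of the original message and not ragator's or argus's own code: it parses constructed, ra(1)-style text flow records (the record layout, the 192.0.2.0/24 server network and the sample addresses are all assumptions made for the example), keeps only flows destined for the server subnet, and collapses them by (proto, destination host, destination port), counting flows, packets, bytes and distinct client addresses.

```python
import ipaddress

# Constructed sample records, laid out like ra(1) text output:
# proto  src_addr[.port]  dir  dst_addr[.port]  pkts  bytes
# (addresses and counts are invented for this example)
SAMPLE_RECORDS = """\
tcp   10.1.1.5.34567   ->  192.0.2.10.25     12   1800
tcp   10.1.1.6.40001   ->  192.0.2.10.25      9   1400
tcp   10.1.1.5.34570   ->  192.0.2.11.80     30  41000
udp   10.1.1.7.53000   ->  192.0.2.12.53      2    300
udp   10.1.1.8.53001   ->  192.0.2.12.53      2    280
icmp  10.1.1.5         ->  192.0.2.10         1     64
tcp   10.1.1.9.50000   ->  203.0.113.5.443   40  52000
"""

# Assumed server network, standing in for the post's a.b.c.0/24
SERVER_NET = "192.0.2.0/24"


def split_addr_port(proto, token):
    """Split 'a.b.c.d.port' into (ip, port) for tcp/udp; icmp has no port."""
    if proto in ("tcp", "udp"):
        ip, port = token.rsplit(".", 1)
        return ip, int(port)
    return token, None


def parse_record(line):
    """Parse one text record into a dict; return None for blank/malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    proto, src, _direction, dst, pkts, nbytes = fields
    src_ip, src_port = split_addr_port(proto, src)
    dst_ip, dst_port = split_addr_port(proto, dst)
    return {
        "proto": proto,
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "pkts": int(pkts), "bytes": int(nbytes),
    }


def aggregate_services(records_text, server_net):
    """Collapse flows to one entry per (proto, server, service).

    Only flows whose destination lies inside server_net are kept, since the
    goal is to see which services on the server subnet actually receive
    traffic.  The source host and port are deliberately dropped from the key
    so that every client of a service lands in the same bucket.
    """
    net = ipaddress.ip_network(server_net)
    summary = {}
    for line in records_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["dst_ip"]) not in net:
            continue  # not a server on our subnet; ignore outbound traffic
        key = (rec["proto"], rec["dst_ip"], rec["dst_port"])
        entry = summary.setdefault(
            key, {"flows": 0, "pkts": 0, "bytes": 0, "sources": set()})
        entry["flows"] += 1
        entry["pkts"] += rec["pkts"]
        entry["bytes"] += rec["bytes"]
        entry["sources"].add(rec["src_ip"])
    return summary


def format_summary(summary):
    """Render the aggregate as one text line per service, sorted for reading."""
    lines = []
    for (proto, ip, port), e in sorted(
            summary.items(), key=lambda kv: (kv[0][0], kv[0][1], kv[0][2] or -1)):
        service = f"{ip}:{port}" if port is not None else ip
        lines.append(f"{proto:5} {service:20} flows={e['flows']:3} "
                     f"pkts={e['pkts']:5} bytes={e['bytes']:7} "
                     f"clients={len(e['sources'])}")
    return lines


if __name__ == "__main__":
    for line in format_summary(aggregate_services(SAMPLE_RECORDS, SERVER_NET)):
        print(line)
```

On the sample data this yields four lines (smtp and icmp on 192.0.2.10, http on 192.0.2.11, dns on 192.0.2.12); the flow to 203.0.113.5 is dropped because its destination is outside the server subnet. The same grouping key is what a "one record per service/server" firewall-profiling pass needs, whatever tool produces the underlying flow records.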


