Ragator config file questions

Carter Bullard carter at qosient.com
Tue Sep 25 15:18:01 EDT 2001 

Hey Wozz,
   The problem may be in the 300 that you have at the end
of your flow id lines.  This tells ragator how long
(in seconds) it should hold the aggregated record in its
cache before it flushes.  If you want to aggregate all
the records for a 24 hour period, for instance, this number
should be 86400.

   Generally, I have this number really big, because I
want the input to define the scope of the aggregation.
In other words, if I feed ragator() an entire month's
worth of records, I usually want it to aggregate it over
the whole month range.  But that's just me.

   Give a large number a try, and if that doesn't do it
maybe there's a bug.


Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Wozz
> Sent: Tuesday, September 25, 2001 3:08 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Ragator config file questions
> 
> 
> Am I correct that there is no flowfile(5) man page yet?  
> Assuming so, perhaps someone could give me an idea of what 
> I'm doing wrong.
> 
> I'm trying to profile my network traffic in preparation for 
> putting firewall rules into an existing network.  I want to 
> aggregate the traffic so I can see what services are on my 
> network.  In other words, I don't want to see every single 
> mail transaction, just that there are mail transactions going 
> to this particular system.  I've setup a ragator config file as
> follows:
> 
> Flow    101     *       a.b.c.0:24  tcp     *       *       
> 201     300
> Flow    102     *       a.b.c.0:24  udp     *       *       
> 202     300
> Flow    103     *       a.b.c.0:24  icmp    *       *       
> 203     300
> Model   201     0.0.0.0 255.255.255.255 no      no      yes
> Model   202     0.0.0.0 255.255.255.255 no      no      yes
> Model   203     0.0.0.0 255.255.255.255 no      no      yes
> 
> The network my servers is on is a.b.c.0/24, but this doesn't 
> seem to accomplish what I want, when I run ragator as follows:
> 
> ragator -f rag.conf -r argusdata -
> 
> I just get what appears to be a print out of every 
> transaction, with no aggregation.  Does anyone have some idea 
> of how I could go about this?  I just want to get a good 
> picture of the services that are actually receiving traffic 
> on my network without duplicate records, ie one per service/server.
> 
> Help?
> 
> 
>

More information about the argus mailing list