Ragator config file questions

Carter Bullard carter at qosient.com
Tue Sep 25 15:20:03 EDT 2001 

Ohhh, and I just realized one other thing,
your Model definitions are not preserving
the proto field.  You should make this mod

Model   201     0.0.0.0 255.255.255.255 yes     no      yes
Model   202     0.0.0.0 255.255.255.255 yes     no      yes
Model   203     0.0.0.0 255.255.255.255 yes     no      yes

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Wozz
> Sent: Tuesday, September 25, 2001 3:08 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Ragator config file questions
> 
> 
> Am I correct that there is no flowfile(5) man page yet?  
> Assuming so, perhaps someone could give me an idea of what 
> I'm doing wrong.
> 
> I'm trying to profile my network traffic in preparation for 
> putting firewall rules into an existing network.  I want to 
> aggregate the traffic so I can see what services are on my 
> network.  In other words, I don't want to see every single 
> mail transaction, just that there are mail transactions going 
> to this particular system.  I've setup a ragator config file as
> follows:
> 
> Flow    101     *       a.b.c.0:24  tcp     *       *       
> 201     300
> Flow    102     *       a.b.c.0:24  udp     *       *       
> 202     300
> Flow    103     *       a.b.c.0:24  icmp    *       *       
> 203     300
> Model   201     0.0.0.0 255.255.255.255 no      no      yes
> Model   202     0.0.0.0 255.255.255.255 no      no      yes
> Model   203     0.0.0.0 255.255.255.255 no      no      yes
> 
> The network my servers is on is a.b.c.0/24, but this doesn't 
> seem to accomplish what I want, when I run ragator as follows:
> 
> ragator -f rag.conf -r argusdata -
> 
> I just get what appears to be a print out of every 
> transaction, with no aggregation.  Does anyone have some idea 
> of how I could go about this?  I just want to get a good 
> picture of the services that are actually receiving traffic 
> on my network without duplicate records, ie one per service/server.
> 
> Help?
> 
> 
>

More information about the argus mailing list