Ragator config file questions

Tue Sep 25 15:33:04 EDT 2001

Ahhhhhhhhhh,
If records don't match a Flow descriptor then they
are passed through without any aggregation.  No rule,
no aggregation.  You either need to filter the input,
or put in a catch all Flow model, and an aggregate
all Model definition.

Flow  104  * * * * *  204 10000000
Model 204  0.0.0.0 0.0.0.0 no no no

That should help!

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: Wozz [mailto:wozz+argus at wookie.net] 
> Sent: Tuesday, September 25, 2001 3:25 PM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: Ragator config file questions
> 
> 
> On Tue, Sep 25, 2001 at 03:20:03PM -0400, Carter Bullard wrote:
> > Ohhh, and I just realized one other thing,
> > your Model definitions are not preserving
> > the proto field.  You should make this mod
> > 
> > Model   201     0.0.0.0 255.255.255.255 yes     no      yes
> > Model   202     0.0.0.0 255.255.255.255 yes     no      yes
> > Model   203     0.0.0.0 255.255.255.255 yes     no      yes
> > 
> 
> Nope, neither of those seemed to fix it.  Another thing I've 
> noticed is that records with destinations outside my network 
> are getting reported too:
> 
> 25 Sep 01 14:53:47    tcp    a.b.c.18.35958  ->     209.125.127.5.25
> FIN
> 
> Am I misunderstanding something, or shoudl that not be 
> reported, since I'm asking only for destination's on my 
> network (209.125.127.5 is not on my
> network)
> 