Ragator 'flows'

[Carter Bullard]

Hey Russell,
   You are getting 10 records because you have a status timer
of 300 seconds in your flow description.  They are coming out
of ragator sorted in an order other than startime, so it looks
a little confusing, but you are getting 5 minute status reports
on your aggregated flow.  If you want to process the whole file
and generate only one record per aggregated flow, you should
have the status timer field be 0. 

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street
Suite 18K
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Russell Fulton
> Sent: Tuesday, July 30, 2002 10:40 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Ragator 'flows'
> 
> 
> 
> Hi, 
> 	I've started having a play with the flow modeling in 
> ragator and for a start I have tried to aggregate all tcp 
> traffic by destination port number.  All works as expected 
> except that I get 10 records for each port number.  see 
> attachment (since I cant stop this stupid composer from 
> wrapping text....
> 
> Hmmmm... is there any straight forward way of distinguishing 
> inbound and out bound traffic?  I know how to do this with 
> netramet but I suspect that with ragator that I would have to 
> have two flows one with source address 130.216/16 and one 
> with it as destination and then add the source bytes from one 
> to the dest bytes for the other.
> 
> Cheers, Russell
> 
> -- 
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 
> "It ain't necessarily so"  - Gershwin
>