FlowScan w/argus?

Dave Plonka plonka at doit.wisc.edu
Wed Jan 9 18:54:11 EST 2002


On Wed, Jan 09, 2002 at 04:48:48PM -0500, Carter Bullard wrote:
> Hey Dave, 
> Ok, lets get terminology down so we can communicate effectively.
> Argus generates argus records, ra* programs collect, aggregate
> process and manage streams, files, archives of argus data.

Sorry if I was running fast and loose with argus terminology...
 
> You want to work with a ra* (read argus)* style program.

OK.  I'll take a look.
 
> Why don't we just write an argusfile -> flowfile converter.

That's one way to go, but that will actually be one of the side effects
of what I proposed with the perl Cflow module, since Cflow can produce
raw cflowd format files.  We would be able to convert it like this:

      $ flowdumper -r argus.out > argus.cflowd

However, the cflowd format leaves some things to be desired.  For
instance, it discards sub-second timestamp granularity, so it would be
a lossy conversion.

There is a precedent for Cflow reading the argus records directly,
since that is how I added flow-tools support - by reading flow-tools
NetFlow file-format directly using its API.

Also, to keep things simple for end-users, another filter process that
would have to look for new files to appear and run between the
collection and analysis of any given file might not be so nice, except
for maybe Rube Goldberg.

Dave

-- 
plonka at doit.wisc.edu  http://net.doit.wisc.edu/~plonka  ARS:N9HZF  Madison, WI
