FlowScan w/argus?
Dave Plonka
plonka at doit.wisc.edu
Fri Jan 11 16:09:16 EST 2002
On Wed, Jan 09, 2002 at 04:48:48PM -0500, Carter Bullard wrote:
> OK, let's get terminology down so we can communicate effectively.
> Argus generates argus records, ra* programs collect, aggregate
> process and manage streams, files, archives of argus data.
Ah, now I see what you mean. Previously, in my Cflow and FlowScan
documentation, I referred to any software package that wrote raw flow
records to files as a "flow collector", which doesn't match the argus
terminology.
Perhaps I'll change my documentation to refer to "cflowd", flow-tools'
"flow-capture", and "argus" as "flow file sources", since they can each
be the source of the time-stamped raw flow files that are input to
FlowScan.
> You want to work with a ra* (read argus)* style program.
OK, things are coming along pretty well. I have a working version of
the Cflow perl module now that can read "argus.out" files directly and
grok argus records. I'll release it (announcing in this list) after I
do some more testing.
There is one bit I haven't figured out yet:
In my "process_icmp" call-back function, I found the "forward" ICMP
type and code (src -> dst) but not the "reverse" (dst -> src) type and
code in the argus record.
When process_icmp handles an argus record with a non-zero
argus->argus_far.dst.count, does that count always represent ECHOREPLY
packets? Or are there sometimes other ICMP types that are counted from
dst -> src?
To ask another way, does Argus store any kinds of ICMP flows other than
ECHO/ECHOREPLY bidirectionally? From my reading of the "raxml.c" code,
I only see it referring to a single ICMP type and code value per
argus_far structure. Is ECHOREPLY implied for the dst -> src count?
Thanks,
Dave
--
plonka at doit.wisc.edu http://net.doit.wisc.edu/~plonka ARS:N9HZF Madison, WI
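To make the question above concrete, here is a toy bidirectional ICMP flow aggregator, added as an illustration and not code from argus, Cflow or FlowScan. It assumes a pairing rule (ECHOREPLY is folded onto the reverse ECHO record; every other ICMP type opens its own unidirectional record) and uses a constructed packet list; whether argus actually behaves this way is exactly what the message asks, so treat the rule as a hypothesis, not a description of argus. The point it shows is that under such a rule the dst -> src count can only ever contain ECHOREPLY, which is why a record can get away with storing a single type/code, and that a Destination Unreachable sent back by the original destination lands in a separate record rather than in the reverse count.

```python
"""Toy bidirectional ICMP flow aggregator (added example; not argus/Cflow code)."""
from dataclasses import dataclass, field

# ICMP message types used in the constructed sample (RFC 792 values).
ICMP_ECHOREPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO = 8
ICMP_TIME_EXCEEDED = 11


@dataclass
class IcmpFlow:
    """One flow record: the forward type/code is the key, like a single
    type/code slot in a record, while rev_types records what was actually
    seen dst -> src so the 'implied ECHOREPLY' assumption can be checked."""
    src: str
    dst: str
    fwd_type: int
    fwd_code: int
    src_count: int = 0                       # packets src -> dst
    dst_count: int = 0                       # packets dst -> src
    rev_types: set = field(default_factory=set)  # (type, code) seen dst -> src


def flow_key(src, dst, itype, icode):
    """Return (key, direction) for a packet.

    Hypothetical pairing rule: only ECHOREPLY is treated as the reverse half
    of an ECHO flow; any other ICMP type is its own unidirectional flow.
    """
    if itype == ICMP_ECHOREPLY:
        return (dst, src, ICMP_ECHO, 0), "rev"
    return (src, dst, itype, icode), "fwd"


def aggregate(packets):
    """Fold (src, dst, type, code) packets into IcmpFlow records keyed by
    (src, dst, fwd_type, fwd_code)."""
    flows = {}
    for src, dst, itype, icode in packets:
        key, direction = flow_key(src, dst, itype, icode)
        flow = flows.get(key)
        if flow is None:
            ksrc, kdst, ktype, kcode = key
            flow = flows[key] = IcmpFlow(ksrc, kdst, ktype, kcode)
        if direction == "fwd":
            flow.src_count += 1
        else:
            flow.dst_count += 1
            flow.rev_types.add((itype, icode))
    return flows


# Constructed sample, not captured traffic: three echo requests, two echo
# replies, one port-unreachable from the pinged host, and a TTL-exceeded
# from a third host.
SAMPLE_PACKETS = [
    ("10.0.0.1", "10.0.0.2", ICMP_ECHO, 0),
    ("10.0.0.2", "10.0.0.1", ICMP_ECHOREPLY, 0),
    ("10.0.0.1", "10.0.0.2", ICMP_ECHO, 0),
    ("10.0.0.2", "10.0.0.1", ICMP_ECHOREPLY, 0),
    ("10.0.0.1", "10.0.0.2", ICMP_ECHO, 0),
    ("10.0.0.2", "10.0.0.1", ICMP_DEST_UNREACH, 3),   # not folded into the echo flow
    ("10.0.0.5", "10.0.0.1", ICMP_TIME_EXCEEDED, 0),
]


def demo():
    """Aggregate the constructed sample and return the flow table."""
    return aggregate(SAMPLE_PACKETS)


if __name__ == "__main__":
    for key, flow in demo().items():
        print(key, "src_count", flow.src_count, "dst_count", flow.dst_count,
              "reverse type/code seen:", sorted(flow.rev_types) or "none")
```

Under this rule the echo flow ends up with src_count 3, dst_count 2 and the only reverse type/code ever recorded is (0, 0); the Destination Unreachable from 10.0.0.2 becomes a separate one-packet record. If a real argus.out file ever showed a non-zero dst count on a non-ECHO ICMP record, that would answer the question in the other direction.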