Ragator 'flows'

Russell Fulton r.fulton at auckland.ac.nz
Tue Jul 30 22:40:26 EDT 2002 

Hi, 
	I've started having a play with the flow modeling in ragator and for a
start I have tried to aggregate all tcp traffic by destination port
number.  All works as expected except that I get 10 records for each
port number.  see attachment (since I cant stop this stupid composer
from wrapping text....

Hmmmm... is there any straight forward way of distinguishing inbound and
out bound traffic?  I know how to do this with netramet but I suspect
that with ragator that I would have to have two flows one with source
address 130.216/16 and one with it as destination and then add the
source bytes from one to the dest bytes for the other.

Cheers, Russell

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so"  - Gershwin
-------------- next part --------------
31 Jul 02 14:30:52   *E      tcp         0.0.0.0    *   ->           0.0.0.0.80    198309   301394    145847144    1654251360  RST
31 Jul 02 14:06:56   *E      tcp         0.0.0.0    *   ->           0.0.0.0.80    186741   244227    45900530     488350508   RST
31 Jul 02 14:26:53   *@      tcp         0.0.0.0    *   ->           0.0.0.0.80    179321   242341    129670672    1380412006  RST
31 Jul 02 14:10:53   *E      tcp         0.0.0.0    *   ->           0.0.0.0.80    175208   235167    61561853     671736467   RST
31 Jul 02 14:22:54   *@      tcp         0.0.0.0    *   ->           0.0.0.0.80    179452   236543    112386421    1196279979  RST
31 Jul 02 14:18:54   *@      tcp         0.0.0.0    *   ->           0.0.0.0.80    184937   238724    95287460     1018641910  RST
31 Jul 02 14:14:52   *@      tcp         0.0.0.0    *   ->           0.0.0.0.80    178751   229772    77932443     844876844   RST
31 Jul 02 14:34:51   *@      tcp         0.0.0.0    *   ->           0.0.0.0.80    161708   207499    161283606    1806084863  RST
31 Jul 02 13:58:59   *@      tcp         0.0.0.0    *   ->           0.0.0.0.80    149680   194404    14271096     149602429   RST
31 Jul 02 14:02:58   *@      tcp         0.0.0.0    *   ->           0.0.0.0.80    162116   198034    30065685     289835786   RST

#label   id    SrcCIDRAddr        DstCIDRAddr         Proto  SrcPort  DstPort   ModelList  Duration

Flow     100       *                  *                tcp      *        *        210        300


# TCP and UDP Flow Model Definitions
# label  id      SrcAddrMask     DstAddrMask      Proto  SrcPort  DstPort

Model    210    0.0.0.0         0.0.0.0            yes       no       yes

More information about the argus mailing list