Reconstituting flows

[Carter Bullard]

Hey Chris,
If you have two argi looking at each side of the
pipe, you will generate two argus data streams of
half-duplex flow reports.  You can merge these
half-duplex argus records back together using ragator,
just as ragator merges netflow records into the single
full-duplex flow report.  Because ragator can connect
to two argus sources in real-time, you can do the
reconstitution on the fly.   The required ragator
configuration file will take a bit of tuning, but it
is more than doable.

CMU is testing a collector that is designed to be much
better than the freebie ragator at load.  That code
is part of the commercial argus effort and may eventually
be what your looking for.


Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of newton
> Sent: Wednesday, March 27, 2002 8:48 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Reconstituting flows
> 
> 
> Hi all.  If I have a big fat pipe I want to monitor, and I am 
> wondering if it 
> might be better if I buy two boxes, and a tap to do the work. 
>  With the tap, I 
> would split off both sides of the full duplex connection and 
> send each side of 
> that conenction to a single box running argus.  My question 
> is, when Argus 
> builds flows out of these on both boxes, how can I 'reconnect', or 
> reconstitute these flows back into 1 flow?
> 
>  Anyone got any ideas?
> 
> Thanks
> 
> Chris
> 
> 
> 
>