Reconstituting flows

Carter Bullard carter at qosient.com
Wed Mar 27 11:00:36 EST 2002 

The commercial data is a superset of argus data,
but at present, the freebie ra* programs read
commercial data fine, however they can't read the
enhanced data.  That may change, since the commercial
stuff isn't going to be in concrete for a few months
still.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: newton [mailto:newton at unb.ca] 
> Sent: Wednesday, March 27, 2002 11:07 AM
> To: argus-info at lists.andrew.cmu.edu; carter at qosient.com
> Subject: RE: Reconstituting flows
> 
> 
> Thanks Carter.  Yup, the commercial version is definatly what 
> I will be moving 
> towards.  Right now, unfortunatly, isn't quite the right 
> time... as much as 
> I'd like it to be.  Also, is the flow format a little 
> different in the 
> commercial version?  That was one of my other concerns (ie: 
> if it is diff, I 
> need time to do integration/changes to the new argii, and testing).
> 
>   Thanks for the comments on ragator... that what I, during 
> my sleepy sleepy 
> time last night, was thinking might be my answer.
> 
> Thanks!
> 
> Chris
> 
> >===== Original Message From <carter at qosient.com> =====
> >Hey Chris,
> >If you have two argi looking at each side of the
> >pipe, you will generate two argus data streams of
> >half-duplex flow reports.  You can merge these
> >half-duplex argus records back together using ragator,
> >just as ragator merges netflow records into the single 
> full-duplex flow 
> >report.  Because ragator can connect to two argus sources in 
> real-time, 
> >you can do the
> >reconstitution on the fly.   The required ragator
> >configuration file will take a bit of tuning, but it
> >is more than doable.
> >
> >CMU is testing a collector that is designed to be much
> >better than the freebie ragator at load.  That code
> >is part of the commercial argus effort and may eventually
> >be what your looking for.
> >
> >
> >Carter
> >
> >Carter Bullard
> >QoSient, LLC
> >300 E. 56th Street, Suite 18K
> >New York, New York  10022
> >
> >carter at qosient.com
> >Phone +1 212 588-9133
> >Fax   +1 212 588-9134
> >http://qosient.com
> >
> >> -----Original Message-----
> >> From: owner-argus-info at lists.andrew.cmu.edu
> >> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of newton
> >> Sent: Wednesday, March 27, 2002 8:48 AM
> >> To: argus-info at lists.andrew.cmu.edu
> >> Subject: Reconstituting flows
> >>
> >>
> >> Hi all.  If I have a big fat pipe I want to monitor, and I am 
> >> wondering if it might be better if I buy two boxes, and a 
> tap to do 
> >> the work.  With the tap, I
> >> would split off both sides of the full duplex connection and
> >> send each side of
> >> that conenction to a single box running argus.  My question
> >> is, when Argus
> >> builds flows out of these on both boxes, how can I 'reconnect', or
> >> reconstitute these flows back into 1 flow?
> >>
> >>  Anyone got any ideas?
> >>
> >> Thanks
> >>
> >> Chris
> >>
> >>
> >>
> >>
> 
> 
> 
>

More information about the argus mailing list