Reconstituting flows
newton
newton at unb.ca
Wed Mar 27 12:07:39 EST 2002
Ahh, great, thats good to know. That makes the decision easier. :)
Chris
>===== Original Message From <carter at qosient.com> =====
>The commercial data is a superset of argus data,
>but at present, the freebie ra* programs read
>commercial data fine, however they can't read the
>enhanced data. That may change, since the commercial
>stuff isn't going to be in concrete for a few months
>still.
>
>Carter
>
>Carter Bullard
>QoSient, LLC
>300 E. 56th Street, Suite 18K
>New York, New York 10022
>
>carter at qosient.com
>Phone +1 212 588-9133
>Fax +1 212 588-9134
>http://qosient.com
>
>> -----Original Message-----
>> From: newton [mailto:newton at unb.ca]
>> Sent: Wednesday, March 27, 2002 11:07 AM
>> To: argus-info at lists.andrew.cmu.edu; carter at qosient.com
>> Subject: RE: Reconstituting flows
>>
>>
>> Thanks Carter. Yup, the commercial version is definatly what
>> I will be moving
>> towards. Right now, unfortunatly, isn't quite the right
>> time... as much as
>> I'd like it to be. Also, is the flow format a little
>> different in the
>> commercial version? That was one of my other concerns (ie:
>> if it is diff, I
>> need time to do integration/changes to the new argii, and testing).
>>
>> Thanks for the comments on ragator... that what I, during
>> my sleepy sleepy
>> time last night, was thinking might be my answer.
>>
>> Thanks!
>>
>> Chris
>>
>> >===== Original Message From <carter at qosient.com> =====
>> >Hey Chris,
>> >If you have two argi looking at each side of the
>> >pipe, you will generate two argus data streams of
>> >half-duplex flow reports. You can merge these
>> >half-duplex argus records back together using ragator,
>> >just as ragator merges netflow records into the single
>> full-duplex flow
>> >report. Because ragator can connect to two argus sources in
>> real-time,
>> >you can do the
>> >reconstitution on the fly. The required ragator
>> >configuration file will take a bit of tuning, but it
>> >is more than doable.
>> >
>> >CMU is testing a collector that is designed to be much
>> >better than the freebie ragator at load. That code
>> >is part of the commercial argus effort and may eventually
>> >be what your looking for.
>> >
>> >
>> >Carter
>> >
>> >Carter Bullard
>> >QoSient, LLC
>> >300 E. 56th Street, Suite 18K
>> >New York, New York 10022
>> >
>> >carter at qosient.com
>> >Phone +1 212 588-9133
>> >Fax +1 212 588-9134
>> >http://qosient.com
>> >
>> >> -----Original Message-----
>> >> From: owner-argus-info at lists.andrew.cmu.edu
>> >> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of newton
>> >> Sent: Wednesday, March 27, 2002 8:48 AM
>> >> To: argus-info at lists.andrew.cmu.edu
>> >> Subject: Reconstituting flows
>> >>
>> >>
>> >> Hi all. If I have a big fat pipe I want to monitor, and I am
>> >> wondering if it might be better if I buy two boxes, and a
>> tap to do
>> >> the work. With the tap, I
>> >> would split off both sides of the full duplex connection and
>> >> send each side of
>> >> that conenction to a single box running argus. My question
>> >> is, when Argus
>> >> builds flows out of these on both boxes, how can I 'reconnect', or
>> >> reconstitute these flows back into 1 flow?
>> >>
>> >> Anyone got any ideas?
>> >>
>> >> Thanks
>> >>
>> >> Chris
>> >>
>> >>
>> >>
>> >>
>>
>>
>>
>>
More information about the argus
mailing list