Timeranges

Carter Bullard carter at qosient.com
Fri Feb 13 10:31:49 EST 2004


Hey Steve,
Sorry for the delayed response, I was on the road.
Yes if we can decide what we want we can make changes.
Although my time, as I'm sure you've all guessed, is very thin.

Argus will immediately start building flow records based on
any packets that it sees, so it will report flows starting
in the middle, if they exist when Argus starts up.  For
many UDP based flows, there isn't really a state that would
indicate what 'the middle' is, so argus just reports what
it sees.

For flows like TCP, if we start in the middle, argus will
indicate that in the record.  Ra() will print out a '?' in
the direction field for these records, since we won't know
who the real source/destination are.

As for the time range issues, I'll follow up to Andrew's
mail with some detail on that.

Hope this helps,

Carter




-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Steve McInerney
Sent: Wednesday, February 11, 2004 12:07 AM
To: Peter Van Epp
Cc: argus-info at lists.andrew.cmu.edu; Andrew Pollock
Subject: Re: Timeranges

Perhaps the best option, from Carter's perspective might be an actual
patch submission. ;-)

But I would agree here Peter, being able to include flows that only
started and finished within a time range would be appropriate. And thanks for
the reminder of the flows/timing!


Perhaps, on further reflection, it might be appropriate to even go so
far as to ignore the split flows in this context, i.e. exclude that
portion of any flow which lies outside the time range; fractional flows
if that's clearer. I'm unsure how this would work at the detail level
with argus as it currently stands tho?
To a large extent it would depend on how one wishes to use the end data.
Is it a raw size count?; Or the flows themselves that are of interest?

The intended end result should be looked at in more detail?

I can make an educated guess as to which Andrew would prefer, but it
would be more appropriate for him to enlarge IMHO.



Come to think of it - how DOES argus deal with split flows - for example
at startup? Does it simply ignore any already happening sessions?


- Steve

Peter Van Epp wrote:
>         You will indeed have overlaps at the boundary. The time range command
> accepts any flow that intersects the time range (i.e. starts before but ends
> after the selected start time, or starts before the end time and ends after
> the end time). This means that flows that cross the boundary either way will
> be included in both sections. You would probably need to write something that
> detected such flows and deleted them in one record or the other.
> 	The simple solution of course would be to change your cron job for
> future entries to cut the interval in half and stick the two segments
> together in ra to process a whole day's records as you used to do before it
> got too large. That should avoid the split problem entirely with current
> technology.
>         Another option would be to convince Carter to change the time range
> command (possibly with a different flag) to something like a rule "if the
> start is in the time range include it, if it isn't don't (because it will get
> picked up in the next split interval)" which would include the flow in only one
> of the two split flows at the cost of a change in semantics. A new flag may be
> in order because both options may be useful at different times since they do
> slightly different things.
> 	We would need to think carefully about the boundary conditions though
> to make sure it doesn't do something unexpected (at first thought I think it
> should work though).
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
>
> On Wed, Feb 11, 2004 at 12:17:22PM +1000, Andrew Pollock wrote:
>
>>On Wed, Feb 11, 2004 at 12:56:50PM +1100, Steve McInerney wrote:
>>
>>>Hi Andrew,
>>>
>>>I've not done it for hours per se, but have done days. The ra man page
>>>gives the details on how to do hours as well. Just a minor modification.
>>>
>>>from my notes:
>>>ra -n -w ~/argus-oct.argus -t '2002/10/01-2002/10/31' -r
>>>/var/log/argus/argus.out.0.bz2 ?
>>
>>What I'm currently experimenting with is:
>>
>>ra -r 2003-12-01 -t 12/01.00-12
>>and
>>ra -r 2003-12-01 -t 12/01.12-24
>>
>>but I suspect I'm going to have overlap/underlap issues.
>>
>>i.e. I've already got logfiles on a daily basis, I want to split them down
>>further
>>
>>Andrew
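Added illustration, not code from this thread or from argus/ra itself: the two selection rules discussed above, the current "any flow that intersects the range" behaviour and Peter's proposed "only if the flow starts in the range" alternative, applied to constructed flow records with a day split at noon as in Andrew's `-t 12/01.00-12` / `-t 12/01.12-24` runs. The flow ids, timestamps and the half-open range convention are assumptions of the example.

```python
from datetime import datetime

# Constructed sample flows (id, start, end); not real argus records.
FLOWS = [
    ("a", datetime(2003, 12, 1, 3, 0), datetime(2003, 12, 1, 3, 5)),
    ("b", datetime(2003, 12, 1, 11, 55), datetime(2003, 12, 1, 12, 10)),  # crosses the noon boundary
    ("c", datetime(2003, 12, 1, 12, 0), datetime(2003, 12, 1, 12, 1)),    # starts exactly on the boundary
    ("d", datetime(2003, 12, 1, 18, 0), datetime(2003, 12, 1, 18, 30)),
    ("e", datetime(2003, 11, 30, 23, 50), datetime(2003, 12, 2, 0, 10)),  # long flow spanning both halves
]

# The two halves of 2003-12-01, treated as half-open intervals [lo, hi).
RANGES = {
    "00-12": (datetime(2003, 12, 1, 0, 0), datetime(2003, 12, 1, 12, 0)),
    "12-24": (datetime(2003, 12, 1, 12, 0), datetime(2003, 12, 2, 0, 0)),
}


def intersects(flow, lo, hi):
    """Current ra -t semantics as described by Peter: keep any flow whose
    lifetime overlaps the range, so a boundary-crossing flow lands in both halves."""
    _, start, end = flow
    return start < hi and end > lo


def starts_in(flow, lo, hi):
    """Proposed alternative rule: keep a flow only if it starts inside the
    range, so each flow is assigned to exactly one interval."""
    _, start, _ = flow
    return lo <= start < hi


def select(rule, flows, ranges):
    """Return {range_name: [flow ids]} for the given selection rule."""
    return {name: [f[0] for f in flows if rule(f, lo, hi)]
            for name, (lo, hi) in ranges.items()}


def count_occurrences(selection):
    """How many ranges each flow id was placed in; >1 means double counting."""
    counts = {}
    for ids in selection.values():
        for fid in ids:
            counts[fid] = counts.get(fid, 0) + 1
    return counts


if __name__ == "__main__":
    for rule in (intersects, starts_in):
        sel = select(rule, FLOWS, RANGES)
        print(rule.__name__, sel, "double counted:",
              [fid for fid, n in count_occurrences(sel).items() if n > 1])
```

Note that under the start-in-range rule flow "e" falls in neither half of 2003-12-01, because it started on the previous day and would have been picked up by that day's interval; that is the boundary condition Peter says needs careful thought.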