[ARGUS] ragator flowfile format change?

Carter Bullard carter at qosient.com
Mon May 10 11:42:05 EDT 2004


Hey Roman,
New code, hidden options.  Take a look at the sample ragator.conf file
in the ./support/Config directory, it mentions 4 new options, and we need
to turn one on to get the output you're looking for.

Add this line to the beginning of your 195.68.217.13.new configuration:

RAGATOR_AUTO_CORRECTION=no

You should get the correct output after that.  The record autocorrection
logic is/was on by default, and it was 'fixing' your data for you.
This undocumented auto correction feature 'fixes' records that may be
flipped, and it does this by looking to see if the reverse flow is in
the cache if the forward flow can't be found.  In your case,

   *        <->   x.y.z.w

wasn't in the cache when ragator first sees it in the stream, but

   x.y.z.w  <->   *

is, so, unfortunately, ragator 'corrected' the record.  Not what
you're looking for.

It's definitely not supposed to be on by default, so I'll fix this
in the current ragator().


Hope this helps!!!!

Carter


-----Original Message-----
From: Roman Festchook [mailto:roma at polesye.net]
Sent: Monday, May 10, 2004 9:41 AM
To: Carter Bullard
Subject: Re: [ARGUS] ragator flowfile format change?

Hello Carter.
Thank you for fast reply!
Here are my results:
The file 'linux' in the attachments is a regular session flow from a client.
"195.68.217.13" and "195.68.217.13.new" are the flow processing rules for
ragator (dividing traffic into internet and local&peering); the 195.68.217.13.new
file was rewritten to work with the new ragator.
"ragator2.0.6" and "ragator2.0.6.pre2" are the results of processing the flowfile
with ragator and the corresponding flowrules, by the command:
./ragator -cnr linux -f 195.68.217.13.new > ragator2.0.6
for the new ragator, and
ragator -cnr linux -f 195.68.217.13 > ragator2.0.6.pre2
for the old and nicely working version.
Now the problem description: flows for local traffic in the ragator2.0.6pre2 result
are merged into one flow in the new ragator, and I can't understand why :((
Probably some bug in my flow rules file that passed previously but doesn't work
now?

On Monday 10 May 2004 16:18, you wrote:
> Hey Roman,
>    The basic formats should still be the same, (with the exception of the
> 'ip',
> although it's supposed to handle the case where it's not there).  Could you
> send a sample ragator file that demonstrates your problem?
>
> Carter
>
>
>
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Roman Festchook
> Sent: Monday, May 10, 2004 9:04 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: [ARGUS] ragator flowfile format change?
>
> Hello!
> Today I had some time to test argus 2.0.6 and clients-2.0.6 as an upgrade from
> the argus-2.0.6rc2 version. I use ragator to aggregate flows after a user session
> has ended. After installing the new ragator it stopped working with my flowfile and
> reported a syntax error. After some changes in the flowfile rules (adding 'ip' after
> the label id), ragator parses and loads the flowfile correctly but doesn't use these
> rules to aggregate flows.
> Is there any information about changes in ragator flowrules file format?
>
> --
> Roman Festchook
> Network Engineer
> RF2-UANIC FRA11-RIPE

--
Roman Festchook
Network Engineer
RF2-UANIC FRA11-RIPE
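A small model of the auto-correction behaviour Carter describes above, added here as an illustration and not ragator's own code: records are masked by a rule table (using the `*` wildcard from his `*  <->  x.y.z.w` notation), looked up in a cache, and, when auto-correction is on, a record whose masked key is missing but whose reverse key is present is flipped and merged into the reverse entry. The local address, the rule table and the sample records are constructed.

```python
# Constructed model of the ragator auto-correction behaviour described in the
# message; it is not ragator's code.  A rule is (src_pattern, dst_pattern) and
# "*" is the wildcard from Carter's "*  <->  x.y.z.w" notation.
LOCAL = "10.0.0.5"                      # constructed: the x.y.z.w of the message
RULES = [("*", LOCAL), (LOCAL, "*")]    # constructed: keep the local side, mask the rest

def matches(pattern, addr):
    return pattern == "*" or pattern == addr

def mask(record, rules):
    """Return the aggregation key for a (src, dst, bytes) record: the masked
    form of the first rule that matches, or the unmasked pair if none does."""
    src, dst, _ = record
    for rs, rd in rules:
        if matches(rs, src) and matches(rd, dst):
            return (rs, rd)
    return (src, dst)

def aggregate(records, rules, auto_correction):
    """Sum bytes per aggregation key.  With auto_correction on, a record whose
    key is not yet cached but whose reverse key is gets flipped and merged into
    the reverse entry; that is the 'fix' that collapses two flows into one."""
    cache = {}
    for rec in records:
        key = mask(rec, rules)
        if key not in cache and auto_correction and key[::-1] in cache:
            key = key[::-1]           # record treated as the reverse direction
        cache[key] = cache.get(key, 0) + rec[2]
    return cache

# Constructed sample stream: the local host talks to two outside hosts,
# and each conversation has traffic in both directions.
SAMPLE = [
    (LOCAL, "192.0.2.10", 1500),
    ("192.0.2.10", LOCAL, 300),
    (LOCAL, "198.51.100.7", 800),
    ("198.51.100.7", LOCAL, 120),
]

if __name__ == "__main__":
    for setting in (True, False):
        result = aggregate(SAMPLE, RULES, setting)
        print("RAGATOR_AUTO_CORRECTION=%s -> %d flow(s): %s"
              % ("yes" if setting else "no", len(result), result))
```

With auto-correction on, the two directions collapse into the single `x.y.z.w <-> *` entry, which is the merge Roman saw; with it off, the `* <-> x.y.z.w` flow is kept separately.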