Argus Data Generates From Pcap

CS Lee geek00l at gmail.com
Wed Apr 11 21:41:01 EDT 2007


Carter,

Thanks, after some tuning in argus.conf, I was able to generate most of the
metrics and I will check it out more; here's my configuration, and please do
let me know if I need to tweak it to generate all the flow metrics from
pcap.

# Flow Research
ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
# ARGUS_FLOW_KEY="LAYER_3_MATRIX"
# ARGUS_FLOW_KEY="LAYER_2_MATRIX"
ARGUS_DAEMON=yes
ARGUS_MONITOR_ID=Research
# ARGUS_ACCESS_PORT=561
# ARGUS_BIND_IP="127.0.0.1"
# ARGUS_INTERFACE=eth0
# ARGUS_GO_PROMISCUOUS=yes
# ARGUS_COLLECTOR=yes
# ARGUS_CHROOT_DIR=/chroot_dir
# ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
# ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out"
ARGUS_SETUSER_ID=geek00l
ARGUS_SETGROUP_ID=geek00l
# ARGUS_SET_PID=yes
# ARGUS_PID_PATH=/var/run
ARGUS_FLOW_STATUS_INTERVAL=60
# ARGUS_MAR_STATUS_INTERVAL=300
# ARGUS_DEBUG_LEVEL=0
ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
ARGUS_GENERATE_JITTER_DATA=yes
ARGUS_GENERATE_MAC_DATA=yes
ARGUS_GENERATE_APPBYTE_METRIC=yes
ARGUS_GENERATE_TCP_PERF_METRIC=yes
ARGUS_CAPTURE_DATA_LEN=1500
ARGUS_FILTER_OPTIMIZER=yes
ARGUS_FILTER=""
# ARGUS_MIN_SSF=0
# ARGUS_MAX_SSF=0

So it has been stated in this link that argus supports 12 simultaneous flow
models, I'm looking at this page -

http://www3.ietf.org/proceedings/01aug/slides/ipfx-2/sld006.htm

Except for the Classic 5 tuples, Layer 3 and Layer 2 matrix, what are the other
valid options that I can put (for example 7 tuples?), and when I tried to
generate the argus data from pcap, are there any differences if I use a
different kind of flow key (as the argus data generated has the same file
size)? In fact, when I look into it, Layer 2 matrix and Layer 3 matrix are
different when querying with ra. But I would like to know other differences
if possible; what I read from the slides above should be that Layer 3 generates 3
tuples and Classic 5 tuples are more Layer 4 oriented (tcp/udp port
aware). Hopefully you can point me out more clearly so I can fully understand all
this.

Thanks, argus is always useful.

-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>
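The question above is about why the same pcap yields different flow records under CLASSIC_5_TUPLE, LAYER_3_MATRIX and LAYER_2_MATRIX with ARGUS_FLOW_TYPE="Bidirectional". The following is an added example, not Argus code or code from the poster: a small Python aggregator that keys constructed sample packets (MAC addresses, IPs and ports are made up) the way each flow key would, so the difference in record counts and in per-direction byte counts is visible directly.

```python
# Added illustration of Argus-style flow keying (not Argus's own code).
# Packets are constructed inline: (src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, bytes)
PACKETS = [
    ("aa:01", "bb:02", "10.0.0.1", "10.0.0.2", "tcp", 40001, 80, 500),
    ("bb:02", "aa:01", "10.0.0.2", "10.0.0.1", "tcp", 80, 40001, 1500),  # reply direction
    ("aa:01", "bb:02", "10.0.0.1", "10.0.0.2", "tcp", 40002, 443, 300),  # new port pair
    ("aa:01", "bb:02", "10.0.0.3", "10.0.0.2", "udp", 5353, 53, 80),     # second host, same MAC
]


def endpoints(pkt, mode):
    """Return (src_endpoint, dst_endpoint, extra) for the chosen flow key."""
    smac, dmac, sip, dip, proto, sp, dp, _ = pkt
    if mode == "CLASSIC_5_TUPLE":      # layer-4 aware: ports and protocol matter
        return (sip, sp), (dip, dp), (proto,)
    if mode == "LAYER_3_MATRIX":       # IP pair only: all port pairs collapse
        return (sip,), (dip,), ()
    if mode == "LAYER_2_MATRIX":       # MAC pair only: all hosts behind a MAC collapse
        return (smac,), (dmac,), ()
    raise ValueError(f"unknown flow key: {mode}")


def flow_key(pkt, mode):
    src, dst, extra = endpoints(pkt, mode)
    # Bidirectional: order the two endpoints so both directions share one record.
    return (min(src, dst), max(src, dst)) + extra


def aggregate(packets, mode):
    """Aggregate packets into flow records; counts are split by initiator side."""
    flows = {}
    for pkt in packets:
        src, _, _ = endpoints(pkt, mode)
        rec = flows.setdefault(
            flow_key(pkt, mode),
            {"initiator": src, "spkts": 0, "sbytes": 0, "dpkts": 0, "dbytes": 0},
        )
        side = "s" if src == rec["initiator"] else "d"
        rec[side + "pkts"] += 1
        rec[side + "bytes"] += pkt[7]
    return flows


if __name__ == "__main__":
    for mode in ("CLASSIC_5_TUPLE", "LAYER_3_MATRIX", "LAYER_2_MATRIX"):
        flows = aggregate(PACKETS, mode)
        print(f"{mode}: {len(flows)} flow record(s)")
        for key, rec in flows.items():
            print("  ", key, rec)
```

Running it shows 3 records for the 5-tuple key, 2 for the layer-3 matrix and 1 for the layer-2 matrix from the same four packets, which is the kind of difference ra exposes when the matrix keys are compared.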