Argus Data Generates From Pcap

carter at qosient.com carter at qosient.com
Thu Apr 12 07:19:00 EDT 2007 

Go to http://qosient.com/argus/flow.htm to see a description of the flow models argus supports by default.  You don't have to configure anything.

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: "CS Lee" <geek00l at gmail.com>
Date: Thu, 12 Apr 2007 09:41:01 
To:"Carter Bullard" <carter at qosient.com>
Cc:Argus <argus-info at lists.andrew.cmu.edu>
Subject: Argus Data Generates From Pcap

Carter,

Thanks, after some tuning in argus.conf, I able to generate most of the metrics and I will check it out more, here's my configuration and please do let me know if I need to tweak it to generate all the flow metrics from pcap. 

# Flow Research
ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
# ARGUS_FLOW_KEY="LAYER_3_MATRIX"
# ARGUS_FLOW_KEY="LAYER_2_MATRIX"
ARGUS_DAEMON=yes 
ARGUS_MONITOR_ID=Research
# ARGUS_ACCESS_PORT=561
# ARGUS_BIND_IP="127.0.0.1: <http://127.0.0.1> "
# ARGUS_INTERFACE=eth0
# ARGUS_GO_PROMISCUOUS=yes
# ARGUS_COLLECTOR=yes
# ARGUS_CHROOT_DIR=/chroot_dir 
# ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
# ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out"
ARGUS_SETUSER_ID=geek00l
ARGUS_SETGROUP_ID=geek00l
# ARGUS_SET_PID=yes
# ARGUS_PID_PATH=/var/run 
ARGUS_FLOW_STATUS_INTERVAL=60
# ARGUS_MAR_STATUS_INTERVAL=300
# ARGUS_DEBUG_LEVEL=0
ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
ARGUS_GENERATE_JITTER_DATA=yes
ARGUS_GENERATE_MAC_DATA=yes
ARGUS_GENERATE_APPBYTE_METRIC=yes 
ARGUS_GENERATE_TCP_PERF_METRIC=yes
ARGUS_CAPTURE_DATA_LEN=1500
ARGUS_FILTER_OPTIMIZER=yes
ARGUS_FILTER=""
# ARGUS_MIN_SSF=0
# ARGUS_MAX_SSF=0

So it has been stated in this link that argus supports 12 simultaneous flow models, I'm looking at this page - 

http://www3.ietf.org/proceedings/01aug/slides/ipfx-2/sld006.htm: <http://www3.ietf.org/proceedings/01aug/slides/ipfx-2/sld006.htm> 

Except for the Classic 5 tuples, Layer 3 and Layer 2 matrix, what are other valid options that I can put(for example 7 tuples?) and when I tried to generate the argus data from pcap, are there any differences if I use different kind of flow key(as the argus data generated has the same file size) but in fact when I look into it, Layer 2 matrix and Layer 3 matrix are different when querying with ra. But I would like to know other differences if possible, what I read from the slides above should be Layer 3 generates 3 tuples and Classic 5 tuples are more on Layer 4 oriented(tcp/udp port aware). Hopefully you can point me out more clearly to full understand all this. 

Thanks, argus is always useful.

-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>

More information about the argus mailing list