Per-connection info

[David]

Carter Bullard wrote:
> Hey David,
> Did you fix you're problem?  You should be using racluster() from the 
> new distribution.
> You should not need any parameters to generate the output your 
> interested in.
> 
>    ragator -r file -w file.rag
>    racluster -r file -w file.clu
> 
> If your data source is a stream, then you will have some issues when 
> trying to figure
> out when to flush the records.  racluster() provides support for this, 
> but I'm not
> a fan of this type of flow flushing.

Carter,

I did indeed find one solution to the problem but I am unsure if it is 
the best.  I am currently evaluating it to see whether or not what I am 
doing is producing the correct results.

The input is pcap, a number of files from an IDS sensor.  I pipe these 
one by one to argus, which appears to append to the output file 
correctly each time it is called.

Afterwards I do not use ragator, instead I rely on racluster to group 
together the connections/streams and parse the text output using a 
script.  In order to do this I do provide a number of options to 
racluster.  Is this likely to cause problems?

I will post the full command I am using when I have tweaked it a little 
more.

Thanks for your help,

David