how to aggregate multiple similar tcp flows?

Christoph Badura bad at bsd.de
Sat Mar 17 09:08:19 EDT 2007 

Hey Carter,

On Wed, Mar 14, 2007 at 06:31:49PM +0100, Christoph Badura wrote:
> > ESP issue was really a fragmentation issue, and that is now fixed.
> I'm afraid that isn't fixed yet.  I still get output like:
> 
> $ ra -n -s +sloss +dloss -r trace9f.argus|head
>    16:49:21.850751       F     esp      1.2.3.4          <->      4.3.2.1.0x0bf*      377       64        57990        51184   CON      67882          0
>    16:49:31.974272       F     esp      1.2.3.4          <->      4.3.2.1.0x0bf*     2015      818       289482       654344   CON    3606147          0

I figured out why I still get the above output.  Argus does open all
output files in *append* mode by default. So I was printing (and clustering)
the old records from the buggy versions again.

That output files are not overwritten but appended to, could be mentioned
in the man pages.  Patches attached.

--chris
-------------- next part --------------
--- argus-3.0.0.rc.42/man/man8/argus.8.orig	2007-03-07 06:09:55.000000000 +0100
+++ argus-3.0.0.rc.42/man/man8/argus.8
@@ -29,7 +29,7 @@ reports on the transactions that it disc
 .LP
 Designed to run as a daemon,
 .B argus
-generally reads packets directly from a network interface, and writes the
+generally reads packets directly from a network interface, and appends the
 transaction status information to a log file or open socket connected to an
 .B argus
 client (such as
@@ -168,7 +168,7 @@ Specify the number of user bytes to capt
 .TP 5 5
 .B \-w
 <file ["filter"]
-Write transaction status records to \fIoutput-file\fP.  An \fIoutput-file\fP
+Append transaction status records to \fIoutput-file\fP.  An \fIoutput-file\fP
 of '-' directs \fBargus\fP to write the resulting \fIargus-file\fP output
 to \fIstdout\fP.
 .TP 5 5
@@ -253,7 +253,7 @@ remote client will use to port 430/tcp.
 .RE
 .LP
 Audit each individual ICMP ECHO transaction.  You would do this
-gather Round Trip Time data within your network.  Write the output to
+gather Round Trip Time data within your network.  Append the output to
 \fIoutput-file\fP.
 .RS
 .nf
@@ -263,7 +263,7 @@ gather Round Trip Time data within your 
 .LP
 Audit all NFS transactions involving the server \fIfileserver\fP
 and increase the reporting interval to 3600 seconds (to provide high
-data reduction).  Write the output to \fIoutput-file\fP.
+data reduction).  Append the output to \fIoutput-file\fP.
 .RS
 .nf
 \fBargus -S 3600 -w \fIoutput-file\fP udp and port 2049\fP &
-------------- next part --------------
--- argus-clients-3.0.0.rc.42/doc/html/man/argus.8.html.orig	2006-10-13 18:31:55.000000000 +0200
+++ argus-clients-3.0.0.rc.42/doc/html/man/argus.8.html
@@ -48,7 +48,7 @@ reports on the transactions that it disc
 Designed to run as a daemon,
 <B>argus</B>
 
-generally reads packets directly from a network interface, and writes the
+generally reads packets directly from a network interface, and appends the
 transaction status information to a log file or open socket connected to an
 <B>argus</B>
 
@@ -203,7 +203,7 @@ Specify the number of user bytes to capt
 
 <DD>
 <file ["filter"]
-Write transaction status records to <I>output-file</I>.  An <I>output-file</I>
+Appends transaction status records to <I>output-file</I>.  An <I>output-file</I>
 of '-' directs <B>argus</B> to write the resulting <I>argus-file</I> output
 to <I>stdout</I>.
 <DT><B>-X</B>
@@ -316,7 +316,7 @@ remote client will use to port 430/tcp.
 <P>
 
 Audit each individual ICMP ECHO transaction.  You would do this
-gather Round Trip Time data within your network.  Write the output to
+gather Round Trip Time data within your network.  Append the output to
 <I>output-file</I>.
 <DL COMPACT><DT><DD>
 <PRE>
@@ -329,7 +329,7 @@ gather Round Trip Time data within your 
 
 Audit all NFS transactions involving the server <I>fileserver</I>
 and increase the reporting interval to 3600 seconds (to provide high
-data reduction).  Write the output to <I>output-file</I>.
+data reduction).  Append the output to <I>output-file</I>.
 <DL COMPACT><DT><DD>
 <PRE>
 <B>argus -S 3600 -w </B><I>output-file</I> udp and port 2049 &
--- argus-clients-3.0.0.rc.42/doc/html/man/argus.conf.5.html.orig	2006-10-13 18:31:55.000000000 +0200
+++ argus-clients-3.0.0.rc.42/doc/html/man/argus.conf.5.html
@@ -123,7 +123,7 @@ Commandline equivalent  -i
 <H2>ARGUS_OUTPUT_FILE</H2>
 
 <P>
-Argus can write its output to one or a number of files,
+Argus can append its output to one or a number of files,
 default limit is 5 concurrent files, each with their own
 independant filters.
 <P>
--- argus-clients-3.0.0.rc.42/doc/html/man/ra.1.html.orig	2006-10-13 18:31:55.000000000 +0200
+++ argus-clients-3.0.0.rc.42/doc/html/man/ra.1.html
@@ -33,7 +33,7 @@ remote <I>argus-server</I>, filters the 
 an optional <I>filter-expression</I>  and either prints the contents of the
 <B><A HREF="http://localhost/cgi-bin/man/man2html?5+argus">argus</A>(5)</B>
 
-records that it encounters to <B>stdout</B> or writes them out into an
+records that it encounters to <B>stdout</B> or appends them to an
 <B><A HREF="http://localhost/cgi-bin/man/man2html?5+argus">argus</A>(5)</B>
 
 datafile.
@@ -106,7 +106,7 @@ When using a filter expression at the en
 cause
 <B><A HREF="http://localhost/cgi-bin/man/man2html?1+ra">ra</A>(1)</B>
 
-to write the records that are rejected by the filter into
+to append the records that are rejected by the filter into
 <B><file></B>
 
 <DT><B>-F</B>
@@ -253,7 +253,7 @@ Write out time values using UTC time for
 <DD>
 <B><file></B>
 
-Write out matching data to <B><file></B>, in
+Append out matching data to <B><file></B>, in
 <B>argus</B>
 
 file format. An <I>output-file</I> of '-' directs 
--- argus-clients-3.0.0.rc.42/man/man1/ra.1.orig	2007-03-13 22:39:07.000000000 +0100
+++ argus-clients-3.0.0.rc.42/man/man1/ra.1
@@ -38,7 +38,7 @@ data from either \fIstdin\fP, an \fIargu
 remote \fIargus-server\fP, filters the records it encounters based on
 an optional \fIfilter-expression\fP  and either prints the contents of the
 .BR argus(5)
-records that it encounters to \fBstdout\fP or writes them out into an
+records that it encounters to \fBstdout\fP or appends them to an
 .B argus(5)
 datafile.
 .LP
@@ -68,7 +68,7 @@ will print.  Values range from 1-8.
 When using a filter expression at the end of the command, this option will
 cause
 .B ra(1)
-to write the records that are rejected by the filter into
+to append the records that are rejected by the filter into
 .B <file>
 .TP 4 4
 .B \-F <conffile>
@@ -436,7 +436,7 @@ Read \fBargus(5)\fP from remote server f
 Write out time values using UTC time format.
 .TP 4 4
 .B \-w <file>
-Write out matching data to \fB<file>\fP, in
+Append matching data to \fB<file>\fP, in
 .B argus
 file format. An \fIoutput-file\fP of '-' directs 
 .B ra
--- argus-clients-3.0.0.rc.42/man/man1/rastrip.1.orig	2007-02-02 19:12:46.000000000 +0100
+++ argus-clients-3.0.0.rc.42/man/man1/rastrip.1
@@ -97,7 +97,7 @@ If no dsrs are specified, Rastrip remove
 
 .SH INVOCATION
 A sample invocation of \fBrastrip(1)\fP.  This call reads \fBargus(8)\fP data
-from \fBinputfile\fP and strips the default dsr set but keeps MAC addresses and writes the result
+from \fBinputfile\fP and strips the default dsr set but keeps MAC addresses and appends the result
 to \fBoutputfile\fP:
 
 \fBrastrip -M +mac -r inputfile -w outputfile\fP
--- argus-clients-3.0.0.rc.42/man/man5/radium.conf.5.orig	2007-03-07 06:35:34.000000000 +0100
+++ argus-clients-3.0.0.rc.42/man/man5/radium.conf.5
@@ -138,7 +138,7 @@ Commandline equivalent  -B
 
 .SH RADIUM_OUTPUT_FILE
 
-Radium can write its output to one or a number of files,
+Radium can append its output to one or a number of files,
 default limit is 5 concurrent files, each with their own
 independant filters.
 
--- argus-clients-3.0.0.rc.42/man/man8/radium.8.orig	2007-02-02 19:15:29.000000000 +0100
+++ argus-clients-3.0.0.rc.42/man/man8/radium.8
@@ -42,7 +42,7 @@ of argus clients.
 .LP
 Designed to run as a daemon,
 .B radium
-generally reads argus records directly from a remote argus, and writes the
+generally reads argus records directly from a remote argus, and appends the
 transaction status information to a log file or open socket connected to an
 .B argus
 client (such as
@@ -149,7 +149,7 @@ h for seconds, minutes or hours.
 .TP 5 5
 .B \-w
 <file ["filter"]
-Write transaction status records to \fIoutput-file\fP.  An \fIoutput-file\fP
+Append transaction status records to \fIoutput-file\fP.  An \fIoutput-file\fP
 of '-' directs \fBradium\fP to write the resulting \fIradium-file\fP output
 to \fIstdout\fP.
 .TP 5 5

More information about the argus mailing list