how to aggregate multiple similar tcp flows?
Carter Bullard
carter at qosient.com
Sat Mar 17 16:11:40 EDT 2007
Hey Christoph,
Yeah, that gets a few every now and then. We've been doing the
append thing for so long, I take it for granted that everyone knows.
I've updated all the man pages to use the word 'append'.
Are things looking better? I'm hoping the numbers are doing the right
thing? The bug you reported was a very interesting one, where only
certain conditions could tickle it. Interesting that your network
tickled it more than others. Very glad you found and reported it!!!!!!!
Thanks for all the help!!!!!
Carter
On Mar 17, 2007, at 9:08 AM, Christoph Badura wrote:
> Hey Carter,
>
> On Wed, Mar 14, 2007 at 06:31:49PM +0100, Christoph Badura wrote:
>>> ESP issue was really a fragmentation issue, and that is now fixed.
>> I'm afraid that isn't fixed yet. I still get output like:
>>
>> $ ra -n -s +sloss +dloss -r trace9f.argus|head
>> 16:49:21.850751 F esp 1.2.3.4 <-> 4.3.2.1.0x0bf* 377 64 57990 51184 CON 67882 0
>> 16:49:31.974272 F esp 1.2.3.4 <-> 4.3.2.1.0x0bf* 2015 818 289482 654344 CON 3606147 0
>
> I figured out why I still get the above output. Argus does open all
> output files in *append* mode by default. So I was printing (and
> clustering) the old records from the buggy versions again.
>
> That output files are not overwritten but appended to, could be
> mentioned in the man pages. Patches attached.
>
> --chris
> <argus-doc.patch>
> <argus-cliets-doc.patch>