New To Argus

[Nick Diel]

I am new to Argus, but have found it has great potential for the 
research project I work on.  We collect pcap files from several high 
traffic networks (20k-100k packets/second).  We collect for 
approximately 12 hours and have ~1000 pcap files that are roughly 500MB 
each. 

I am wanting to do a number of different flow analysis and think Argus 
might be perfect for me.  I am having a hard time grasping some of the 
fundamentals of Argus, but I think once I get some of the basics I will 
be able to really start to use Argus.

To start out with something simple I want to be able to count the number 
of flows over TCP port 25.  I know I need to use RACluster to merge the 
Argus output (I have one argus file for each pcap file I have),  that 
way I can combine identical flow records into one.  I can do this fine 
on one argus output file, but I know many flows span the numerous files 
I have.  I also know I can't load all the files at once into RACluster 
as it fills all available memory.  So my question is how can I 
accomplish this while making sure I capture most flows that span 
multiple files.

Once I understand this, I hope to be able to do things like create a 
list of flow sizes (in bytes) for port 25.  Basically I will be asking a 
lot of questions involving all flows that match a certain filter and I 
am not sure how to accommodate for flows spanning multiple files.

A separate question.  I don't think Argus has this ability, but I wanted 
to know if the community already had a utility for this.  I am looking 
into creating a DB of some sort that would match Argus's flow IDs to 
pcap file name(s) and packet numbers.  This way one could extract the 
packets for a flow that needed further investigation.

And finally, thanks for the great tool.  It does a number of things I 
have been doing manually for a while.

Thanks,
Nick