New To Argus

Peter Van Epp vanepp at sfu.ca
Fri Feb 22 14:55:47 EST 2008


On Thu, Feb 21, 2008 at 02:49:25PM -0700, Nick Diel wrote:
> I am new to Argus, but have found it has great potential for the 
> research project I work on.  We collect pcap files from several high 
> traffic networks (20k-100k packets/second).  We collect for 
> approximately 12 hours and have ~1000 pcap files that are roughly 500MB 
> each. 
> 
> I am wanting to do a number of different flow analyses and think Argus 
> might be perfect for me.  I am having a hard time grasping some of the 
> fundamentals of Argus, but I think once I get some of the basics I will 
> be able to really start to use Argus.
> 
> To start out with something simple I want to be able to count the number 
> of flows over TCP port 25.  I know I need to use RACluster to merge the 
> Argus output (I have one argus file for each pcap file I have),  that 
> way I can combine identical flow records into one.  I can do this fine 
> on one argus output file, but I know many flows span the numerous files 
> I have.  I also know I can't load all the files at once into RACluster 
> as it fills all available memory.  So my question is how can I 
> accomplish this while making sure I capture most flows that span 
> multiple files.

	While I don't think you can currently, what you want here is for the
client when it hits end of file on a chunk to write the state of currently 
active flows to a file (instead of discarding them as it does now). Then as
before it starts reading the next file (although there would be problems if
the next file isn't in time sequence, that should be externally fixable) the
client would read the state of active flows at the point of last file shutdown
first and proceed from there. That way you only need to keep state on active
flows that cross file boundaries and memory growth should be constrained (at 
least more constrained than trying to do it all at once :-)) and may do what
you want. 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
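The carry-over scheme Peter describes (flush flows that have gone idle at the end of each chunk, keep only the still-active ones as state for the next chunk), as an added example that is not part of the thread or of the argus/racluster code. It assumes simplified 5-tuple flow records, chunks already in time order, and a constructed idle timeout; the `active` dict is the state a real implementation would write to disk between files.

```python
"""Merge flow records across file chunks while holding only active flows in memory."""

IDLE_TIMEOUT = 60.0  # assumption: a flow idle this long (seconds) is treated as finished

# Constructed sample chunks: (start, last, proto, saddr, sport, daddr, dport, pkts, bytes).
# Flow 10.0.0.1:40000 -> 192.0.2.10:25 spans both chunks and must become ONE record.
CHUNKS = [
    [
        (5, 20, "tcp", "10.0.0.2", 40001, "192.0.2.10", 25, 3, 300),   # ends in chunk 1
        (10, 95, "tcp", "10.0.0.1", 40000, "192.0.2.10", 25, 5, 500),  # still active at chunk end
        (30, 31, "udp", "10.0.0.3", 53000, "192.0.2.53", 53, 2, 200),
    ],
    [
        (100, 130, "tcp", "10.0.0.1", 40000, "192.0.2.10", 25, 4, 400),  # continuation of above
        (150, 160, "tcp", "10.0.0.2", 40001, "192.0.2.10", 25, 2, 200),  # same 5-tuple, new flow
    ],
]

def merge_chunks(chunks, idle_timeout=IDLE_TIMEOUT):
    """Return merged flow records (dicts) for chunks whose records are sorted by start time."""
    active = {}    # carry-over state between chunks: 5-tuple -> merged record
    finished = []
    for chunk in chunks:
        chunk_end = max(r[1] for r in chunk) if chunk else 0
        for start, last, proto, sa, sp, da, dp, pkts, byts in chunk:
            key = (proto, sa, sp, da, dp)
            rec = active.get(key)
            if rec is not None and start - rec["last"] > idle_timeout:
                finished.append(rec)   # the earlier flow timed out; this is a new one
                rec = None
            if rec is None:
                active[key] = {"key": key, "start": start, "last": last, "pkts": pkts, "bytes": byts}
            else:
                rec["last"] = max(rec["last"], last)
                rec["pkts"] += pkts
                rec["bytes"] += byts
        # End of chunk: flush idle flows; only flows seen near the chunk's end are carried over.
        for key in list(active):
            if chunk_end - active[key]["last"] > idle_timeout:
                finished.append(active.pop(key))
    finished.extend(active.values())   # whatever is still open when input ends
    return finished

def count_flows_to_port(records, port=25, proto="tcp"):
    """Count merged flows whose destination is the given proto/port (the TCP/25 question)."""
    return sum(1 for r in records if r["key"][0] == proto and r["key"][4] == port)

if __name__ == "__main__":
    merged = merge_chunks(CHUNKS)
    print(len(merged), "flows;", count_flows_to_port(merged), "to tcp/25")
```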
