best way to collect traffic
Peter Van Epp
vanepp at sfu.ca
Thu Apr 30 22:53:14 EDT 2009
On Fri, Apr 24, 2009 at 08:44:33AM +0300, Oguz Yarimtepe wrote:
>
> I am generally using a dataset [1] for testing purposes. What I do is
> convert the tcpdump files to arg3 records and analyse the results.
>
> A few days ago I tried to check my own traffic, so I ran tcpdump
> while surfing. After a while I broke the process with ctrl+c, converted
> the dump file to arg3 and checked the results. I saw some <?> values in
> the direction field. So I thought that collecting the traffic in this way is
> not a good idea, or that I broke the connection and packets so the flow data
> was missing.
>
> What is the good way to collect a traffic for analyzing via argus?
>
> --
> Oguz Yarimtepe
> http://www.loopbacking.info
>
Another thought just occurred to me: are you using ra to check the
results or racluster? Argus flushes flow status every 2 minutes by default, so
a long-lasting connection (such as an ssh session) will have an initial
report with the direction field correct and a bunch more for the same flow
with a <?> direction (as it has no longer seen the syn / syn-ack sequence).
I believe racluster (it used to be ragator in 2.x) is the current way of
combining the flows by 5 tuple so the direction field will be correct and
you will get what you expect.
Peter Van Epp
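The effect Peter describes, several status records for one long-lived flow of which only the first carries a known direction, and what racluster's 5-tuple merge does about it, as an added example that is not part of the original thread and not argus code. The ra-style records below are constructed for illustration (the column layout, the zero-padded same-day timestamps that make string min/max work, and the "last status wins" rule for the state column are all assumptions of this example, not guarantees about real ra output).

```python
"""Stand-in for racluster's per-5-tuple aggregation of argus status records.

Constructed example: the input imitates ra(1) output for two flows. The ssh
flow (tcp/22) was open across three 2-minute status intervals; only the first
record saw the syn/syn-ack, so the later two report direction <?>.
"""
from collections import OrderedDict

# Assumed column order for the constructed sample (not real ra field names).
FIELDS = ("stime", "ltime", "proto", "saddr", "sport", "dir",
          "daddr", "dport", "pkts", "bytes", "state")

# Constructed sample input, not captured data.
SAMPLE_RA_OUTPUT = """\
10:00:00.000 10:02:00.000 tcp 10.0.0.5 51234 -> 10.0.0.9 22 120 14000 CON
10:02:00.000 10:04:00.000 tcp 10.0.0.5 51234 <?> 10.0.0.9 22 90 9000 CON
10:04:00.000 10:05:30.000 tcp 10.0.0.5 51234 <?> 10.0.0.9 22 40 3500 FIN
10:00:30.000 10:00:31.000 udp 10.0.0.5 40000 <-> 10.0.0.1 53 2 300 CON
"""

# Direction tokens to swap when a record's endpoints are reversed relative
# to the orientation of the flow it is merged into.
FLIP = {"->": "<-", "<-": "->"}


def parse_records(text):
    """Parse whitespace-separated ra-style lines into dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip blank or malformed lines
        rec = dict(zip(FIELDS, parts))
        rec["pkts"] = int(rec["pkts"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def flow_key(rec):
    """Orientation-independent 5-tuple: proto plus the sorted endpoint pair."""
    ends = sorted([(rec["saddr"], rec["sport"]), (rec["daddr"], rec["dport"])])
    return (rec["proto"], ends[0], ends[1])


def count_unknown_direction(records):
    """How many records carry the <?> direction that confused the poster."""
    return sum(1 for r in records if r["dir"] == "<?>")


def cluster(records):
    """Merge status records of the same 5-tuple into one flow record.

    The merged flow keeps the orientation of its first record, the earliest
    start, the latest end, summed counters, the last reported state, and the
    first non-<?> direction seen (normally from the record that saw the
    handshake). A flow whose handshake was never captured stays <?>.
    """
    flows = OrderedDict()
    for rec in records:
        key = flow_key(rec)
        if key not in flows:
            flows[key] = dict(rec)
            continue
        flow = flows[key]
        reversed_rec = (rec["saddr"], rec["sport"]) != (flow["saddr"], flow["sport"])
        rec_dir = FLIP.get(rec["dir"], rec["dir"]) if reversed_rec else rec["dir"]
        flow["stime"] = min(flow["stime"], rec["stime"])  # assumes same-day zero-padded times
        flow["ltime"] = max(flow["ltime"], rec["ltime"])
        flow["pkts"] += rec["pkts"]
        flow["bytes"] += rec["bytes"]
        flow["state"] = rec["state"]  # last status record wins (assumption)
        if flow["dir"] == "<?>" and rec_dir != "<?>":
            flow["dir"] = rec_dir
    return list(flows.values())


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RA_OUTPUT)
    print("raw records:", len(recs), "with <?> direction:", count_unknown_direction(recs))
    for flow in cluster(recs):
        print(" ".join(str(flow[f]) for f in FIELDS))
```

The ssh flow collapses to a single record with direction `->` and the summed packet and byte counts, while the one-shot DNS flow is unchanged. With real data the equivalent is to feed the argus file through racluster rather than reading it with ra directly; a flow whose syn/syn-ack was never captured (a connection that was already open when the capture started) will still show `<?>` after merging, which is a property of the capture, not of the conversion.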