Argus processing multiple pcap files at once

Carter Bullard carter at qosient.com
Thu Jul 9 15:49:15 EDT 2009


The only reason to process multiple packet streams at the same time
is because they are from different observation points or the time
domains overlap, so you want something to interleave the data into the
probe, so the data is in time order.

If the packets are not overlapped in time, no problem with cating the  
data.
If you try it and argus isn't happy, holler, and I'll make the fix.

Carter

On Jul 9, 2009, at 3:42 PM, Nick Diel wrote:

> Carter,
>
> I have hundreds of files a day (doing processing at the end of the  
> day).  Was hoping that Argus was going to be like ra* and handle  
> many files.  Though I now understand why Argus is different.
>
> Perhaps I will throw together a little cat like script that would  
> discard all but the first pcap file header and stream them through  
> stdin/out.  Do you see any problems with this from Argus' point of  
> view?
>
> Nick
>
> On Thu, Jul 9, 2009 at 1:32 PM, Carter Bullard <carter at qosient.com>  
> wrote:
> Hey Nick,
> Files and interfaces are handled in the same way in argus(), so  
> there is a limit because
> handling a bunch of interfaces at line rate is going to have a  
> limit.  5 seemed like a good
> number, but it's completely arbitrary.
>
> How many files do you want to process at a time?
>
> Carter
>
>
> On Jul 9, 2009, at 3:28 PM, Nick Diel wrote:
>
> Carter,
>
> I believe you turned on the ability to process multiple pcap files  
> in Argus for me a while back.  Is there any reason why there is a  
> limit of 5 files at a time?
>
> Nick
>
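
The cat-like script Nick proposes, sketched as an added example (not code from this thread or from the Argus project): it keeps only the first pcap global header and stops when a file starts before the last packet already written, which is the overlap case Carter describes. It assumes classic pcap (not pcapng) files given in time order; `concat_pcaps` and `sample_pcap` are hypothetical names.

```python
import io
import struct
import sys

# On-disk magics of classic pcap (usec and nsec timestamps), mapped to byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def concat_pcaps(streams, out):
    """Copy pcap streams to out, keeping only the first 24-byte global header.
    Raises ValueError on a format mismatch or when a file starts earlier than
    the last packet already written (overlapping time domains)."""
    first_hdr, last_ts, count = None, (0, 0), 0
    for n, src in enumerate(streams):
        hdr = src.read(24)
        if len(hdr) != 24 or hdr[:4] not in MAGICS:
            raise ValueError(f"input {n}: not a classic pcap file")
        if first_hdr is None:
            first_hdr = hdr
            out.write(hdr)
        elif (hdr[:4], hdr[20:24]) != (first_hdr[:4], first_hdr[20:24]):
            raise ValueError(f"input {n}: magic or link type differs")
        fmt, at_start = MAGICS[hdr[:4]] + "IIII", True
        while rec := src.read(16):
            if len(rec) != 16:
                raise ValueError(f"input {n}: truncated record header")
            sec, frac, incl_len, _ = struct.unpack(fmt, rec)
            data = src.read(incl_len)
            if len(data) != incl_len:
                raise ValueError(f"input {n}: truncated packet")
            if at_start and (sec, frac) < last_ts:
                raise ValueError(f"input {n}: overlaps previous file in time")
            at_start, last_ts = False, max(last_ts, (sec, frac))
            out.write(rec + data)
            count += 1
    return count

def sample_pcap(timestamps):
    """Constructed sample input: little-endian Ethernet pcap, 4-byte dummy packets."""
    buf = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec in timestamps:
        buf += struct.pack("<IIII", sec, 0, 4, 4) + b"\x00" * 4
    return io.BytesIO(buf)

if __name__ == "__main__":
    # Usage: python catpcap.py a.pcap b.pcap > merged.pcap (script name is hypothetical)
    files = [open(p, "rb") for p in sys.argv[1:]]
    print(concat_pcaps(files, sys.stdout.buffer), "packets", file=sys.stderr)
```

Because the copy is streamed, an overlap error is raised after the earlier files have already been written; the offending file's packets are not emitted.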