Unique identifier for tracking flows

Harry Bock harry at oshean.org
Fri Jul 10 15:19:00 EDT 2009


Hi Carter,

I was wondering if there was any facility for tracking a flow across
multiple Argus records.  If I've gathered correctly from our conversations
and from observing the output of other ra* programs and periscope, argus()
will send multiple records for an ongoing flow, updating it if necessary. If
this is correct, is there a "unique identifier" (like the hash key used to
identify the flow in the first place) sent to clients so they can keep track
of such an ongoing record?

The reason I ask is because I'm mostly concerned with "completed" flows in
Periscope, and while a filter like "tcp and fin and finack" works great for
normal closes and resets, I want to make sure I get other flows that simply
drop or time out without a closing sequence.  In the same vein, how are
stateless protocols like UDP handled wrt Argus records? Will I receive
multiple flow records for a single UDP connection? Right now I simply don't
handle this case and treat them as if they are all distinct flows, which I'm
almost positive is dead wrong.  But that's okay, it's still 'pre-alpha' :)

Harry

-- 
Harry Bock
Software Developer, Package Maintainer
OSHEAN, Inc.
Email: harry at oshean.org
PGP Key ID: 546CC353
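One client-side way to approach the question in this post, as an added example that is not from the Argus project or the poster: key each record on its canonical 5-tuple, merge successive records for the same key, and mark a flow complete either on a terminal TCP state or, for UDP and silently dropped TCP, on idle timeout. The record layout (a simplified comma-separated form, with field order and state names like CON/FIN/RST/INT) and the sample lines are constructed assumptions for this example, not real ra output.

```python
# Constructed sample records (assumed layout, not real Argus output):
# start_time,proto,saddr,sport,daddr,dport,state,pkts
SAMPLE = """\
1247253540.10,tcp,10.0.0.5,51234,10.0.0.9,80,CON,12
1247253545.20,tcp,10.0.0.5,51234,10.0.0.9,80,CON,30
1247253550.30,tcp,10.0.0.5,51234,10.0.0.9,80,FIN,4
1247253540.50,udp,10.0.0.7,5353,224.0.0.251,5353,INT,2
1247253560.00,udp,10.0.0.7,5353,224.0.0.251,5353,INT,2
1247253541.00,tcp,10.0.0.8,40000,10.0.0.9,22,RST,3
"""

TERMINAL_STATES = {"FIN", "RST"}   # assumed names for closed/reset records
IDLE_TIMEOUT = 60.0                # seconds without a new record => timed out


def flow_key(proto, saddr, sport, daddr, dport):
    """Canonical 5-tuple: both directions of a flow map to the same key."""
    a, b = (saddr, sport), (daddr, dport)
    return (proto,) + (a + b if a <= b else b + a)


def aggregate(text, now):
    """Merge per-record updates into one entry per flow and classify closure."""
    flows = {}
    for line in text.splitlines():
        ts, proto, sa, sp, da, dp, state, pkts = line.split(",")
        key = flow_key(proto, sa, sp, da, dp)
        f = flows.setdefault(key, {"first": float(ts), "last": float(ts),
                                   "records": 0, "pkts": 0, "closed": None})
        f["last"] = max(f["last"], float(ts))
        f["records"] += 1
        f["pkts"] += int(pkts)
        if state in TERMINAL_STATES:
            f["closed"] = state          # explicit close or reset seen
    for f in flows.values():
        if f["closed"] is None and now - f["last"] > IDLE_TIMEOUT:
            f["closed"] = "TIMEOUT"      # UDP or dropped TCP: no closing sequence
    return flows


def completed_flows(text, now):
    """Return only flows that are finished, by any of the criteria above."""
    return {k: v for k, v in aggregate(text, now).items() if v["closed"]}
```

Because Argus emits status records for the same flow over time, the records counter shows how many updates were merged, and only the last record's state decides closure.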