Unique, complete flows only

Harry Bock harry at oshean.org
Mon Jul 27 14:42:57 EDT 2009


Hi all,

I was curious as to how Argus client users aggregate their traffic data
using racluster/rabins.  What I'm looking for is essentially
completed/timed-out flows only, aggregated so that there is only one record
per flow.  It seems like this can be achieved for IP transactions with
something along the lines of:

racluster -r input -m saddr daddr proto sport dport -M norep

What's the difference between norep and rmon in terms of aggregation?
Judging by the description in the manual page, norep seems to be what I'm
looking for.  For general IPv4/6 traffic, would the above aggregation
objects be sufficient for uniqueness?

The program I'm writing right now does its own transaction stream
time-splitting, but the more I look at rabins, the more it seems like it
would make things much easier to just bin remote data with rabins() and then
perform data processing locally on the output files.

Harry

-- 
Harry Bock
Software Developer, Package Maintainer
OSHEAN, Inc.
Email: harry at oshean.org
PGP Key ID: 546CC353
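The point in the post worth seeing in code is what a key of saddr daddr proto sport dport does to status records when several of them belong to one flow, and when the same 5-tuple comes back later (an ephemeral port reused after the earlier connection timed out). The following is an added illustration, not code from Argus or from the racluster/rabins implementation, and it makes no claim about how -M norep or rmon are implemented. The record layout, the SAMPLE_RECORDS list and the idle_gap heuristic are all constructed for the example; idle_gap is an assumption standing in for "the flow timed out" so the two cases can be compared.

```python
import ipaddress

# Constructed sample flow records (not real argus output).  Fields mirror the
# aggregation objects from the post (saddr daddr proto sport dport) plus the
# timing and counters an aggregate would have to merge.
SAMPLE_RECORDS = [
    # one TCP connection reported as two status records (0-5s and 5-9s)
    dict(stime=0.0, ltime=5.0, saddr="10.0.0.1", daddr="10.0.0.2", proto="tcp", sport=40000, dport=80, pkts=10, bytes=1500),
    dict(stime=5.0, ltime=9.0, saddr="10.0.0.1", daddr="10.0.0.2", proto="tcp", sport=40000, dport=80, pkts=6, bytes=900),
    # a second, unrelated connection from a neighbouring ephemeral port
    dict(stime=1.0, ltime=3.0, saddr="10.0.0.1", daddr="10.0.0.2", proto="tcp", sport=40001, dport=80, pkts=4, bytes=600),
    # IPv6 DNS: the same flow written with two textual spellings of the source
    dict(stime=2.0, ltime=2.1, saddr="2001:DB8:0:0::1", daddr="2001:db8::53", proto="udp", sport=5353, dport=53, pkts=1, bytes=80),
    dict(stime=2.5, ltime=2.6, saddr="2001:db8::1", daddr="2001:db8::53", proto="udp", sport=5353, dport=53, pkts=1, bytes=120),
    # the first 5-tuple reused five minutes later: a new connection, same key
    dict(stime=300.0, ltime=302.0, saddr="10.0.0.1", daddr="10.0.0.2", proto="tcp", sport=40000, dport=80, pkts=8, bytes=1200),
]

DEFAULT_KEY = ("saddr", "daddr", "proto", "sport", "dport")


def canonical(addr):
    """Canonical textual form so IPv4/IPv6 spelling variants compare equal."""
    return ipaddress.ip_address(addr).compressed


def flow_key(rec, fields=DEFAULT_KEY):
    """Aggregation key built from the requested fields, addresses normalised."""
    return tuple(canonical(rec[f]) if f in ("saddr", "daddr") else rec[f] for f in fields)


def aggregate(records, fields=DEFAULT_KEY, idle_gap=None):
    """Merge records that share a key into one record per flow.

    idle_gap (seconds) is an assumption used to model a timed-out flow: if a
    record for a known key starts more than idle_gap after the previous record
    for that key ended, it opens a new flow instead of being merged.  With
    idle_gap=None everything with the same key collapses into a single record,
    which is the case to watch for when ephemeral ports are reused.
    """
    open_flows = {}   # key -> aggregate still being extended
    finished = []
    for rec in sorted(records, key=lambda r: r["stime"]):
        k = flow_key(rec, fields)
        agg = open_flows.get(k)
        if agg is not None and idle_gap is not None and rec["stime"] - agg["ltime"] > idle_gap:
            finished.append(agg)   # previous flow with this key has timed out
            agg = None
        if agg is None:
            agg = dict(rec)
            agg["saddr"] = canonical(rec["saddr"])
            agg["daddr"] = canonical(rec["daddr"])
            agg["records"] = 1
            open_flows[k] = agg
        else:
            agg["stime"] = min(agg["stime"], rec["stime"])
            agg["ltime"] = max(agg["ltime"], rec["ltime"])
            agg["pkts"] += rec["pkts"]
            agg["bytes"] += rec["bytes"]
            agg["records"] += 1
    finished.extend(open_flows.values())
    return sorted(finished, key=lambda r: (r["stime"], r["saddr"], r["sport"]))


def summarise(flows):
    """One line per aggregated flow, for eyeballing the result."""
    return ["%s:%s -> %s:%s %s  %.1f-%.1f  pkts=%d bytes=%d recs=%d" % (
        f["saddr"], f["sport"], f["daddr"], f["dport"], f["proto"],
        f["stime"], f["ltime"], f["pkts"], f["bytes"], f["records"]) for f in flows]


if __name__ == "__main__":
    print("key only:")
    print("\n".join(summarise(aggregate(SAMPLE_RECORDS))))
    print("key plus 60s idle gap:")
    print("\n".join(summarise(aggregate(SAMPLE_RECORDS, idle_gap=60))))
```

Keyed on the 5-tuple alone, the six constructed records collapse to three: the two status records of the first connection merge (as wanted), the two IPv6 spellings merge once addresses are canonicalised, but the reused 10.0.0.1:40000 connection at t=300 is folded into the t=0 connection, giving one "flow" that spans 302 seconds. With the idle_gap assumption it becomes four, one per connection. Whatever the tool, the check to make on real output is whether records sharing a key but separated by a long idle period have been merged or kept apart.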

