Unique, complete flows only

Nick Diel nick at engineerity.com
Mon Jul 27 14:56:25 EDT 2009


Harry,

Racluster by default clusters on the 5-tuple, so you do not need the -m
options for what you are wanting to do.  If my memory serves me correctly, the
norep option keeps the trans field at 1 (instead of aggregating it).  Rmon
splits each record into two records (one for each direction), and is probably
not what you want.

Nick

On Mon, Jul 27, 2009 at 12:42 PM, Harry Bock <harry at oshean.org> wrote:

> Hi all,
>
> I was curious as to how Argus client users aggregate their traffic data
> using racluster/rabins.  What I'm looking for is essentially
> completed/timed-out flows only, aggregated so that there is only one record
> per flow.  It seems like this can be achieved for IP transactions with
> something along the lines of:
>
> racluster -r input -m saddr daddr proto sport dport -M norep
>
> What's the difference between norep and rmon in terms of aggregation?
> Judging by the description in the manual page, norep seems to be what I'm
> looking for.  For general IPv4/6 traffic, would the above aggregation
> objects be sufficient for uniqueness?
>
> The program I'm writing right now does its own transaction stream
> time-splitting, but the more I look at rabins, the more it seems like it
> would make things much easier to just bin remote data with rabins() and then
> perform data processing locally on the output files.
>
> Harry
>
> --
> Harry Bock
> Software Developer, Package Maintainer
> OSHEAN, Inc.
> Email: harry at oshean.org
> PGP Key ID: 546CC353
>
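To make the three behaviours discussed in this thread concrete (default 5-tuple clustering, norep keeping trans at 1, rmon emitting one record per direction), here is a small Python model of that aggregation. It is an added example, not argus or racluster code, and it makes no claim about racluster internals. The field names (stime, saddr, sport, daddr, dport, proto, spkts, dpkts, sbytes, dbytes, trans) follow ra's naming, the CSV input is constructed for the example, the choice to orient each record so that a reply seen with the endpoints reversed merges into the same connection is an assumption about what "one record per flow" should mean, and the trans handling simply encodes Nick's recollection above.

```python
from dataclasses import dataclass

# Constructed sample in the shape of `ra -c , -s stime saddr sport daddr dport proto
# spkts dpkts sbytes dbytes trans`. Not real argus output. Records 1-3 are the
# same TCP connection; record 3 was seen from the server side (endpoints reversed).
SAMPLE = """\
1248712000.1,10.0.0.5,40000,192.0.2.10,80,tcp,3,2,300,1200,1
1248712001.1,10.0.0.5,40000,192.0.2.10,80,tcp,2,3,200,3000,1
1248712002.1,192.0.2.10,80,10.0.0.5,40000,tcp,1,0,60,0,1
1248712003.1,2001:db8::5,53000,2001:db8::53,53,udp,1,1,70,120,1
"""


@dataclass
class Flow:
    stime: float
    saddr: str
    sport: int
    daddr: str
    dport: int
    proto: str
    spkts: int
    dpkts: int
    sbytes: int
    dbytes: int
    trans: int


def parse(text):
    """Parse the comma-separated records into Flow objects."""
    flows = []
    for line in text.splitlines():
        f = line.split(",")
        flows.append(Flow(float(f[0]), f[1], int(f[2]), f[3], int(f[4]), f[5],
                          *map(int, f[6:])))
    return flows


def reverse(f):
    """The same record viewed from the other endpoint: swap addresses, ports and counters."""
    return Flow(f.stime, f.daddr, f.dport, f.saddr, f.sport, f.proto,
                f.dpkts, f.spkts, f.dbytes, f.sbytes, f.trans)


def five_tuple(f):
    return (f.saddr, f.sport, f.daddr, f.dport, f.proto)


def canonical(f):
    """Orient a record so both directions of one connection share a key.
    Assumption for this example: the lexically lower (addr, port) pair is the source."""
    return f if (f.saddr, f.sport) <= (f.daddr, f.dport) else reverse(f)


def cluster(flows, norep=False, rmon=False):
    """Aggregate records on the 5-tuple, in input order of first appearance.

    norep: keep trans at 1 on each output record instead of summing it.
    rmon:  every input record becomes two records, one per direction, so a
           connection yields two output rows (A->B and B->A) instead of one.
    """
    buckets, order = {}, []
    inputs = []
    for f in flows:
        inputs.extend([f, reverse(f)] if rmon else [canonical(f)])
    for f in inputs:
        k = five_tuple(f)
        if k not in buckets:
            buckets[k] = Flow(**vars(f))
            order.append(k)
            continue
        b = buckets[k]
        b.stime = min(b.stime, f.stime)
        b.spkts += f.spkts
        b.dpkts += f.dpkts
        b.sbytes += f.sbytes
        b.dbytes += f.dbytes
        b.trans = 1 if norep else b.trans + f.trans
    return [buckets[k] for k in order]


if __name__ == "__main__":
    flows = parse(SAMPLE)
    for label, kw in (("default", {}), ("norep", {"norep": True}), ("rmon", {"rmon": True})):
        print(f"--- {label}: {len(cluster(flows, **kw))} records")
        for r in cluster(flows, **kw):
            print(five_tuple(r), r.spkts, r.dpkts, r.sbytes, r.dbytes, "trans=%d" % r.trans)
```

With the constructed input, default clustering collapses the three TCP records into one row whose trans is 3 and whose counters include the server-side record with its direction flipped; norep leaves that row's trans at 1; rmon produces four rows, two per connection, which is the doubling Nick warns about. Note that the canonical() orientation is the part a real deployment would want to check against what racluster itself does.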

