raports results after racluster or ra -w .. of original data files
Michael Sanderson
sanders at cs.ubc.ca
Wed Jul 14 16:43:29 EDT 2010
I'm experiencing some slight differences in the results of raports,
depending upon how I run it.
I rotate my logs every 15 minutes and do some post processing.
1) raports -r data.2010.07.12-00:* - host 10.91.129.8
...
10.91.129.8 tcp: (2) 2049, 39813
10.91.129.8 udp: (3) 769, 789, 824
...
2) ra -r data.2010.07.12-00:* -w d10.91.129.8 - host 10.91.129.8
raports -r d10.91.129.8
...
10.91.129.8 tcp: (1) 2049
10.91.129.8 udp: (3) 769, 789, 824
...
3) racluster -r data.2010.07.12-00:* -w clustered.2010.07.12-00
raports -r clustered.2010.07.12-00 - host 10.91.129.8
...
10.91.129.8 tcp: (1) 2049
10.91.129.8 udp: (3) 769, 789, 824
...
raports on the original data files is suggesting that 10.91.129.8 port
39813 is a destination. raports on processed files is suggesting it is
a source. Looking at the flows from the original data files for
10.91.129.8 port 39813 shows that direction wasn't determined.
10/07/11 23:49:23 M tcp 10.91.129.8.39813 <?> a.b.c.d.netbio 2 126 CON
Looking at the processed files (d10.91.129.8 and
clustered.2010.07.12-00) via ra, they also show that the direction was not
determined.
What is happening with the processed files that convinces raports that
10.91.129.8 port 39813 is a source, not a destination? In this
particular case it is right, but I'm curious how it is getting it right.
Michael Sanderson