Argus Freezes

[Sunjeet Singh]

On 10-11-15 9:53 AM, Carter Bullard wrote:
> Yes, but the idea is to get through the packets quickly using argus, then use
> one of the ra* programs to merge the multiple status reports together.  If a
> "single flow = single report" is your goal then, there are tools provided to help.

Cool. I'll look into racluster.
> The trick is to set aggressive idle timeout values so you can get short lived flows
> out of the engine quickly.  Sometimes matching flows like (" src net not x.y.0.0/16")
> (flows originated from outside) is enough to identify flows that should be timed out
> quickly.

This is great. Thanks. The only problem left is that 1 sec is not 
helping me much either except for the initial head-start. Can I go lower?


Sunjeet