about flow status interval and inactivity timeout options

Carter Bullard carter at qosient.com
Mon Oct 25 12:08:08 EDT 2010


Hey Berkay,
Argus does not require any configuration to create flow records.
If you are using /etc/argus.conf to provide configuration, simply assign a
value for ARGUS_INTERFACE, to specify where the packets are coming
from, and set an output strategy, either writing to a file using the ARGUS_OUTPUT_FILE
variable or assigning a value for the ARGUS_ACCESS_PORT, so ra programs
can attach to argus to collect flow records.

If you are using command line options to configure argus,  provide the command line
options you are using, and I will attempt to clear up your confusion. 

The ARGUS_FLOW_STATUS_INTERVAL specifies how often argus will report the status of
a flow, when its active.  Normally set to 5-60 seconds.  For a long lived flow, say a video
playback, argus, when the status interval is set to 5s, will generate a flow record every 5s
while the video flow is active.  You don't need to set any variables, and argus will generate
flow records for you.  Change variables in the configuration when you want to change
argus's default behavior.

Carter

On Oct 25, 2010, at 11:47 AM, Berkay Celik wrote:

> Hey all,Carter,
> 
> The confusing point when i'm trying to create the flows,
> 
> ARGUS_FLOW_STATUS_INTERVAL is not same as the tcp_inactivity_timeout and  udp_inactivity_timeout as far as i read. Is there are inactivity_timeout option
> in ARGUS? (is ARGUS_MAR_STATUS_INTERVAL used for this purpose, i confused about ARGUS_MAR_STATUS_INTERVAL variable.)
> 
> 
> is there a way that i can directly get the flows regarding my definitions 1 and 2 (for TCP and UDP):
> 
> tcp Connection established  (SYN sent) or 3 way handshake is done) within ARGUS_FLOW_STATUS_INTERVAL 45 s or tcp_inactivity_timeout is 15 s
>    create the flows
> 
> udp within ARGUS_FLOW_STATUS_INTERVAL 45 s or udp_inactivity_timeout is 15 s
>    create the flows
> 
> is there way to generate flows in argus as noted up.
> 
> Thanks,
> 
> Berkey
> 
> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101025/56df9e78/attachment.bin>


More information about the argus mailing list