about flow status interval and inactivity timeout options

Carter Bullard carter at qosient.com
Mon Oct 25 12:59:29 EDT 2010


The idle timeout values for different types of flows are currently hardcoded,
and are defined in ./argus/ArgusModeler.h.  Here are the current values:

#define ARGUS_INITIMEOUT        5
#define ARGUS_IPTIMEOUT         30
#define ARGUS_ARPTIMEOUT        5
#define ARGUS_TCPTIMEOUT        60
#define ARGUS_ICMPTIMEOUT       5
#define ARGUS_IGMPTIMEOUT       30
#define ARGUS_OTHERTIMEOUT      30
#define ARGUS_FRAGTIMEOUT       5

These are arbitrary, and are primarily an issue for memory management.
The argus-client aggregation programs, racluster(), rabins(), ratop() etc.,
will aggregate flow status records and correct for any problems that may
arise from flows being timed out by argus.  If exposing these variables in the
argus.conf file would be useful, we can move them in there, no problem.

These variables have not been of fundamental interest to the argus user
community, because argus is indifferent to these timeouts in its basic
flow classification and processing.  The client aggregation programs resolve
issues regarding flow timeouts, and flow reassembly.

Carter


On Oct 25, 2010, at 12:23 PM, Berkay Celik wrote:

> Hey, Carter,
> I couldn't find how I can post a reply using the mailing list, so I'm writing from here.
> My confusion is not clear:
> the timeout variable in Bro IDS, for example, differs from the argus status interval,
> ("Connections for TCP are well-defined, because establishing and terminating a connection plays a central part of the TCP protocol. Beyond those, Bro enforces a hard connection timeout after the period of time specified through the tcp_inactivity_timeout variable, defined in bro.init.
> For UDP, a connection begins when host A sends a packet to host B for the first time, B never having sent anything to A. This transmission is termed a request, even if in fact the application protocol being used is not based on requests and replies. If B sends a packet back, then that packet is termed a reply. Each packet A or B sends is another request or reply. UDP connection timeouts are specified through the udp_inactivity_timeout variable, defined in bro.init.")
> http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_Events#Connection_summaries
> 
> The status interval is 5 seconds by default and can be changed via the command prompt; that's fine
> (so to change it from the .conf, I think I should copy it to etc/argus.conf and it will be defined there; I checked my /etc and there is no argus.conf file generated by default. I will try copying and see what happens.)
> 
> The argus status interval variable is used; the timeout is from the first packet to the current captured packet (after the default time of 5 s has passed). However, the timeout option is: if there is no flow between two 5-tuples in a specific time (let's say 15 s), another flow will be generated.
> So my question is: does argus support this option? Is ARGUS_MAR_STATUS_INTERVAL for this purpose?
> If there is, I can get my flows via Argus.
> 
> Thanks for the quick reply; still confused, so I replied to your message.
> 
> Thanks again.
> Berkey
> 
> 
> On 10/25/2010 12:08 PM, Carter Bullard wrote:
>> 
>> Hey Berkay,
>> Argus does not require any configuration to create flow records.
>> If you are using /etc/argus.conf to provide configuration, simply assign a
>> value for ARGUS_INTERFACE, to specify where the packets are coming
>> from, and set an output strategy, either writing to a file using the ARGUS_OUTPUT_FILE
>> variable or assigning a value for the ARGUS_ACCESS_PORT, so ra programs
>> can attach to argus to collect flow records.
>> 
>> If you are using command line options to configure argus, provide the command line
>> options you are using, and I will attempt to clear up your confusion.
>> 
>> The ARGUS_FLOW_STATUS_INTERVAL specifies how often argus will report the status of
>> a flow, when it's active.  Normally set to 5-60 seconds.  For a long lived flow, say a video
>> playback, argus, when the status interval is set to 5s, will generate a flow record every 5s
>> while the video flow is active.  You don't need to set any variables, and argus will generate
>> flow records for you.  Change variables in the configuration when you want to change
>> argus's default behavior.
>> 
>> Carter
>> 
>> On Oct 25, 2010, at 11:47 AM, Berkay Celik wrote:
>> 
>>> Hey all, Carter,
>>> 
>>> The confusing point when I'm trying to create the flows:
>>> 
>>> ARGUS_FLOW_STATUS_INTERVAL is not the same as the tcp_inactivity_timeout and udp_inactivity_timeout, as far as I read. Is there an inactivity_timeout option
>>> in ARGUS? (Is ARGUS_MAR_STATUS_INTERVAL used for this purpose? I'm confused about the ARGUS_MAR_STATUS_INTERVAL variable.)
>>> 
>>> 
>>> Is there a way that I can directly get the flows regarding my definitions 1 and 2 (for TCP and UDP):
>>> 
>>> TCP: connection established (SYN sent, or 3-way handshake is done) within ARGUS_FLOW_STATUS_INTERVAL 45 s, or tcp_inactivity_timeout is 15 s
>>>    create the flows
>>> 
>>> UDP: within ARGUS_FLOW_STATUS_INTERVAL 45 s, or udp_inactivity_timeout is 15 s
>>>    create the flows
>>> 
>>> Is there a way to generate flows in argus as noted above?
>>> 
>>> Thanks,
>>> 
>>> Berkey
>>> 
>>> 
> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
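The distinction Carter draws above (the status interval periodically reports an active flow; the per-protocol idle timeout only decides when argus stops tracking a silent one) can be seen in a small model. This is an added example, not argus code: it is a simplified packet-driven simulation (real argus fires status reports from a timer), using the timeout values quoted from ArgusModeler.h and constructed sample packets.

```python
from collections import namedtuple

# Per-protocol idle timeouts (seconds) as listed in the thread, from ./argus/ArgusModeler.h
IDLE_TIMEOUT = {"tcp": 60, "udp": 30, "icmp": 5, "arp": 5, "igmp": 30, "other": 30}

Packet = namedtuple("Packet", "ts proto src sport dst dport")
Record = namedtuple("Record", "key start end pkts reason")

def flow_records(packets, status_interval=5):
    """Simplified model: the status interval splits an active flow into periodic
    records; the idle timeout closes a flow that has been silent too long.
    (Real argus fires status reports from a timer, not only on packet arrival.)"""
    records, active = [], {}
    for p in sorted(packets, key=lambda x: x.ts):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        f = active.get(key)
        if f is not None:
            idle = IDLE_TIMEOUT.get(p.proto, IDLE_TIMEOUT["other"])
            if p.ts - f["last"] > idle:
                # silent longer than the idle timeout: close the flow, start a new one
                records.append(Record(key, f["start"], f["last"], f["pkts"], "idle"))
                f = None
            elif p.ts - f["start"] >= status_interval:
                # status interval elapsed: report the flow so far and keep it active
                records.append(Record(key, f["start"], f["last"], f["pkts"], "status"))
                f = None
        if f is None:
            f = active[key] = {"start": p.ts, "last": p.ts, "pkts": 0}
        f["last"] = p.ts
        f["pkts"] += 1
    for key, f in active.items():  # flush flows still open at end of input
        records.append(Record(key, f["start"], f["last"], f["pkts"], "final"))
    return records

# Constructed sample: one TCP flow with an 18 s gap (within the 60 s TCP timeout,
# so only a status record is emitted) and a 79 s gap (beyond it, so the flow is
# closed); one ICMP flow with a 7 s gap (beyond its 5 s timeout).
SAMPLE_TCP = [Packet(t, "tcp", "10.0.0.1", 40000, "10.0.0.2", 80) for t in (0, 1, 2, 20, 21, 100)]
SAMPLE_ICMP = [Packet(t, "icmp", "10.0.0.1", 0, "10.0.0.2", 0) for t in (0, 3, 10)]

if __name__ == "__main__":
    for rec in flow_records(SAMPLE_TCP + SAMPLE_ICMP):
        print(rec.key[0], rec.start, rec.end, rec.pkts, rec.reason)
```

With the default 5 s interval the 15 s TCP gap Berkay asks about produces a new status record but not a new flow; only the ICMP gap exceeds its idle timeout.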


