Question about racluster()
Rafael Barbosa
rrbarbosa at gmail.com
Fri Sep 17 09:55:36 EDT 2010
Hi,
I have some questions regarding the flow definition in argus.
I generated imported a pcap file into argus (argus -r file.pcap >
file.argus) so I have flow records being generated every 5s intervals. I
used racluster() (racluster -r file-merged.argus) to merge the flow
information, so the fields TotBytes and TotPkts actually represent the total
of bytes and pkts for a given flow record, and not the total in 5s
intervals. However for my surprise some flows also had the value at the
field Trans changed (values up to 15467 transactions). Now the questions:
- What does the value of Trans mean in this case? Is it the number of
records merged?
- How does argus decide the end of flow?
Thanks,
Rafael Barbosa
http://www.vf.utwente.nl/~barbosarr/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100917/0139c648/attachment.html>
More information about the argus
mailing list