Question about racluster()

Carter Bullard carter at qosient.com
Fri Sep 17 10:23:06 EDT 2010


Hey Rafael,
When any aggregation is done (ratop, racluster, rabins) the process results in the creation of an aggregation data set record (AGR_DSR).
This DSR contains the basic statistics for a single metric that you aggregate on.  The default is "dur", which I have found to be one
of the most important for aggregation.  The AGR_DSR holds:  N, Mean, Min, Max, and StdDev for the aggregated metric.  

"Trans" is the value "N" in the AGR_DSR.  If there is an AGR_DSR, we print N, if not we print 1.

When you merge primitive data (records directly from argus or radium), without changing the flow key ("-m fields" option),
you will merge all the status records for each unique 5-tuple flow that is in the data set.  So for some flows, like NFS, or some
DNS relationships, which are very long lived, after you merge, you will have a large number of flow status records that were
matched and aggregated.  "Trans" represents the number of records that were merged to create this single aggregated flow
record.

If you are curious, find a record that has a lot of status records, output them to a file, and then run racluster() against the file,
modifying the flow key using the "-m fields" option, to see how it works.  

If you want to remove the aggregation dsr, for example, because you want to aggregate a stream multiple times, and you want
N to represent the result on the last aggregation, remove the agr dsr on input:
   racluster -r file -M dsrs="-agr"

Argus has a lot of rules for reporting on flow activity.  racluster() has only a few, in order to make aggregation simple and
so it can produce expected results.  For argus, it's mainly time (the ARGUS_FAR_STATUS_INTERVAL), but argus has
state machines for many protocols, and it can use those to make decisions on how to report the activity on a particular flow.

Hope that helps,

Carter
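The merging behaviour described in the reply above, as an added Python model (not argus or racluster code, and not from the argus project): records are plain dicts, the field names (stime, ltime, dur, pkts, bytes, and an "agr" key standing in for the AGR_DSR), the functions aggregate_records(), strip_agr() and trans(), and the four sample status records are all constructed for illustration. The model keeps the points the reply makes: records sharing the flow key are merged, the AGR_DSR holds N, mean, min, max and stddev of the aggregated metric (default "dur"), "Trans" prints N when an AGR_DSR is present and 1 otherwise, and dropping the AGR_DSR on input (as with -M dsrs="-agr") makes N count only the last aggregation pass. How the merged record's own dur is derived (ltime minus stime) and how an existing AGR_DSR is pooled into a second pass are assumptions of this model, not a description of argus internals.

```python
"""Model of how racluster() merges argus status records and fills the
aggregation DSR (AGR_DSR).  Added example, not argus code."""
import math

FIVE_TUPLE = ("proto", "saddr", "sport", "daddr", "dport")

# Constructed sample: primitive status records, one per status interval
# (5 s here), for a long-lived DNS flow and a short HTTP flow.  A record
# without an "agr" key carries no AGR_DSR, like records straight from argus.
SAMPLE = [
    {"proto": "udp", "saddr": "10.0.0.5", "sport": 5353, "daddr": "10.0.0.53",
     "dport": 53, "stime": 0.0, "ltime": 5.0, "dur": 5.0, "pkts": 4, "bytes": 400},
    {"proto": "udp", "saddr": "10.0.0.5", "sport": 5353, "daddr": "10.0.0.53",
     "dport": 53, "stime": 5.0, "ltime": 10.0, "dur": 5.0, "pkts": 6, "bytes": 600},
    {"proto": "udp", "saddr": "10.0.0.5", "sport": 5353, "daddr": "10.0.0.53",
     "dport": 53, "stime": 10.0, "ltime": 12.0, "dur": 2.0, "pkts": 1, "bytes": 90},
    {"proto": "tcp", "saddr": "10.0.0.5", "sport": 40001, "daddr": "93.184.216.34",
     "dport": 80, "stime": 1.0, "ltime": 1.8, "dur": 0.8, "pkts": 12, "bytes": 5000},
]


def trans(rec):
    """'Trans' as the reply defines it: N from the AGR_DSR if present, else 1."""
    return rec["agr"]["n"] if "agr" in rec else 1


def strip_agr(records):
    """Model of -M dsrs="-agr": drop the aggregation DSR on input."""
    return [{k: v for k, v in r.items() if k != "agr"} for r in records]


def _moments(rec, metric):
    """(n, sum, sum of squares, min, max) of `metric` for one input record.
    Modelling assumption: a record that already carries an AGR_DSR has its
    N, mean and stddev expanded so a second pass pools the statistics of the
    original status records instead of treating the aggregate as one sample."""
    if "agr" in rec:
        a = rec["agr"]
        n, m, sd = a["n"], a["mean"], a["stddev"]
        return n, n * m, n * (sd * sd + m * m), a["min"], a["max"]
    x = float(rec[metric])
    return 1, x, x * x, x, x


def aggregate_records(records, key=FIVE_TUPLE, metric="dur"):
    """Merge records that share the flow `key` (default: the 5-tuple, as
    racluster without -m) and attach an AGR_DSR for `metric`."""
    groups = {}
    for r in records:
        groups.setdefault(tuple(r[f] for f in key), []).append(r)
    merged = []
    for k, rs in groups.items():
        n = s = sq = 0.0
        lo, hi = math.inf, -math.inf
        for r in rs:
            rn, rsum, rsq, rlo, rhi = _moments(r, metric)
            n, s, sq = n + rn, s + rsum, sq + rsq
            lo, hi = min(lo, rlo), max(hi, rhi)
        mean = s / n
        var = max(sq / n - mean * mean, 0.0)  # clamp rounding noise below zero
        out = dict(zip(key, k))
        out["stime"] = min(r["stime"] for r in rs)
        out["ltime"] = max(r["ltime"] for r in rs)
        out["dur"] = out["ltime"] - out["stime"]    # span of the merged flow (assumption)
        out["pkts"] = sum(r["pkts"] for r in rs)    # TotPkts
        out["bytes"] = sum(r["bytes"] for r in rs)  # TotBytes
        out["agr"] = {"n": int(n), "mean": mean, "min": lo, "max": hi,
                      "stddev": math.sqrt(var)}
        merged.append(out)
    return merged


def show(label, records):
    print(label)
    for r in records:
        print("  %-4s %s:%s -> %s:%s dur=%.1f pkts=%d bytes=%d trans=%d" % (
            r["proto"], r["saddr"], r["sport"], r["daddr"], r["dport"],
            r["dur"], r["pkts"], r["bytes"], trans(r)))


if __name__ == "__main__":
    first = aggregate_records(SAMPLE)  # like: racluster -r file
    show("pass 1, 5-tuple key (Trans = status records merged):", first)
    # Second aggregation on a coarser key, like racluster -m saddr on the
    # output of the first pass.  With the AGR_DSR kept, N keeps counting the
    # original status records; with it stripped, N counts only this pass.
    kept = aggregate_records(first, key=("saddr",))
    stripped = aggregate_records(strip_agr(first), key=("saddr",))
    print("pass 2 trans, agr kept:", trans(kept[0]))
    print("pass 2 trans, agr stripped:", trans(stripped[0]))
```

Running it merges the three DNS status records into one flow with Trans=3 (mean dur 4.0, min 2.0, max 5.0) and leaves the HTTP flow at Trans=1; the second pass on saddr alone reports Trans=4 with the AGR_DSR kept and Trans=2 with it stripped, which is the difference the reply describes for -M dsrs="-agr".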

On Sep 17, 2010, at 9:55 AM, Rafael Barbosa wrote:

> Hi,
> 
> I have some questions regarding the flow definition in argus. 
> 
> I imported a pcap file into argus (argus -r file.pcap > file.argus) so I have flow records being generated every 5s intervals. I used racluster() (racluster -r file-merged.argus) to merge the flow information, so the fields TotBytes and TotPkts actually represent the total of bytes and pkts for a given flow record, and not the total in 5s intervals. However to my surprise some flows also had the value at the field Trans changed (values up to 15467 transactions). Now the questions:
> 
> - What does the value of Trans mean in this case? Is it the number of records merged?
> - How does argus decide the end of flow?
> 
> Thanks,
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
> 

