A bug and a question

Rafael Barbosa rrbarbosa at gmail.com
Fri Feb 11 04:50:46 EST 2011


Hi all,

First my question: I've been playing around with racluster.conf to get a
simple aggregation based on a time out period. What I want is to generate
one flow record (5-tuple) every time a flow is idle (no traffic) for
5 minutes or more. For that I used the following racluster.conf:

filter="" status=0 idle=300

In my test file (sample.pcap/sample.argus, attached) I have one single flow
between two hosts that spans almost 50 min. With the conf file above I
expected to have only one record, as the flow is never idle for more than 5
min. However, I have 10 records as output, never bigger than 300 seconds.
Is that the expected behavior? If so, how can I generate the output I want
with argus?


Now the bug:
When using ra() version 3.0.3.19 to read sample.argus, the last record is
displayed *without* a start time. ra() version 3.0.2 displays the start time
correctly.
When using clients version 3.0.3.19:
$ racluster -r sample.argus -w sample.racluster
$ ra  -r  sample.racluster
ra[22170]: 10:47:58.899768 ArgusGenerateRecord: time format incorrect:388356

Again, version 3.0.2 does not have this problem.

Rafael Barbosa
http://www.vf.utwente.nl/~barbosarr/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: racluster.conf
Type: application/octet-stream
Size: 28 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110211/7a8ac439/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sample.argus
Type: application/octet-stream
Size: 44584 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110211/7a8ac439/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sample.pcap
Type: application/octet-stream
Size: 72370 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110211/7a8ac439/attachment-0002.obj>
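The aggregation the question asks for, one record per 5-tuple per activity period with a new record started only after 300 s or more of silence, written out as an added Python example. It is not part of this message or of the argus clients, runs on constructed records rather than the attached sample.argus, and the record fields and function names are my own, not ra()'s.

```python
from dataclasses import dataclass, replace

IDLE_TIMEOUT = 300.0  # seconds, matching idle=300 in the racluster.conf above


@dataclass
class FlowRecord:
    """Minimal stand-in for an argus flow record (constructed field set)."""
    start: float   # time of the first packet covered by the record
    last: float    # time of the last packet covered by the record
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    pkts: int

    def key(self):
        return (self.proto, self.saddr, self.sport, self.daddr, self.dport)


def aggregate_by_idle(records, idle=IDLE_TIMEOUT):
    """Merge records sharing a 5-tuple into one record per activity period.

    A record is appended to the open record for its 5-tuple when the gap
    between that record's last packet and this record's first packet is
    below `idle`; a gap of `idle` seconds or more closes the old record and
    opens a new one, regardless of how long the merged record already is."""
    merged, open_flows = [], {}
    for rec in sorted(records, key=lambda r: r.start):
        cur = open_flows.get(rec.key())
        if cur is not None and rec.start - cur.last < idle:
            cur.last = max(cur.last, rec.last)
            cur.pkts += rec.pkts
        else:
            cur = replace(rec)          # copy, so the input is left untouched
            open_flows[rec.key()] = cur
            merged.append(cur)
    return merged


def constructed_records(gap_after_fourth=1.0):
    """Ten consecutive 300 s status records of one TCP flow, constructed to
    mirror the ten records the poster saw; the gap after the fourth record
    can be widened to simulate a real idle period."""
    recs, t = [], 0.0
    for i in range(10):
        recs.append(FlowRecord(t, t + 299.0, "tcp", "10.0.0.1", 40000,
                               "10.0.0.2", 443, 100))
        t += 300.0 if i != 3 else 299.0 + gap_after_fourth
    return recs
```

With the default 1 s gaps the ten records collapse into a single 0 to 2999 s record; widening the gap after the fourth record to 300 s or more yields two records, which is the boundary behaviour the question is after.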