A bug and a question

Rafael Barbosa rrbarbosa at gmail.com
Fri Feb 11 09:49:37 EST 2011


I managed to make a small patch to racluster() to solve my question. My
impression was that racluster was comparing the value "idle" (read from
racluster.conf) with the duration of the flow, instead of calculating the
flow idle time. This is what I've done:

--- clients/racluster.c.old 2011-02-11 15:31:31.000000000 +0100
+++ clients/racluster.c 2011-02-11 15:32:55.000000000 +0100
@@ -545,7 +545,7 @@
                   RaSendArgusRecord(tns);
                   ArgusZeroRecord(tns);
                } else {
-                  dur = ((tnslt > nslt) ? tnslt : nslt) - ((nsst < tnsst) ?
nsst : tnsst);
+                  dur = ((nsst > tnsst) ? nsst : tnsst) - ((tnslt < nslt) ?
tnslt : nslt);
                   if (agg->idleint && (dur >= agg->idleint)) {
                      RaSendArgusRecord(tns);
                      ArgusZeroRecord(tns);
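Review bot: the new `+` expression (`max(nsst, tnsst) - min(tnslt, nslt)`) is the gap between the later start and the earlier last-seen time, which is the idle interval only while the two records do not overlap; when the incoming record starts before the aggregate's last-seen time the difference goes negative, and if `dur` is an unsigned type it wraps to a large value and the `dur >= agg->idleint` test fires on every overlapping record. Clamp it, e.g. compute the later start and earlier last separately and use `dur = (later > earlier) ? later - earlier : 0;`. Also, the mail client wrapped both the `-` and `+` lines mid-expression (`... ? tnslt : nslt) - ((nsst < tnsst) ?` / `nsst : tnsst);`), so the hunk will not apply as pasted; resend it as an attachment.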

I did not do intensive testing, but now it seems that racluster() is
behaving as I expected.

Regarding the bug, I still don't know why version 3.0.3.19 does not report
the start time correctly though.

Best regards,
Rafael Barbosa
http://www.vf.utwente.nl/~barbosarr/
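To make the difference between the two expressions concrete, here is an added example (not code from the argus project or from the mail above) that replays a stream of constructed status records through the flush decision shown in the hunk. The record type, the `replay` and `count_records` helpers and the 5-second record size are assumptions for the example; only the two formulas and the `idleint` test come from the patch. It also clamps the idle gap to zero so an overlapping record cannot produce a negative value, which the posted patch does not do.

```c
#include <stdio.h>

/* Constructed flow record for this example (hypothetical; not argus's own
 * struct). Times are seconds; "last" is the last packet seen in the record. */
typedef struct {
    double start;
    double last;
} rec_t;

/* The expression racluster.c used before the patch: it yields the span of the
 * merged record (latest end minus earliest start), not the idle time.       */
double merged_span(rec_t tns, rec_t ns)
{
    double tnsst = tns.start, tnslt = tns.last;
    double nsst = ns.start, nslt = ns.last;
    return ((tnslt > nslt) ? tnslt : nslt) - ((nsst < tnsst) ? nsst : tnsst);
}

/* The patched idea: later start minus earlier end. Clamped to zero here so an
 * overlapping or out-of-order record cannot produce a negative (or, for an
 * unsigned dur, huge) value. */
double idle_gap(rec_t tns, rec_t ns)
{
    double later_start = (ns.start > tns.start) ? ns.start : tns.start;
    double earlier_last = (tns.last < ns.last) ? tns.last : ns.last;
    return (later_start > earlier_last) ? later_start - earlier_last : 0.0;
}

/* Replay a stream of records through the flush decision from the hunk:
 * flush (send + zero) when idleint is set and dur >= idleint, else merge.
 * Returns the number of records emitted, including the final one. */
int replay(const rec_t *recs, int n, double idleint, int use_gap)
{
    rec_t agg = {0, 0};
    int have = 0, emitted = 0;

    for (int i = 0; i < n; i++) {
        rec_t ns = recs[i];
        if (!have) { agg = ns; have = 1; continue; }

        double dur = use_gap ? idle_gap(agg, ns) : merged_span(agg, ns);
        if (idleint > 0 && dur >= idleint) {
            emitted++;          /* RaSendArgusRecord(tns); ArgusZeroRecord(tns); */
            agg = ns;
        } else {
            if (ns.start < agg.start) agg.start = ns.start;
            if (ns.last > agg.last) agg.last = ns.last;
        }
    }
    if (have) emitted++;        /* whatever is still open is sent at end of input */
    return emitted;
}

#define NRECS 590   /* 590 x 5 s = 2950 s, "almost 50 min" of one flow */

/* Constructed input: back-to-back 5-second status records of one flow.
 * Records from index 300 on are shifted by `hole` seconds, so hole > 0
 * inserts a real idle period in the middle of the flow. */
int count_records(int use_gap, double hole)
{
    rec_t recs[NRECS];
    for (int i = 0; i < NRECS; i++) {
        double shift = (i >= 300) ? hole : 0.0;
        recs[i].start = 5.0 * i + shift;
        recs[i].last = 5.0 * i + 5.0 + shift;
    }
    return replay(recs, NRECS, 300.0, use_gap);
}

int main(void)
{
    printf("continuous flow, idle=300: span formula -> %d records, gap formula -> %d record(s)\n",
           count_records(0, 0.0), count_records(1, 0.0));
    printf("same flow with a 400 s hole: span formula -> %d records, gap formula -> %d records\n",
           count_records(0, 400.0), count_records(1, 400.0));
    return 0;
}
```

With the span formula, a continuous 2950-second flow is cut every time the aggregate reaches 300 seconds and comes out as 10 records, none longer than 300 seconds, which matches the symptom in the original question; with the gap formula the same input yields one record, and only a real hole of 400 seconds splits it into two.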



On Fri, Feb 11, 2011 at 10:50 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:

> Hi all,
>
> First my question: I've been playing around with racluster.conf to get a
> simple aggregation based on a time out period. What I want is to generate
> one flow record (5-tuple) every time a flow is idle (no traffic) for
> 5 minutes or more. For that I used the following racluster.conf:
>
> filter="" status=0 idle=300
>
> In my test file (sample.pcap/sample.argus, attached) I have one single flow
> between two hosts that spans over almost 50 min. With the conf file above I
> expected to have only one record, as the flow is never idle for more than 5
> min. However, I have 10 records as output, never bigger than 300 seconds.
> Is that the expected behavior? If so, how can I generate the output I want
> with argus?
>
>
> Now the bug:
> When using ra() version 3.0.3.19 to read sample.argus, the last record is
> displayed *without* a start time. ra() version 3.0.2 displays the start time
> correctly.
> When using clients version 3.0.3.19:
> $ racluster -r sample.argus -w sample.racluster
> $ ra  -r  sample.racluster
> ra[22170]: 10:47:58.899768 ArgusGenerateRecord: time format
> incorrect:388356
>
> Again, version 3.0.2 does not have this problem.
>
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
>
>