Aggregation problems with racluster -m proto

Rafael Barbosa rrbarbosa at gmail.com
Wed Feb 16 05:47:33 EST 2011


Hi,

I found a problem when checking the values returned by racluster -m proto
(v. 3.0.3.22). The values for the "arp" protocol are wrong and the value for
"llc" changes after a simple aggregation.
Using the attached files, you can reproduce the error with these steps:

racluster -m proto -r file.argus -s proto pkts bytes -L0 > proto
racluster -r file.argus -w file.argus.merged -f racluster.conf
racluster -m proto -r file.argus.merged -s proto pkts bytes -L0 > proto.merged

The example file (file.argus) contains several records for arp flows, so the
output is wrong for both cases (proto and proto.merged). Moreover, the
packet and byte counts for "arp" and "llc" do not remain the same after
aggregation (proto != proto.merged).

Best regards,
Rafael Barbosa
http://www.vf.utwente.nl/~barbosarr/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file.argus
Type: application/octet-stream
Size: 257124 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110216/afa65b0a/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: racluster.conf
Type: application/octet-stream
Size: 96 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110216/afa65b0a/attachment-0001.obj>
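
Added example (not part of the original message or of the argus tools): a shell check that compares the per-protocol totals in proto and proto.merged from the steps above and lists the protocols whose counts changed. It assumes each file has one label line followed by rows of protocol, packets, bytes; the function name and the sample rows are constructed for illustration, not taken from file.argus.

```shell
#!/bin/sh
# Added example, not part of the original post or of the argus distribution.
# Assumption: each input is the output of
#   racluster -m proto ... -s proto pkts bytes -L0
# i.e. one label line, then rows of: <proto> <pkts> <bytes>.

# compare_proto BEFORE AFTER   (hypothetical helper name)
# Prints one line per protocol whose totals differ; returns 1 if any differ.
compare_proto() {
    rc=0
    out=$(awk '
        # Data rows only: three fields with integer counts (skips the label line).
        NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            seen[$1] = 1
            if (side == "before") { bp[$1] += $2; bb[$1] += $3 }
            else                  { ap[$1] += $2; ab[$1] += $3 }
        }
        END {
            for (p in seen)
                if (bp[p] + 0 != ap[p] + 0 || bb[p] + 0 != ab[p] + 0) {
                    printf "%s pkts %d -> %d bytes %d -> %d\n", p, bp[p], ap[p], bb[p], ab[p]
                    bad = 1
                }
            exit bad + 0
        }' side=before "$1" side=after "$2") || rc=$?
    if [ -n "$out" ]; then printf '%s\n' "$out" | sort; fi
    return "$rc"
}

# Constructed sample data (made-up counts, not taken from file.argus).
demo_dir=$(mktemp -d)
cat > "$demo_dir/proto" <<'EOF'
 Proto  TotPkts  TotBytes
   tcp     1200    980000
   udp      340     51000
   arp       75      4500
   llc       12      1104
EOF
cat > "$demo_dir/proto.merged" <<'EOF'
 Proto  TotPkts  TotBytes
   tcp     1200    980000
   udp      340     51000
   arp       60      3600
   llc       10       920
EOF
compare_proto "$demo_dir/proto" "$demo_dir/proto.merged" || echo "totals changed after aggregation"
```

A non-zero return means aggregation did not preserve the per-protocol totals, so counts taken from the merged file should not be relied on for traffic accounting until the difference is explained.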