How long does a flow needs to stay inactive before any resumption in activity is reported as a new flow
Huy N. Hang
hangh at cs.ucr.edu
Tue May 10 17:09:28 EDT 2011
Perfect!
Thank you much for your very helpful response!
On 05/10/2011 01:52 PM, Carter Bullard wrote:
> Hey Huy,
> Regarding flow inactivity timers. There are different timers for different types of flows; tcp, udp, ..... The timer values are chosen to minimize the memory use or to better track specific protocols. Most are 60 secs, the default for TCP is 120 secs, to match the fin wait state 2 timer. For flows where we have only seen 1 packet the timer is 5 secs (if I remember correctly). In argus-3.0.4+ all the timers are configurable in the /etc/argus.conf file.
>
> If a flow is idle beyond the inactivity timer, argus removes its cache, and any new packets will be tracked as a new flow.
>
> Carter
>
> On May 10, 2011, at 1:52 PM, "Huy N. Hang"<hangh at cs.ucr.edu> wrote:
>
>> Hello there,
>>
>> I just started using Argus yesterday, and I am very happy with how easy it is to use Argus.
>>
>> I only have one question about the flow aggregation within Argus, and I've read the manuals without being certain of what I found. And the question is how long a flow needs to stay inactive before it is concluded as finished and any resumption is considered as a new flow?
>>
>> Does Argus use such a metric at all in its packet-to-flow aggregation?
>>
>> Thanks!
>>
>>
>>
More information about the argus
mailing list