Problems with racluster
Rafael Barbosa
rrbarbosa at gmail.com
Wed Aug 29 09:22:41 EDT 2012
Hi all,
I am having some problems with a weird aggregation decision by racluster,
which inverts the server/client roles (i.e., the direction field). This is
what happens:
$> argus -r f2 -w f2.argus
$> ra -r f2.argus
21:09:30.971095 e tcp 172.31.1.100.10500 ?> 172.31.1.102.61722 1 66 CON
21:11:52.493919 e * tcp 172.31.1.102.61722 -> 172.31.1.100.10500 23 6838 FIN
$> racluster -r f2.argus -f racluster.conf
21:09:30.971095 e * tcp 172.31.1.100.10500 -> 172.31.1.102.61722 24 6904 FIN
$> cat racluster.conf
filter="" status=0 idle=300
The pcap from which I generated f2.argus is attached to this message. The
'f2' pcap file is rather peculiar with duplicated frames and is a fragment
of a larger capture where TCP ports are re-used in consecutive connections,
but it is not a "toy" file, it was captured in a real network environment.
My goal is to generate flow records with a 300s timeout, and label hosts
as servers and clients. Any thoughts on why this inversion happens, and how
I can work around it?
Thanks for the help,
Rafael Barbosa
http://www.ewi.utwente.nl/~barbosarr/
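A sanity check for the inversion described in this post, added here as an example and not part of the original message or of the argus tools: it parses ra text output, takes the client/server orientation from the first raw record with a definite direction, and flags any racluster record whose orientation contradicts it. The sample lines are the post's output re-joined onto single lines; treating "->" and "<-" as carrying the initiator and ignoring directions containing "?" is an assumption.

```python
import re

# Constructed sample: the ra / racluster output from the post, one record per line.
RAW = """\
21:09:30.971095 e tcp 172.31.1.100.10500 ?> 172.31.1.102.61722 1 66 CON
21:11:52.493919 e * tcp 172.31.1.102.61722 -> 172.31.1.100.10500 23 6838 FIN
"""
CLUSTERED = """\
21:09:30.971095 e * tcp 172.31.1.100.10500 -> 172.31.1.102.61722 24 6904 FIN
"""

# Fields in the post's output: time, flags (may contain spaces, e.g. "e *"),
# proto, src, direction token, dst, packets, bytes, state.
RECORD = re.compile(
    r"^(?P<time>\S+)\s+(?P<flags>.*?)\s*(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<dir>[<?-]*>|\??<[-?]*)\s+(?P<dst>\S+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<state>\S+)$")

def parse(text):
    """Parse ra text lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in
            (RECORD.match(line.strip()) for line in text.splitlines()) if m]

def flow_key(rec):
    """Direction-agnostic key so A->B and B->A land in the same bucket."""
    return (rec["proto"], frozenset((rec["src"], rec["dst"])))

def initiator(rec):
    """Endpoint recorded as the client, or None when the direction is unknown.
    Assumption: '->' means src initiated, '<-' means dst initiated."""
    if rec["dir"] == "->":
        return rec["src"]
    if rec["dir"] == "<-":
        return rec["dst"]
    return None

def check_inversions(raw_text, clustered_text):
    """Return (key, raw_client, clustered_client) for every merged record whose
    orientation contradicts a raw record that had a definite direction."""
    confirmed = {}
    for rec in parse(raw_text):
        who = initiator(rec)
        if who is not None:
            confirmed.setdefault(flow_key(rec), who)  # first definite direction wins
    findings = []
    for rec in parse(clustered_text):
        who, expect = initiator(rec), confirmed.get(flow_key(rec))
        if who is not None and expect is not None and who != expect:
            findings.append((flow_key(rec), expect, who))
    return findings

if __name__ == "__main__":
    for key, expect, got in check_inversions(RAW, CLUSTERED):
        print(f"inverted {key[0]} flow: raw client {expect}, clustered client {got}")
```

On the post's data the first raw record has an unknown direction ("?>", one packet, CON), and the merged record keeps that record's src as client, so the check reports one inversion against the confirmed "->" record.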