Huge argus files and racluster
Peter Van Epp
vanepp at sfu.ca
Thu Feb 9 17:14:16 EST 2012
On Thu, Feb 09, 2012 at 10:46:39AM +0100, Marco wrote:
<snip>
>
> I had tried that indeed, but I thought that one could do it "on the
> fly" (ie, just add "-M rmon" to the client, and add a filter on
> src/dst/etc in the same command), while it turns out that you have to
> explicitly write a new argus file from the -M rmon output, and then
> run subsequent commands on that new file. It even looks like you don't
> need the MAC information, at least in the few tests I've done so far.
>
> Thanks!
I believe that the clients (unlike the perl scripts) do need to write
the rmon data to a file first then process that (presumably a quirk in when
filtering takes place although I haven't looked). You will need to filter
either on MAC or an address range to tie the argus data to direction on the
wire correctly though. Argus treats the source as whoever started the
connection without regard to direction on the wire and thus sometimes that
direction will be wrong unless it is tied to something (such as the gateway
MAC) that is tied to direction on the wire. Good luck!
Peter Van Epp
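The two-step workflow the thread settles on (write the `-M rmon` output to its own argus file, then run the filtered queries against that file), as an added shell example that is not part of the original message or the argus distribution. It assumes the input/output file names and the example network 192.0.2.0/24; `racluster -M rmon`, `-r`, `-w`, `ra -n` and the `src net` filter are standard argus client options, and the address-range filter is the "tie direction to something on the wire" step the reply recommends (a gateway MAC filter would serve the same purpose).

```shell
# Added example: rmon pass first, filter second (not code from the thread).

# Step 1: aggregate the raw argus file into rmon-style records, written to
# a new file. Filters are not applied here; that is the quirk described above.
rmon_pass() {
    infile=$1; outfile=$2
    racluster -M rmon -r "$infile" -w "$outfile"
}

# Step 2: query the rmon file. Filtering on an address range (assumed
# 192.0.2.0/24 below) makes "src" mean the side of the wire you care about
# rather than whichever host happened to send the first packet.
filter_pass() {
    rmonfile=$1; net=$2
    ra -n -r "$rmonfile" - src net "$net"
}

# Compose the command lines without running them, so the workflow can be
# inspected (or checked) on a machine without the argus clients installed.
rmon_cmd() { printf 'racluster -M rmon -r %s -w %s\n' "$1" "$2"; }
filter_cmd() { printf 'ra -n -r %s - src net %s\n' "$1" "$2"; }

# Run both steps when racluster and ra are available; otherwise report what
# would have run and return 2.
run_workflow() {
    infile=$1; rmonfile=$2; net=$3
    if ! command -v racluster >/dev/null 2>&1 || ! command -v ra >/dev/null 2>&1; then
        echo "argus clients not installed; would run:" >&2
        rmon_cmd "$infile" "$rmonfile" >&2
        filter_cmd "$rmonfile" "$net" >&2
        return 2
    fi
    rmon_pass "$infile" "$rmonfile" && filter_pass "$rmonfile" "$net"
}

# Usage (file names are assumptions):
#   run_workflow huge.argus huge-rmon.argus 192.0.2.0/24
```

Keeping the rmon file around is worthwhile: every later `ra`/`racluster` query with a different filter reads the already-aggregated file instead of re-clustering the huge original.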