argus manual

Carter Bullard carter at qosient.com
Mon Sep 10 07:43:03 EDT 2012


Hey CS Lee,
Wow, thanks, I'll add it now.  The option is in the " argus -h " output,
and it's pretty well described in the example ./support/Config/argus.conf file.

The packet size reporting provides mean, max, min and std deviation for the
packet sizes seen during the flow reporting interval, for both directions.  And
when you merge records together, all the stats merge correctly, or at least that
is the design.

For networking geeks, the max packet size seen is really cool, as you can
use this to detect MTU mismatching very easily, by comparing the max size
seen from a sensor near the source ( offered packet size ), and one near the
destination ( path packet size ) to detect if there are differences.

We will have packet size distribution reporting in argus-3.0.7.x in a few months.
This is a part of the extended behavioral reporting that is coming out for argus-3.0.8,
along with inter-packet arrival time distribution reporting.  Both of these are a bit
expensive to track, but are great for doing some behavioral profiling.

Carter

On Sep 10, 2012, at 2:40 AM, CS Lee <geek00l at gmail.com> wrote:

> hi Carter,
> 
> -Z option is not in the argus man page, maybe you want to add it in case people may miss this great feature to report packet size in the network flow.
> 
> -- 
> Best Regards,
> 
> CS Lee<geek00L[at]gmail.com>
> 
> http://geek00l.blogspot.com
> http://defcraft.net

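The two points above, merging per-direction packet-size stats across records and comparing the max size seen by a source-side and a destination-side sensor, as an added example that is not argus code and not from the thread; the record layout (count, mean, min, max, population stddev) and the sample sizes are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass
class PktSizeStats:
    """Packet-size summary for one direction of one flow record (assumed layout)."""
    count: int      # packets seen in the reporting interval
    mean: float
    minimum: int
    maximum: int
    stddev: float   # population standard deviation

    @classmethod
    def from_sizes(cls, sizes):
        n = len(sizes)
        mean = sum(sizes) / n
        var = sum((s - mean) ** 2 for s in sizes) / n
        return cls(n, mean, min(sizes), max(sizes), sqrt(var))


def merge_stats(a: PktSizeStats, b: PktSizeStats) -> PktSizeStats:
    """Merge two interval summaries so the result equals stats over the union of packets.

    Mean and variance are combined with the parallel (Chan et al.) formula, so no
    per-packet data is needed; min/max merge trivially.
    """
    if a.count == 0:
        return b
    if b.count == 0:
        return a
    n = a.count + b.count
    delta = b.mean - a.mean
    mean = a.mean + delta * b.count / n
    m2 = (a.stddev ** 2 * a.count + b.stddev ** 2 * b.count
          + delta ** 2 * a.count * b.count / n)
    return PktSizeStats(n, mean, min(a.minimum, b.minimum),
                        max(a.maximum, b.maximum), sqrt(m2 / n))


def mtu_shrink(src_side: PktSizeStats, dst_side: PktSizeStats) -> int:
    """Bytes by which the largest packet observed near the destination falls short
    of the largest packet offered near the source (0 means no mismatch seen)."""
    diff = src_side.maximum - dst_side.maximum
    return diff if diff > 0 else 0


if __name__ == "__main__":
    # Constructed sample: two consecutive reporting intervals for the same direction.
    first = PktSizeStats.from_sizes([60, 1500, 1500, 60])
    second = PktSizeStats.from_sizes([1500, 100])
    print(merge_stats(first, second))
    print(mtu_shrink(first, PktSizeStats.from_sizes([60, 1492, 1492])))
```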