Problems with racluster

Rafael Barbosa rrbarbosa at gmail.com
Mon Sep 10 11:42:25 EDT 2012


Hi again,

Ok. That makes sense to me.

My goal was to have a TCP flow == 1 record and I assumed because of the SYN
and FIN packets these records would not be aggregated. But I think the
output of racluster is now sufficient for my purposes.

Best regards,
Rafael Barbosa
http://www.ewi.utwente.nl/~barbosarr/


On Mon, Sep 10, 2012 at 3:13 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Rafael,
> I believe that it's now working as advertised.
>
> Your " f1 " is done at 15:09:30.971092 and " f2 " starts at 15:11:52.493899,
> which is only 141.522 seconds of idle time.  So your racluster.conf strategy
> should only generate 1 flow record.  If you want to see status records at
> shorter intervals, but have the 300 second idle time, add something to your
> status timer value, like 60 or 120 seconds.
>
> Carter
>
>
>