Problems with racluster

Rafael Barbosa rrbarbosa at gmail.com
Wed Sep 12 05:19:12 EDT 2012


Hi Carter,

I am still having problems with the patch. My aggregation strategy is the
same:
$> cat racluster.conf
#Filter:every record, no record status output, record time out 5min
filter="" status=0 status=60 idle=300

However I see some records aggregated by subnetwork(?!). If I run:
$> ~/workspace/argus-clients-3.0.7.1-patch2/bin/racluster -r preagg.argus -f racluster.conf -s saddr,sport,dir,daddr,dport

One of the lines read:
172.31.0.0.*         ->         172.31.0.0.*

I will upload preagg.argus to the ftp.

Best regards,
Rafael Barbosa
http://www.ewi.utwente.nl/~barbosarr/



On Mon, Sep 10, 2012 at 5:42 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:

> Hi again,
>
> Ok. That makes sense to me.
>
> My goal was to have a TCP flow == 1 record and I assumed because of the
> SYN and FIN packets these records would not be aggregated. But I think the
> output of racluster is now sufficient for my purposes.
>
> Best regards,
> Rafael Barbosa
> http://www.ewi.utwente.nl/~barbosarr/
>
>
> On Mon, Sep 10, 2012 at 3:13 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> Hey Rafael,
>> I believe that it's now working as advertised.
>>
>> Your " f1 " is done at 15:09:30.971092 and " f2 " starts at 15:11:52.493899,
>> which is only 141.522 seconds of idle time.  So your racluster.conf strategy
>> should only generate 1 flow record.  If you want to see status records at
>> shorter intervals, but have the 300 second idle time, add something to your
>> status timer value, like 60 or 120 seconds.
>>
>> Carter
>>
>>
>>
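The idle-timeout rule Carter describes above (two records of the same flow key merge when the gap between the end of one and the start of the next is below the idle value, and a status timer splits the output at shorter intervals) can be reproduced in a small stand-alone model. The code below is an added example and not part of the thread or of argus-clients; it is a simplified reimplementation of the `idle`/`status` semantics, keyed on the same `saddr,sport,dir,daddr,dport` fields used in the racluster command, and the flow records, hostnames and packet counts are constructed. Only the two timestamps from Carter's message are taken from the thread.

```python
# Added example: a simplified model of racluster-style flow aggregation with
# an idle timeout (seconds of silence before a key starts a new record) and a
# status timer (maximum span of one output record, 0 = unlimited). The exact
# racluster behaviour may differ; this is an assumption-labelled model.
from dataclasses import dataclass, replace
from datetime import datetime


@dataclass
class Flow:
    saddr: str
    sport: int
    direction: str      # the "dir" field of the racluster key
    daddr: str
    dport: int
    stime: datetime     # first packet time
    ltime: datetime     # last packet time
    pkts: int

    def key(self):
        # Matches -s saddr,sport,dir,daddr,dport in the command from the thread.
        return (self.saddr, self.sport, self.direction, self.daddr, self.dport)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def idle_seconds(earlier, later):
    """Idle time between the end of one record and the start of the next."""
    return (later.stime - earlier.ltime).total_seconds()


def aggregate(records, idle=300.0, status=0.0):
    """Merge records that share a key while gaps stay within `idle` seconds.

    With status > 0, a merged record is never allowed to span more than
    `status` seconds; the next record then starts a fresh output record,
    which is how the status timer yields several records for one long flow.
    """
    finished = []
    open_flows = {}
    for rec in sorted(records, key=lambda r: r.stime):
        cur = open_flows.get(rec.key())
        if cur is not None:
            gap = idle_seconds(cur, rec)
            span = (rec.ltime - cur.stime).total_seconds()
            if gap > idle or (status > 0 and span > status):
                finished.append(cur)
                cur = None
        if cur is None:
            open_flows[rec.key()] = replace(rec)   # copy, do not alias input
        else:
            cur.ltime = max(cur.ltime, rec.ltime)
            cur.pkts += rec.pkts
    finished.extend(open_flows.values())
    return sorted(finished, key=lambda f: f.stime)


# Constructed sample input. f1/f2 reuse the two timestamps from the thread;
# addresses, ports and packet counts are made up. f3 is the same flow key much
# later (beyond the idle timeout); f4 is an unrelated flow key.
SAMPLE = [
    Flow("172.31.1.10", 40001, "->", "172.31.2.20", 80,
         parse_ts("2012-09-10 15:05:00.000000"), parse_ts("2012-09-10 15:09:30.971092"), 12),
    Flow("10.0.0.5", 5555, "->", "172.31.2.20", 443,
         parse_ts("2012-09-10 15:06:00.000000"), parse_ts("2012-09-10 15:06:01.000000"), 3),
    Flow("172.31.1.10", 40001, "->", "172.31.2.20", 80,
         parse_ts("2012-09-10 15:11:52.493899"), parse_ts("2012-09-10 15:12:10.000000"), 6),
    Flow("172.31.1.10", 40001, "->", "172.31.2.20", 80,
         parse_ts("2012-09-10 15:30:00.000000"), parse_ts("2012-09-10 15:30:05.000000"), 2),
]

if __name__ == "__main__":
    print("idle gap f1->f2: %.6f s" % idle_seconds(SAMPLE[0], SAMPLE[2]))
    for label, kwargs in (("idle=300 status=0", dict(idle=300)),
                          ("idle=300 status=60", dict(idle=300, status=60))):
        print(label)
        for f in aggregate(SAMPLE, **kwargs):
            print("  %s:%d %s %s:%d  %s .. %s  pkts=%d" % (
                f.saddr, f.sport, f.direction, f.daddr, f.dport,
                f.stime.time(), f.ltime.time(), f.pkts))
```

With `idle=300` and `status=0` the f1 and f2 records collapse into one, because their gap is 141.52 seconds; raising the status timer to 60 keeps them apart even though the idle timer has not expired, which is the effect Carter suggests for seeing records at shorter intervals.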