Problems with racluster

Carter Bullard carter at qosient.com
Wed Sep 12 08:34:23 EDT 2012


Hey Rafael,
Try this version of argus-clients-3.0.7.2. Had to modify too many files to send a simple patch.
Should do the trick.
Carter



On Sep 12, 2012, at 5:19 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:

> Hi Carter,
> 
> I am still having problems with the patch. My aggregation strategy is the same:
> $> cat racluster.conf 
> #Filter:every record, no record status output, record time out 5min
> filter="" status=0 status=60 idle=300
> 
> However I see some records aggregated by subnetwork(?!). If I run:
> $> ~/workspace/argus-clients-3.0.7.1-patch2/bin/racluster -r preagg.argus -f racluster.conf -s saddr,sport,dir,daddr,dport
> 
> One of the lines read:
> 172.31.0.0.*         ->         172.31.0.0.*
> 
> I will upload preagg.argus to the ftp.
> 
> Best regards,
> Rafael Barbosa
> http://www.ewi.utwente.nl/~barbosarr/
> 
> 
> 
> On Mon, Sep 10, 2012 at 5:42 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
> Hi again,
> 
> Ok. That makes sense to me. 
> 
> My goal was to have a TCP flow == 1 record and I assumed because of the SYN and FIN packets these records would not be aggregated. But I think the output of racluster is now sufficient for my purposes.
> 
> Best regards,
> Rafael Barbosa
> http://www.ewi.utwente.nl/~barbosarr/
> 
> 
> On Mon, Sep 10, 2012 at 3:13 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Rafael,
> I believe that it's now working as advertised.  
> 
> Your " f1 " is done at 15:09:30.971092 and " f2 " starts at 15:11:52.493899,  which is
> only 141.522 seconds of idle time.  So your racluster.conf strategy should only generate
> 1 flow record.  If you want to see status records at shorter intervals, but have the 300
> second idle time, add something to your status timer value, like 60 or 120 seconds.
> 
> Carter
> 
> 
> 
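The idle-timeout behaviour Carter describes above (f1 ends at 15:09:30.971092, f2 starts at 15:11:52.493899, a gap of 141.522 s, which is under the 300 s idle value, so the two become one record) as an added Python model. This is not argus-clients code and only approximates racluster: records sharing the `-s saddr,sport,dir,daddr,dport` key are merged when the gap between them is at most `idle` seconds, the status timer is not modelled, and the addresses, ports and packet counts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

FMT = "%Y-%m-%d %H:%M:%S.%f"


def ts(clock: str) -> datetime:
    # Constructed date; only the clock times come from the thread.
    return datetime.strptime("2012-09-10 " + clock, FMT)


@dataclass
class Flow:
    saddr: str
    sport: int
    dir: str
    daddr: str
    dport: int
    start: datetime
    end: datetime
    pkts: int

    def key(self) -> Tuple:
        # Same fields as: racluster -s saddr,sport,dir,daddr,dport
        return (self.saddr, self.sport, self.dir, self.daddr, self.dport)


# Constructed records carrying the f1 / f2 times quoted in the thread.
F1 = Flow("172.31.1.10", 51234, "->", "172.31.2.20", 80,
          ts("15:09:20.000000"), ts("15:09:30.971092"), 12)
F2 = Flow("172.31.1.10", 51234, "->", "172.31.2.20", 80,
          ts("15:11:52.493899"), ts("15:12:00.000000"), 4)
# Same hosts, different source port: a different key, never merged with F1/F2.
F3 = Flow("172.31.1.10", 51235, "->", "172.31.2.20", 80,
          ts("15:09:25.000000"), ts("15:09:40.000000"), 3)


def gap_seconds(earlier: Flow, later: Flow) -> float:
    """Idle time between the end of one record and the start of the next."""
    return (later.start - earlier.end).total_seconds()


def cluster(flows: List[Flow], idle: float) -> List[Flow]:
    """Merge same-key records whose inter-record gap is <= idle seconds."""
    buckets: Dict[Tuple, List[Flow]] = {}
    for f in sorted(flows, key=lambda r: r.start):
        recs = buckets.setdefault(f.key(), [])
        if recs and gap_seconds(recs[-1], f) <= idle:
            last = recs[-1]  # extend the open record instead of emitting a new one
            recs[-1] = Flow(*f.key(), min(last.start, f.start),
                            max(last.end, f.end), last.pkts + f.pkts)
        else:
            recs.append(f)
    return [r for recs in buckets.values() for r in recs]
```

With `idle=300` the F1/F2 pair collapses to one record, with `idle=120` it stays as two, which is the difference Carter is pointing at.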
