Problems with racluster

Rafael Barbosa rrbarbosa at gmail.com
Wed Sep 12 09:42:29 EDT 2012 

Hi Carter,

The new version seems to have solved the issue. As a bonus, is also seems
to have solved the direction bug when the SYN packet is missing I reported
in another thread.

I will start some larger tests and let you know if I run in other issues.

Thanks!
Rafael Barbosa
http://www.ewi.utwente.nl/~barbosarr/



On Wed, Sep 12, 2012 at 2:34 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Rafael,
> Try this version of argus-clients-3.0.7.2. Had to modify too many files to
> send a simple patch.
> Should do the trick.
> Carter
>
>
>
> On Sep 12, 2012, at 5:19 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>
> Hi Carter,
>
> I am still having problems with the patch. My aggregation strategy is the
> same:
> $> cat racluster.conf
> #Filter:every record, no record status output, record time out 5min
> filter="" status=0 status=60 idle=300
>
> However I see some records aggregated by subnetwork(?!). If I run:
> $> ~/workspace/argus-clients-3.0.7.1-patch2/bin/racluster -r preagg.argus
> -f racluster.conf -s saddr,sport,dir,daddr,dport
>
> One of the lines read:
> 172.31.0.0.*         ->         172.31.0.0.*
>
> I will upload preagg.argus to the ftp.
>
> Best regards,
> Rafael Barbosa
> http://www.ewi.utwente.nl/~barbosarr/
>
>
>
> On Mon, Sep 10, 2012 at 5:42 PM, Rafael Barbosa <rrbarbosa at gmail.com>wrote:
>
>> Hi again,
>>
>> Ok. That makes sense to me.
>>
>> My goal was to have a TCP flow == 1 record and I assumed because of the
>> SYN and FIN packets these records would not be aggregated. But I think the
>> output of racluster is now sufficient for my purposes.
>>
>> Best regards,
>> Rafael Barbosa
>> http://www.ewi.utwente.nl/~barbosarr/
>>
>>
>> On Mon, Sep 10, 2012 at 3:13 PM, Carter Bullard <carter at qosient.com>wrote:
>>
>>> Hey Rafael,
>>> I believe that its now working as advertised.
>>>
>>> Your " f1 " is done at 15:09:30.971092 and " f2 "
>>> starts at 15:11:52.493899,  which is
>>> only 141.522 seconds of idle time.  So you're racluster.conf strategy
>>> should only generate
>>> 1 flow record.  If you want to see status records at shorter intervals,
>>> but have the 300
>>> second idle time, add something to your status timer value, like 60 or
>>> 120 seconds.
>>>
>>> Carter
>>>
>>>
>>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120912/c6f2974b/attachment.html>

More information about the argus mailing list