Problems with racluster
Rafael Barbosa
rrbarbosa at gmail.com
Thu Sep 13 05:09:09 EDT 2012
Hi Carter,
I still see some records aggregated by subnet (?!), with the same
racluster.conf.
I will upload 2 more files (preagg2.argus and preagg3.argus) where I see
the bug.
Rafael Barbosa
http://www.ewi.utwente.nl/~barbosarr/
On Wed, Sep 12, 2012 at 3:42 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
> Hi Carter,
>
> The new version seems to have solved the issue. As a bonus, is also seems
> to have solved the direction bug when the SYN packet is missing I reported
> in another thread.
>
> I will start some larger tests and let you know if I run in other issues.
>
> Thanks!
> Rafael Barbosa
> http://www.ewi.utwente.nl/~barbosarr/
>
>
>
> On Wed, Sep 12, 2012 at 2:34 PM, Carter Bullard <carter at qosient.com>wrote:
>
>> Hey Rafael,
>> Try this version of argus-clients-3.0.7.2. Had to modify too many files
>> to send a simple patch.
>> Should do the trick.
>> Carter
>>
>>
>>
>> On Sep 12, 2012, at 5:19 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>
>> Hi Carter,
>>
>> I am still having problems with the patch. My aggregation strategy is the
>> same:
>> $> cat racluster.conf
>> #Filter:every record, no record status output, record time out 5min
>> filter="" status=0 status=60 idle=300
>>
>> However I see some records aggregated by subnetwork(?!). If I run:
>> $> ~/workspace/argus-clients-3.0.7.1-patch2/bin/racluster -r preagg.argus
>> -f racluster.conf -s saddr,sport,dir,daddr,dport
>>
>> One of the lines read:
>> 172.31.0.0.* -> 172.31.0.0.*
>>
>> I will upload preagg.argus to the ftp.
>>
>> Best regards,
>> Rafael Barbosa
>> http://www.ewi.utwente.nl/~barbosarr/
>>
>>
>>
>> On Mon, Sep 10, 2012 at 5:42 PM, Rafael Barbosa <rrbarbosa at gmail.com>wrote:
>>
>>> Hi again,
>>>
>>> Ok. That makes sense to me.
>>>
>>> My goal was to have a TCP flow == 1 record and I assumed because of the
>>> SYN and FIN packets these records would not be aggregated. But I think the
>>> output of racluster is now sufficient for my purposes.
>>>
>>> Best regards,
>>> Rafael Barbosa
>>> http://www.ewi.utwente.nl/~barbosarr/
>>>
>>>
>>> On Mon, Sep 10, 2012 at 3:13 PM, Carter Bullard <carter at qosient.com>wrote:
>>>
>>>> Hey Rafael,
>>>> I believe that its now working as advertised.
>>>>
>>>> Your " f1 " is done at 15:09:30.971092 and " f2 "
>>>> starts at 15:11:52.493899, which is
>>>> only 141.522 seconds of idle time. So you're racluster.conf strategy
>>>> should only generate
>>>> 1 flow record. If you want to see status records at shorter intervals,
>>>> but have the 300
>>>> second idle time, add something to your status timer value, like 60 or
>>>> 120 seconds.
>>>>
>>>> Carter
>>>>
>>>>
>>>>
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120913/e1f7f26d/attachment.html>
More information about the argus
mailing list