Problems with racluster

Rafael Barbosa rrbarbosa at gmail.com
Tue Sep 25 05:56:37 EDT 2012


Hi again,

I still see some subnetwork aggregation. Most of it at roughly the same
time, so hopefully they are caused by the same bug. Same config as before.

The error appears when running:
$> ~/workspace/argus-clients-3.0.7.2-patch/bin/racluster -r part1 part2 -f
~/config/racluster.conf

I see another subnet aggregation later in the trace, but I am having
problems replicating it in a small test. I will try again when I get some
more free time.

I uploaded parts.tar.gz containing part1 and part2 to the ftp.

Rafael Barbosa
http://www.ewi.utwente.nl/~barbosarr/



On Wed, Sep 19, 2012 at 5:11 AM, Carter Bullard <carter at qosient.com> wrote:

> Hey Rafael and Harika,
> Use this racluster.c with your argus-clients-3.0.7.2, to see if it solves
> that last direction problem you reported.
> Thanks !!!!
>
> Carter
>
>
>
> On Sep 13, 2012, at 5:09 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>
> Hi Carter,
>
> I still see some records aggregated by subnet (?!), with the same
> racluster.conf.
> I will upload 2 more files (preagg2.argus and preagg3.argus) where I see
> the bug.
>
> Rafael Barbosa
> http://www.ewi.utwente.nl/~barbosarr/
>
>
>
> On Wed, Sep 12, 2012 at 3:42 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>
>> Hi Carter,
>>
>> The new version seems to have solved the issue. As a bonus, it also seems
>> to have solved the direction bug when the SYN packet is missing that I
>> reported in another thread.
>>
>> I will start some larger tests and let you know if I run into other issues.
>>
>> Thanks!
>> Rafael Barbosa
>> http://www.ewi.utwente.nl/~barbosarr/
>>
>>
>>
>> On Wed, Sep 12, 2012 at 2:34 PM, Carter Bullard <carter at qosient.com> wrote:
>>
>>> Hey Rafael,
>>> Try this version of argus-clients-3.0.7.2. Had to modify too many files
>>> to send a simple patch.
>>> Should do the trick.
>>> Carter
>>>
>>>
>>>
>>> On Sep 12, 2012, at 5:19 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>>
>>> Hi Carter,
>>>
>>> I am still having problems with the patch. My aggregation strategy is
>>> the same:
>>> $> cat racluster.conf
>>> #Filter:every record, no record status output, record time out 5min
>>> filter="" status=0 status=60 idle=300
>>>
>>> However I see some records aggregated by subnetwork(?!). If I run:
>>> $> ~/workspace/argus-clients-3.0.7.1-patch2/bin/racluster -r
>>> preagg.argus -f racluster.conf -s saddr,sport,dir,daddr,dport
>>>
>>> One of the lines read:
>>> 172.31.0.0.*         ->         172.31.0.0.*
>>>
>>> I will upload preagg.argus to the ftp.
>>>
>>> Best regards,
>>> Rafael Barbosa
>>> http://www.ewi.utwente.nl/~barbosarr/
>>>
>>>
>>>
>>> On Mon, Sep 10, 2012 at 5:42 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>>
>>>> Hi again,
>>>>
>>>> Ok. That makes sense to me.
>>>>
>>>> My goal was to have a TCP flow == 1 record and I assumed because of the
>>>> SYN and FIN packets these records would not be aggregated. But I think the
>>>> output of racluster is now sufficient for my purposes.
>>>>
>>>> Best regards,
>>>> Rafael Barbosa
>>>> http://www.ewi.utwente.nl/~barbosarr/
>>>>
>>>>
>>>> On Mon, Sep 10, 2012 at 3:13 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>
>>>>> Hey Rafael,
>>>>> I believe that it's now working as advertised.
>>>>>
>>>>> Your " f1 " is done at 15:09:30.971092 and " f2 "
>>>>> starts at 15:11:52.493899, which is
>>>>> only 141.522 seconds of idle time. So your racluster.conf strategy
>>>>> should only generate
>>>>> 1 flow record. If you want to see status records at shorter
>>>>> intervals, but have the 300
>>>>> second idle time, add something to your status timer value, like 60 or
>>>>> 120 seconds.
>>>>>
>>>>> Carter
>>>>>
>>>>>
>>>>>
>>>
>>>
>>>
>>
>
>
>
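The idle-timeout behaviour Carter describes above (two flows with the same key and a 141.5 s gap collapse into one record under idle=300, and a non-zero status timer splits them again) can be checked with the small simulation below. This is an added example and not argus or racluster code; it models only the idle and status rules from the quoted racluster.conf (filter="" status=0 status=60 idle=300) and uses constructed flow timestamps, with f1 and f2 borrowing the end/start times quoted in the thread. The key tuple, the Flow/Record types and the cluster() function are all assumptions made for the illustration.

```python
from dataclasses import dataclass


def hms(ts: str) -> float:
    """Parse an HH:MM:SS.ffffff timestamp into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class Flow:
    # Constructed sample key: (saddr, sport, daddr, dport), like -s saddr,sport,daddr,dport
    key: tuple
    start: float
    end: float
    pkts: int


@dataclass
class Record:
    key: tuple
    start: float
    end: float
    pkts: int


def cluster(flows, idle: float, status: float = 0) -> list:
    """Simplified model of racluster's idle/status handling (assumption, not argus code).

    Flows sharing a key are merged into one record as long as the gap between
    the open record's end and the next flow's start is below `idle` seconds.
    When `status` > 0, a record is also closed once `status` seconds have
    elapsed since it started, producing intermediate status records.
    """
    open_recs: dict = {}
    out: list = []
    for f in sorted(flows, key=lambda x: x.start):
        cur = open_recs.get(f.key)
        if cur is not None:
            idle_gap = f.start - cur.end
            age = f.start - cur.start
            if idle_gap >= idle or (status > 0 and age >= status):
                out.append(cur)        # close the record: idle expired or status interval hit
                cur = None
        if cur is None:
            open_recs[f.key] = Record(f.key, f.start, f.end, f.pkts)
        else:
            cur.end = max(cur.end, f.end)
            cur.pkts += f.pkts
    out.extend(open_recs.values())     # flush records still open at end of input
    return sorted(out, key=lambda r: r.start)


# Constructed sample input: f1 and f2 share a key; f1 ends and f2 starts at the
# times quoted in the thread (idle gap of about 141.5 s). A third flow on a
# different key shows that aggregation is per key.
KEY_A = ("172.31.0.10", 45000, "172.31.0.20", 80)
KEY_B = ("172.31.0.11", 45001, "172.31.0.20", 80)
SAMPLE = [
    Flow(KEY_A, hms("15:05:00.000000"), hms("15:09:30.971092"), 8),   # f1
    Flow(KEY_A, hms("15:11:52.493899"), hms("15:13:00.000000"), 4),   # f2
    Flow(KEY_B, hms("15:05:10.000000"), hms("15:05:20.000000"), 2),
]


def idle_gap_seconds() -> float:
    """Seconds between the end of f1 and the start of f2 from the thread."""
    return hms("15:11:52.493899") - hms("15:09:30.971092")


if __name__ == "__main__":
    print(f"idle gap f1 -> f2: {idle_gap_seconds():.3f} s")
    for label, kw in (("idle=300", dict(idle=300)),
                      ("idle=60", dict(idle=60)),
                      ("idle=300 status=60", dict(idle=300, status=60))):
        print(label, "->", len(cluster(SAMPLE, **kw)), "record(s)")
```

With idle=300 the two KEY_A flows become a single record (plus one for KEY_B); lowering idle below the gap, or setting a status timer of 60 s as Carter suggests, yields separate records for f1 and f2 while still honouring the 300 s idle time for the final close.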