differences between time machine and argus capturing payload

Harry Hoffman hhoffman at ip-solutions.net
Fri Apr 19 12:51:30 EDT 2013


Hi All,

So, I just got back from Educause SPC where the bro guys reminded me
about time machine (I hadn't looked at it in a really long time).

I decided to go today and have a read over it and from the description
I'm not sure that I can find the differences between time machine and
having argus store packet payload for a given N bytes.

From the website:
"Since it is not feasible to capture the complete load of a fully
utilized Gbps link to disk, the time machine utilizes a mechanism called
"connection cutoff" to reduce the amount of data to process. This
"connection cutoff" only records the first X bytes of every monitored
connection (identified via the 5-tuple of source and destination IP and
Port and the transport protocol). Indeed this approach does not
impair the analysis capabilities (unless the cutoff is set too low)
because most of the "interesting" data is located in the first few
packets of a connection. The efficiency of this approach comes from
leveraging the heavy-tailed nature of network traffic: because the bulk
of the traffic in high-volume streams comes from just a few connections."

Anyone using time machine and/or argus to do this and care to comment?

Cheers,
Harry
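The "connection cutoff" mechanism quoted above, as an added illustration that is not Time Machine or argus code: each connection is identified by its 5-tuple and only its first `cutoff` payload bytes are retained, with the packet that crosses the limit truncated and all later packets of that connection dropped. The packet trace is constructed (one long transfer plus a few short connections, mimicking the heavy-tailed mix the quote describes), and the bidirectional treatment of the 5-tuple is an assumption, since the quote does not say whether both directions share one budget.

```python
"""Connection cutoff over a constructed packet trace (added example,
not code from Time Machine or argus)."""
from collections import defaultdict

# A packet is (src_ip, src_port, dst_ip, dst_port, proto, payload).
# Constructed trace: one long HTTP-like transfer (1000 full-size data
# segments) plus a short DNS exchange and a single TLS ClientHello-sized
# packet, so that one connection carries almost all of the bytes.
TRACE = (
    [
        ("10.0.0.5", 40001, "192.0.2.10", 80, "tcp", b"GET /big HTTP/1.1\r\n\r\n"),
        ("192.0.2.10", 80, "10.0.0.5", 40001, "tcp", b"HTTP/1.1 200 OK\r\n\r\n"),
    ]
    + [("192.0.2.10", 80, "10.0.0.5", 40001, "tcp", b"X" * 1460) for _ in range(1000)]
    + [
        ("10.0.0.6", 53001, "192.0.2.53", 53, "udp", b"\x12\x34" + b"\x01" * 30),
        ("192.0.2.53", 53, "10.0.0.6", 53001, "udp", b"\x12\x34" + b"\x81" * 60),
        ("10.0.0.7", 40002, "192.0.2.10", 443, "tcp", b"\x16\x03\x01" + b"\x00" * 200),
    ]
)


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """5-tuple key. Assumption: both directions of a connection share one
    key (and therefore one byte budget), so the endpoints are ordered."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


def apply_cutoff(trace, cutoff):
    """Apply connection cutoff to a packet trace.

    Returns (retained_packets, stats). Every connection keeps at most
    `cutoff` payload bytes: the packet crossing the limit is truncated to
    the remaining budget and later packets of that connection are dropped.
    """
    seen = defaultdict(int)  # bytes already recorded per connection
    retained = []
    bytes_in = bytes_out = 0
    for src_ip, src_port, dst_ip, dst_port, proto, payload in trace:
        bytes_in += len(payload)
        key = flow_key(src_ip, src_port, dst_ip, dst_port, proto)
        budget = cutoff - seen[key]
        if budget <= 0:
            continue  # connection already cut off: drop the packet
        kept = payload[:budget]  # truncate if this packet crosses the limit
        seen[key] += len(kept)
        bytes_out += len(kept)
        retained.append((src_ip, src_port, dst_ip, dst_port, proto, kept))
    stats = {
        "connections": len(seen),
        "bytes_in": bytes_in,
        "bytes_out": bytes_out,
        "reduction": 1.0 - bytes_out / bytes_in if bytes_in else 0.0,
    }
    return retained, stats


if __name__ == "__main__":
    kept, stats = apply_cutoff(TRACE, cutoff=10_000)
    print(f"retained {len(kept)} of {len(TRACE)} packets")
    print(f"{stats['bytes_in']} bytes in, {stats['bytes_out']} bytes out, "
          f"{stats['reduction']:.1%} reduction across {stats['connections']} connections")
```

With a 10,000-byte cutoff the two small connections survive untouched while the large transfer is capped after its request, response header and a few data segments, which is exactly the trade the quote describes: the bytes that are dropped come almost entirely from the one heavy connection. Whether that cap is "set too low" depends on what the analysis needs to see, e.g. a 10 kB cutoff keeps a full HTTP request and response header but not a file body.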


