Effects of racluster()
Carter Bullard
carter at qosient.com
Mon Apr 22 11:32:01 EDT 2013
Hey Dave,
By default, racluster() adds the srcid to the 5-tuple key fields, to create
its aggregation key model. If you specify the key model, and don't include
the srcid, then there are possibilities for you to merge records together from
different observation domains.
The single routine that merges two argus records together, ArgusMergeRecords(),
is in the file ./common/argus_client.c. This routine merges records on a DSR basis,
and the srcid field is in the ARGUS_TRANSPORT_DSR, which has a source id and
a sequence number. If the srcids are compatible and not equal, we should throw
the ARGUS_TRANSPORT_DSR away, so that there isn't a srcid any longer.
When you merge records together that have user data, we concatenate the
user data until we reach the user data limit defined by the originating argus.
The ARGUS_USERDATA_DSR has the number of bytes captured, and the
maximum number of bytes allowed by the srcid. This is more because of how
user data buffers are created and copied. We can add a rarc variable if you
want to override that value. Currently the physical limit is 32K for user data
storage per argus record.
Carter
On Apr 22, 2013, at 8:37 AM, "Dave Edelman" <dedelman at iname.com> wrote:
> In general, I do have srcid set in my flow records. If I do not use srcid as
> a key for racluster, which srcid is retained if I have simultaneous flow
> records with the same keys (asymmetrical routing) that are then aggregated
> into a single record?
>
> What is aggregated for suser and duser in racluster output when flow records
> are aggregated and my normal setting of a 2048 byte limit is exceeded?
>
> --Dave
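An added model of the merge behaviour Carter describes, written for this archive page and not code from argus or the argus-clients tree: records are keyed on the 5-tuple plus srcid by default, the srcid is thrown away when two records with different srcids merge, and user data is concatenated up to the originating limit. The field names, the sensor ids and the rule that the surviving record's limit governs the concatenation are assumptions.

```python
# Added model (not argus code) of the racluster() merge behaviour described above:
# a cut-down argus record (5-tuple, srcid from ARGUS_TRANSPORT_DSR, user data).
from dataclasses import dataclass
from typing import Optional

FIVE_TUPLE = ("saddr", "daddr", "proto", "sport", "dport")
DEFAULT_MODEL = ("srcid",) + FIVE_TUPLE   # racluster's default key model
PHYSICAL_LIMIT = 32 * 1024                # per-record user data storage cap

@dataclass
class Record:
    saddr: str
    daddr: str
    proto: str
    sport: int
    dport: int
    srcid: Optional[str]       # None means the transport DSR was dropped
    suser: bytes = b""
    duser: bytes = b""
    user_limit: int = 2048     # max user bytes allowed by the originating argus

def agg_key(rec: Record, model) -> tuple:
    """Aggregation key: the record's values for the model's fields, in order."""
    return tuple(getattr(rec, f) for f in model)

def merge(a: Record, b: Record) -> Record:
    """Merge b into a the way ArgusMergeRecords() merges on a DSR basis."""
    if a.srcid != b.srcid:
        a.srcid = None         # srcids differ: throw ARGUS_TRANSPORT_DSR away
    # Assumption: the surviving record's limit governs the concatenation.
    limit = min(a.user_limit, PHYSICAL_LIMIT)
    a.suser = (a.suser + b.suser)[:limit]
    a.duser = (a.duser + b.duser)[:limit]
    return a

def racluster(records, model=DEFAULT_MODEL) -> list:
    """Aggregate records sharing a key; the first record of each key survives."""
    table = {}
    for r in records:
        k = agg_key(r, model)
        table[k] = merge(table[k], r) if k in table else r
    return list(table.values())

def sample_records() -> list:
    """Constructed input: one flow seen by two sensors (asymmetric routing)."""
    flow = dict(saddr="10.0.0.5", daddr="10.0.1.9", proto="tcp", sport=40000, dport=443)
    return [Record(**flow, srcid="sensor-a", suser=b"A" * 1500),
            Record(**flow, srcid="sensor-b", suser=b"B" * 1500)]
```

With the default model the two sensor records stay separate; with `model=FIVE_TUPLE` they collapse into one record whose srcid is gone and whose suser is clipped at the 2048-byte limit.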