The direction field

Craig Merchant cmerchant at responsys.com
Mon Jun 10 15:18:51 EDT 2013


Carter, thanks for such a thorough reply to my last post.  I haven't had a chance to digest it all yet, but I certainly will.

I have a question about the direction field.  I saw an older post from November of last year about how the NetFlow protocol can make it hard for Argus to determine direction because the unidirectional flow records can appear in reverse order with the same timestamp.

Are there any similar issues impacting traffic sniffed from the wire?  We use rastream to collect our data:

/usr/local/bin/rastream -S 10.230.174.40:561 -M time 5m -B 10s -w /ssd/argus/%s.argus -f /usr/local/argus/rastream.sh

The rastream.sh script launches multiple instances of racluster and then eventually a saved search in Splunk to index the output of racluster.

I'm seeing something like 60% of my flows with a direction of "<?>" or "?>" (virtually all of them on TCP traffic).  I've run tools to analyze the pf_ring DNA/libzero drivers and the packet loss on the 10g link is pretty minimal.  I'm just trying to understand why Argus is having difficulties figuring out the direction of those flows.  I'm also not clear on what the "?>" and "<?" signify for the direction.

Thanks!

Craig

