concept of flow in Argus

Rahimeh Khodadadi rahimeh.khodadadi at gmail.com
Tue Dec 23 11:18:48 EST 2014


Hello,

Thanks for all your great help.

On Tue, Dec 23, 2014 at 7:42 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Rahimeh,
> The wikipedia article 'Traffic flow (computer networking)' is overly
> simple, and could be improved.
>
> Neither RFC 2722, 3697 nor 3917 provide reasonable definitions of traffic
> flow. Traffic flows don't have to be uni-directional, they don't have to be
> originated/labeled by a specific source, i.e. aggregate flows between CIDR
> addresses, nor are flows just related to network activity at the transport
> level (TCP/UDP) or the network level (IP), as you can have flows within and
> across any level of the OSI stack.
>
> For some private networks, where destination addresses are not host
> identifiers, but rather anycast identifiers for services, or where
> addresses are abstract GUIDs used for large distributed index systems,
> flows are really a constraint imposed by the equipment that processes the
> traffic.  The entire SDN (software defined network) effort is designed to
> give you the ability to extend the concept of network flow to whatever
> you need it to be, to get the job done.
>
> Argus has 14 abstract flow models that it uses to classify packets into
> flows.  We have 3, 4, 5, 6 and 7-tuple flows for specific protocols, we have
> flows that include identifiers from many layers of the OSI stack, plus, we
> have a number of P1/P2 flows, where the packet identifiers (src, dst,
> proto, ports) are not the same.  P1/P2 flows are critical for tracking
> multicast request, unicast response flows such as DHCP or ARP, as
> examples, or for tracking traffic flow status when ICMP packets are
> generated by the network or the end system.
>
> I don't think Argus can be wrong, it just has its own way of defining
> network traffic flow.  But, if it's important, you can configure Argus to
> generate flow data that conforms to any of the RFC definitions of flow.  I,
> personally, haven't found those definitions to be very helpful when trying
> to do something, like catch bad guys, or fix the network.
>
> Hope this is helpful !!!
>
> Carter
>
>
> > On Dec 22, 2014, at 5:37 PM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
> >
> > Hi,
> > I have a question about flow generation by Argus.
> > In Wikipedia it has been written that "All packets with the same source
> address/port and destination address/port within a time period are
> considered as one flow."
> >
> > On the contrary, in Argus it is not so, because of its features such as
> sbytes, dbytes, total bytes; does it mean that network flow in Argus is done
> in 2 ways???
> >
> > Is Argus wrong?
> >
> >
> > Thanks in advance,
> > Rahimeh
>
>
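The difference the thread is about, written out as a small Python example that is added here and is not Argus code or part of the original post: the same constructed packet list is keyed once the Wikipedia way (each direction its own 5-tuple flow) and once the bidirectional way, where the reverse tuple folds into one record carrying separate sbytes/dbytes counters like the Argus fields Rahimeh names. The packet records, addresses and the `bidirectional_flows` / `unidirectional_flows` functions are all assumptions for illustration; the bidirectional matcher is a simplified stand-in, not any of Argus's 14 flow models.

```python
from collections import defaultdict

# Constructed sample packets (not captured from any real network):
# (src, sport, dst, dport, proto, length_in_bytes), in arrival order.
HTTP_PACKETS = [
    ("10.0.0.5", 51000, "192.0.2.10", 80, "tcp", 74),    # SYN
    ("192.0.2.10", 80, "10.0.0.5", 51000, "tcp", 74),    # SYN/ACK
    ("10.0.0.5", 51000, "192.0.2.10", 80, "tcp", 66),    # ACK
    ("10.0.0.5", 51000, "192.0.2.10", 80, "tcp", 300),   # request
    ("192.0.2.10", 80, "10.0.0.5", 51000, "tcp", 1500),  # response
    ("192.0.2.10", 80, "10.0.0.5", 51000, "tcp", 900),   # response
    ("10.0.0.5", 51000, "192.0.2.10", 80, "tcp", 66),    # ACK
]

# Constructed "broadcast request, unicast response" exchange: a DHCP
# DISCOVER goes to the broadcast address, the OFFER comes back unicast to
# the offered address, so the reverse 5-tuple never matches the request.
DHCP_PACKETS = [
    ("0.0.0.0", 68, "255.255.255.255", 67, "udp", 342),  # DISCOVER
    ("192.0.2.1", 67, "192.0.2.50", 68, "udp", 328),     # OFFER
]


def unidirectional_flows(packets):
    """Wikipedia-style flows: one record per (proto, src, sport, dst, dport).
    Each direction of a conversation becomes its own flow."""
    flows = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for src, sport, dst, dport, proto, length in packets:
        rec = flows[(proto, src, sport, dst, dport)]
        rec["pkts"] += 1
        rec["bytes"] += length
    return dict(flows)


def bidirectional_flows(packets):
    """Simplified bidirectional flows (hypothetical, not Argus's algorithm):
    the first packet seen defines the 'src' side; a packet whose tuple is the
    exact reverse joins the same record and is counted on the 'dst' side.
    Returns {(proto, src, sport, dst, dport): {spkts, dpkts, sbytes, dbytes}}."""
    flows = {}
    for src, sport, dst, dport, proto, length in packets:
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        if fwd in flows:
            rec, side = flows[fwd], "s"
        elif rev in flows:
            rec, side = flows[rev], "d"
        else:
            rec = flows[fwd] = {"spkts": 0, "dpkts": 0, "sbytes": 0, "dbytes": 0}
            side = "s"
        rec[side + "pkts"] += 1
        rec[side + "bytes"] += length
    return flows


def total_bytes(rec):
    """Sum of both directions, the 'total bytes' view beside sbytes/dbytes."""
    return rec["sbytes"] + rec["dbytes"]


if __name__ == "__main__":
    print("unidirectional:", unidirectional_flows(HTTP_PACKETS))
    for key, rec in bidirectional_flows(HTTP_PACKETS).items():
        print("bidirectional:", key, rec, "total", total_bytes(rec))
    # Plain reverse-tuple matching leaves the DHCP exchange as two records;
    # that gap is what the P1/P2 models in the thread are for.
    print("dhcp records:", len(bidirectional_flows(DHCP_PACKETS)))
```

Run on the HTTP packets, the unidirectional keying yields two flows (4 packets / 506 bytes client to server, 3 packets / 2474 bytes back), while the bidirectional keying yields one flow with sbytes 506, dbytes 2474 and 2980 total. The DHCP pair stays split under strict reverse-tuple matching, which is the case Carter's P1/P2 flow models handle differently; how Argus resolves it is not reproduced here.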