Argus concatenates flows that have the same 5-tuple

David Edelman dedelman at iname.com
Tue Jul 8 22:48:34 EDT 2014


Are you saying that this is an unreliable connection (e.g. UDP or ICMP, as
compared with TCP) and there is no indication of session termination (FIN/ACK,
FIN/ACK)? If so, what is the amount of time between the system shutdown and
the subsequent restart and reconnect?
 
If this is TCP, then I would expect that Argus would see the FIN/ACK -
FIN/ACK sequence and stop the aggregation correctly.
 
--Dave
 
 
 
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
Behalf Of New Ever
Sent: Tuesday, July 08, 2014 7:18 PM
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] Argus concatenates flows that have the same 5-tuple
 
Hi,
 
Assume a PC with a certain IP connects to a server ==> TCP flow record 1.
Then the PC is shut down, started up again after some time, and connects again
to the server ==> TCP flow record 2.
Due to source port reuse, ra/racluster aggregate the two records into one
record, making errors in all Argus fields, especially Endtime and rate.
 
How can I force ra to separate the two records?
 
Thanks
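As an added illustration of the behaviour discussed in this thread (this is example code, not code from Argus, racluster, or either poster), the Python sketch below aggregates flow records by 5-tuple but opens a new aggregate when the previous record already showed a FIN/ACK teardown, or when the idle gap to the next record exceeds a timeout, which is the separation Dave's reply describes. The record layout, the field names, the state strings, the idle timeout and the sample flows are all constructed for the example; the sample reproduces the reboot scenario from the question, where the same source port is reused about half an hour later.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass
class Flow:
    """One flow status record (constructed layout, not Argus's own format)."""
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    start: float   # epoch seconds of the first packet seen in this record
    last: float    # epoch seconds of the last packet seen in this record
    pkts: int
    bytes: int
    state: str     # assumed state marker: "FIN" if a teardown was observed, else "CON"

    def key(self) -> Tuple[str, str, int, str, int]:
        return (self.proto, self.saddr, self.sport, self.daddr, self.dport)


def aggregate(flows: List[Flow], idle_timeout: float = 120.0,
              honor_fin: bool = True) -> List[Flow]:
    """Merge records sharing a 5-tuple, in time order.

    A new aggregate is started when the open aggregate already ended with a
    FIN teardown (if honor_fin) or when the gap since its last packet exceeds
    idle_timeout. With honor_fin=False and an infinite timeout this degrades
    to the naive "same 5-tuple means same connection" merge from the question.
    """
    result: List[Flow] = []
    open_idx: Dict[Tuple[str, str, int, str, int], int] = {}  # 5-tuple -> index in result
    for f in sorted(flows, key=lambda x: x.start):
        idx = open_idx.get(f.key())
        if idx is not None:
            cur = result[idx]
            torn_down = honor_fin and cur.state == "FIN"
            gap = f.start - cur.last
            if not torn_down and gap <= idle_timeout:
                cur.last = max(cur.last, f.last)
                cur.pkts += f.pkts
                cur.bytes += f.bytes
                cur.state = f.state
                continue
        # First sighting, connection already closed, or idle too long: new record.
        result.append(replace(f))
        open_idx[f.key()] = len(result) - 1
    return result


def duration(f: Flow) -> float:
    """Seconds between first and last packet of an (aggregated) record."""
    return f.last - f.start


# Constructed sample: two status records of one short TLS session ending in a
# FIN, then a reconnect ~30 minutes later that reuses the same source port.
SAMPLE_FLOWS = [
    Flow("tcp", "10.0.0.5", 51234, "10.0.0.1", 443, 1404864000.0, 1404864005.0, 12, 4000, "CON"),
    Flow("tcp", "10.0.0.5", 51234, "10.0.0.1", 443, 1404864005.0, 1404864030.0, 40, 20000, "FIN"),
    Flow("tcp", "10.0.0.5", 51234, "10.0.0.1", 443, 1404865800.0, 1404865830.0, 30, 15000, "FIN"),
]

if __name__ == "__main__":
    for label, recs in (("teardown/idle aware", aggregate(SAMPLE_FLOWS)),
                        ("naive 5-tuple merge", aggregate(SAMPLE_FLOWS, float("inf"), False))):
        print(label)
        for r in recs:
            print(f"  {r.saddr}:{r.sport} -> {r.daddr}:{r.dport} "
                  f"dur={duration(r):.0f}s pkts={r.pkts} state={r.state}")
```

The naive merge yields one record whose duration spans the whole reboot gap, which is exactly how the end time and rate fields get distorted; the teardown/idle-aware merge keeps the two sessions apart while still folding the two status records of the first session into one.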