Argus concatenates flows that have the same 5-tuple

Carter Bullard carter at qosient.com
Wed Jul 9 09:26:11 EDT 2014


If the server is reusing the ports, then by default if
you racluster data across boots, it will aggregate them.

You can use the racluster.conf file to specify idle times if that is
how you want to specify how the flows are different.

You can use rabins, instead of racluster, and control the scope of the
aggregation, say hourly, or daily.

If there are flows that are specific to the reboot, you can use the
flow splitmode of rasplit() to segment the data for aggregation.

Something like
   rasplit -M flow "arp and src host ip.addr.of.host and dst host ip.addr.of.host"

This will split the records between the host ARP'ing for its own address, which
is a decent indication of a reboot.

Carter


On Jul 8, 2014, at 7:18 PM, New Ever <new44ever at yahoo.com> wrote:

> Hi,
> 
> Assume a PC with a certain IP connects to a server ==> TCP flow record 1
> then the PC is shut down and started up again after some time and connects again to the server ==> TCP flow record 2
> Due to the source port reuse, ra/racluster aggregate the two records into one record, making errors in all Argus fields, especially Endtime and rate
> 
> How can I force ra to separate the two records?
> 
> Thanks
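The behaviour discussed in this thread, as an added illustration in Python. This is not Argus code and not Carter's; it models 5-tuple aggregation the way the question describes it, then shows the two separations the reply proposes: an idle time (standing in for an idle time set in racluster.conf) and a split at the record where the host ARPs for its own address (standing in for `rasplit -M flow` with the ARP filter). Host addresses, ports, timestamps and byte counts are constructed; `Rec`, `cluster`, `is_boot_marker` and `tcp_flows` are hypothetical names, and rabins-style time binning is not modelled.

```python
"""Added illustration (not Argus code): same-5-tuple records from before and
after a host reboot collapse into one flow, and the two ways the reply above
separates them: an idle timeout, or splitting at the gratuitous ARP that marks
the reboot.  All sample data below is constructed."""
from dataclasses import dataclass, replace


@dataclass
class Rec:
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    stime: float          # start time, seconds since epoch (constructed)
    ltime: float          # last time
    bytes: int = 0

    @property
    def key(self):
        """The 5-tuple that default aggregation keys on."""
        return (self.proto, self.saddr, self.sport, self.daddr, self.dport)

    @property
    def dur(self):
        return self.ltime - self.stime

    @property
    def rate(self):
        """Bytes per second over the flow's lifetime (0 if instantaneous)."""
        return self.bytes / self.dur if self.dur > 0 else 0.0


HOST = "10.0.0.5"      # hypothetical PC
SERVER = "10.0.0.1"    # hypothetical server
T0 = 1_404_892_800.0   # 2014-07-09 08:00 UTC, hypothetical

# Constructed records: the PC talks to the server from 08:00 to 08:05,
# reboots (it ARPs for its own address at 09:30), then reuses the same
# source port against the same server from 10:00 to 10:02.
RECORDS = [
    Rec("tcp", HOST, 49152, SERVER, 443, T0, T0 + 300, 300_000),
    Rec("arp", HOST, 0, HOST, 0, T0 + 5400, T0 + 5400, 42),
    Rec("tcp", HOST, 49152, SERVER, 443, T0 + 7200, T0 + 7320, 120_000),
]


def is_boot_marker(rec: Rec) -> bool:
    """Same selection as the filter 'arp and src host H and dst host H'."""
    return rec.proto == "arp" and rec.saddr == HOST and rec.daddr == HOST


def cluster(records, idle=None, split_at_boot=False):
    """Merge records that share a 5-tuple, as default aggregation does.

    idle: close an open flow when the gap to the next matching record
          exceeds this many seconds (the role of an idle time in
          racluster.conf).
    split_at_boot: close every open flow when a boot marker is seen
          (the effect of segmenting the data at the ARP record first).
    """
    out, open_flows = [], {}
    for rec in sorted(records, key=lambda r: r.stime):
        if is_boot_marker(rec):
            if split_at_boot:
                out.extend(open_flows.values())
                open_flows.clear()
            out.append(rec)            # ARP records pass through unmerged
            continue
        cur = open_flows.get(rec.key)
        if cur is not None and idle is not None and rec.stime - cur.ltime > idle:
            out.append(cur)            # idle too long: report and start anew
            cur = None
        if cur is None:
            open_flows[rec.key] = replace(rec)   # copy, leave input intact
        else:
            cur.ltime = max(cur.ltime, rec.ltime)
            cur.bytes += rec.bytes
    out.extend(open_flows.values())
    return sorted(out, key=lambda r: r.stime)


def tcp_flows(flows):
    return [f for f in flows if f.proto == "tcp"]


if __name__ == "__main__":
    for label, kw in (("default", {}), ("idle=3600", {"idle": 3600}),
                      ("split at boot", {"split_at_boot": True})):
        print(label)
        for f in tcp_flows(cluster(RECORDS, **kw)):
            print(f"  dur={f.dur:7.0f}s bytes={f.bytes:7d} rate={f.rate:8.1f} B/s")
```

With default aggregation the two connections become one flow lasting 7320 s at about 57 B/s, which is the corrupted duration and rate the question complains about; with an idle limit shorter than the 6900 s gap, or a split at the boot marker, they stay two flows of 300 s and 120 s, each at 1000 B/s.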
