Argus concatenates flows that have the same 5-tuple

Andrews Carl 448 Carl.Andrews at crackerbarrel.com
Wed Jul 9 09:27:51 EDT 2014


unsubscribe

________________________________
From: argus-info-bounces+carl.andrews=crackerbarrel.com at lists.andrew.cmu.edu On Behalf Of Carter Bullard
Sent: Wednesday, July 09, 2014 8:26 AM
To: New Ever
Cc: Argus
Subject: Re: [ARGUS] Argus concatenates flows that have the same 5-tuple

If the server is reusing the ports, then by default if
you racluster data across boots, it will aggregate them.

You can use the racluster.conf file to specify idle times if that is
how you want to specify how the flows are different.

You can use rabins, instead of racluster, and control the scope of the
aggregation, say hourly, or daily.

If there are flows that are specific to the reboot, you can use the
flow splitmode of rasplit() to segment the data for aggregation.

Something like
   rasplit -M flow "arp and src host ip.addr.of.host and dst host ip.addr.of.host"

This will split the records between arp'ing for its own address, which
is a decent indication of a reboot.

Carter


On Jul 8, 2014, at 7:18 PM, New Ever <new44ever at yahoo.com> wrote:

Hi,

Assume a PC with a certain IP connects to a server ==> TCP flow record 1
then the PC is shut down and started up again after some time and connects again to the server ==> TCP flow record 2
Due to the source port reuse, ra/racluster aggregates the two records into one record, making errors in all Argus fields, especially Endtime and rate

How can I force ra to separate the two records?

Thanks
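The following is an added illustration of the idle-time split Carter describes, written here to make the problem concrete; it is constructed example code, not Argus's own racluster implementation, and the "idle" semantics (a new record whenever the gap since the cluster's last-seen time exceeds the threshold) are an assumption about how such a threshold behaves, not a description of racluster.conf syntax. The flow records are constructed, not real Argus output.

```python
"""Added example: 5-tuple flow aggregation with an optional idle gap cut.

Two TCP connections from the same client port to the same server, separated
by a reboot, share a 5-tuple.  Merging purely on the 5-tuple yields one record
with an inflated duration and a diluted packet rate; cutting the cluster when
the idle gap exceeds a threshold keeps the two connections as separate records.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# proto, saddr, sport, daddr, dport
Key = Tuple[str, str, int, str, int]


@dataclass
class Flow:
    stime: float   # first packet time, epoch seconds
    ltime: float   # last packet time, epoch seconds
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    pkts: int
    bytes: int

    @property
    def key(self) -> Key:
        return (self.proto, self.saddr, self.sport, self.daddr, self.dport)

    @property
    def dur(self) -> float:
        return self.ltime - self.stime

    @property
    def rate(self) -> float:
        """Packets per second over the record's lifetime."""
        return self.pkts / self.dur if self.dur > 0 else float(self.pkts)


def merge(a: Flow, b: Flow) -> Flow:
    """Combine two records of the same 5-tuple into one summary record."""
    return Flow(min(a.stime, b.stime), max(a.ltime, b.ltime),
                a.proto, a.saddr, a.sport, a.daddr, a.dport,
                a.pkts + b.pkts, a.bytes + b.bytes)


def aggregate(flows: List[Flow], idle: Optional[float] = None) -> List[Flow]:
    """Cluster records sharing a 5-tuple, in start-time order.

    With idle=None every record of a 5-tuple is merged into one cluster.
    With idle set (seconds), a record whose start lies more than idle seconds
    after the cluster's last-seen time closes that cluster and opens a new one.
    (Assumed semantics for illustration; not a statement about racluster.)
    """
    open_clusters: Dict[Key, Flow] = {}
    closed: List[Flow] = []
    for f in sorted(flows, key=lambda x: x.stime):
        cur = open_clusters.get(f.key)
        if cur is not None and (idle is None or f.stime - cur.ltime <= idle):
            open_clusters[f.key] = merge(cur, f)
        else:
            if cur is not None:
                closed.append(cur)
            open_clusters[f.key] = f
    closed.extend(open_clusters.values())
    return sorted(closed, key=lambda x: x.stime)


# Constructed sample: connection 1 is reported as two consecutive status
# records (1000-1005, 1005-1010); the host reboots, then connection 2 reuses
# source port 51234 an hour later (4600-4605).
SAMPLE = [
    Flow(1000.0, 1005.0, "tcp", "10.0.0.5", 51234, "10.0.0.80", 443, 6, 900),
    Flow(1005.0, 1010.0, "tcp", "10.0.0.5", 51234, "10.0.0.80", 443, 4, 600),
    Flow(4600.0, 4605.0, "tcp", "10.0.0.5", 51234, "10.0.0.80", 443, 10, 1500),
]


def describe(flows: List[Flow]) -> List[str]:
    return [f"{f.stime:.0f}-{f.ltime:.0f} pkts={f.pkts} dur={f.dur:.0f}s "
            f"rate={f.rate:.4f} pkt/s" for f in flows]


if __name__ == "__main__":
    print("no idle cut:   ", describe(aggregate(SAMPLE)))
    print("idle cut 60s:  ", describe(aggregate(SAMPLE, idle=60)))
```

Without the idle cut the single merged record spans 3605 seconds with 20 packets (rate about 0.0055 pkt/s), which is the Endtime and rate distortion the question describes; with a 60-second idle cut the two connections come out as separate records with their own durations and rates.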
