Argus concatenates flows that have the same 5-tuple

Carter Bullard carter at qosient.com
Wed Jul 9 19:27:19 EDT 2014 

Use argus-3.0.8 release candidates.  They are stable enough for production.

   http://qosient.com/argus/dev/argus-latest.tar.gz
   http://qosient.com/argus/dev/argus-clients-latest.tar.gz

Carter

On Jul 9, 2014, at 7:13 PM, New Ever <new44ever at yahoo.com> wrote:

> Thanks Carter,
> 
> I try your solution and I edit racluster.conf and add [filter="tcp or udp"    model="saddr daddr proto dport"             status=30  idle=120], but I get syntax error.
> 
> I use argus-3.0.6, and argus-clients-3.0.6
> 
> 
> On Wednesday, July 9, 2014 3:26 PM, Carter Bullard <carter at qosient.com> wrote:
> 
> 
> If the server is reusing the ports, then by default if
> you racluster data across boots, it will aggregate them.
> 
> You can use the racluster.conf file to specify idle times if that is
> how you want to specify how the flows are different.
> 
> You can use rabins, instead of racluster, and control the scope of the
> aggregation, say hourly, or daily.
> 
> If there are flows that are specific to the reboot, you can use the
> flow splitmode of rasplit() to segment the data for aggregation.
> 
> Something like
>    rasplit -M flow “arp and src host ip.addr.of.host and dst host ip.addr.of.host”
> 
> This will split the records between arp’ing for its own address, which
> is decent indication of a reboot.
> 
> Carter
> 
> 
> On Jul 8, 2014, at 7:18 PM, New Ever <new44ever at yahoo.com> wrote:
> 
>> Hi,
>> 
>> Assume a PC with certain IP connects to a server ==> TCP flow record 1
>> then the PC is shutdown and start up again after some time and connect again to the server ==> TCP flow record 2
>> Due to the source port reuse, ra/racluster aggregate the two record in one record making error in all Argus field specially Endtime and rate
>> 
>> How I can force ra to separate between the two record?
>> 
>> Thanks
> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140709/04307552/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140709/04307552/attachment.sig>

More information about the argus mailing list