racluster 3.0.6 vs 3.0.8 default aggregation?

Patrick Forsberg via Argus-info argus-info at lists.andrew.cmu.edu
Tue Dec 20 04:31:58 EST 2016


Hi,

I'm going nuts over aggregation in 3.0.6 and 3.0.8 and realize that I obviously haven't understood a thing.

Given a simple UDP flow between two hosts
# ra -X -r /tmp/ratest 
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State 
   09:04:56.941624  e           udp          100.0.1.1.42461     ->          100.0.2.1.59307         1         77   INT
   09:04:57.064776  e           udp          100.0.2.1.59307     ->          100.0.1.1.42461         1         62   INT

Simply running racluster with no configuration files (-X) gives different results on 3.0.6 and 3.0.8

#  /usr/local/src/Argus/argus-clients-3.0.6/bin/racluster -X -s+trans -r /tmp/ratest
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
   09:04:56.941624  e           udp          100.0.1.1.42461    <->          100.0.2.1.59307         2        139   CON      2

#  /usr/local/src/Argus/argus-clients-3.0.8/bin/racluster -X -s+trans -r /tmp/ratest
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
   09:04:56.941624  e           udp          100.0.1.1.42461     ->          100.0.2.1.59307         1         77   INT      1
   09:04:57.064776  e           udp          100.0.2.1.59307     ->          100.0.1.1.42461         1         62   INT      1

It seems that 3.0.6 has the "expected behavior" for me.

Running 3.0.8 with "-M correct" gives the same result as for 3.0.6

#  /usr/local/src/Argus/argus-clients-3.0.8/bin/racluster -X -M correct -s+trans -r /tmp/ratest
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
   09:04:56.941624  e           udp          100.0.1.1.42461    <->          100.0.2.1.59307         2        139   CON      2

This implies that 3.0.8 doesn't use the classic 5-tuple (what is the classic 5-tuple by the way?) and I thought I was on to something until I tried

#  /usr/local/src/Argus/argus-clients-3.0.8/bin/racluster -X -m saddr daddr sport dport -M correct -s+trans -r /tmp/ratest
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
   09:04:56.941624  e           udp          100.0.1.1.42461     ->          100.0.2.1.59307         1         77   INT      1
   09:04:57.064776  e           udp          100.0.2.1.59307     ->          100.0.1.1.42461         1         62   INT      1

Now all of a sudden "-M correct" doesn't seem to help in aggregating the records.

What am I missing here?

/Patrick
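As an added illustration (not from the post or from the argus-clients code), a small Python model of the two aggregation keys the outputs above suggest: a directional 5-tuple that keeps A->B and B->A apart, and a canonicalised key that merges them into one bidirectional record. The record layout, the direction flag and the "trans" counter are assumptions of this model, not racluster's internals.

```python
from collections import OrderedDict

# Constructed sample: the two unidirectional UDP records shown in the post
# (proto, saddr, sport, daddr, dport, pkts, bytes)
RECORDS = [
    ("udp", "100.0.1.1", 42461, "100.0.2.1", 59307, 1, 77),
    ("udp", "100.0.2.1", 59307, "100.0.1.1", 42461, 1, 62),
]

def directional_key(rec):
    """Key on the 5-tuple exactly as seen: A->B and B->A stay separate."""
    proto, sa, sp, da, dp, _, _ = rec
    return (proto, sa, sp, da, dp)

def bidirectional_key(rec):
    """Canonicalise the endpoints so A->B and B->A map to the same key.
    Sorting the two (addr, port) pairs is this model's choice, not racluster's."""
    proto, sa, sp, da, dp, _, _ = rec
    first, second = sorted([(sa, sp), (da, dp)])
    return (proto,) + first + second

def aggregate(records, keyfn):
    """Merge records sharing a key; mark a key '<->' once both directions are seen."""
    out = OrderedDict()
    for rec in records:
        key = keyfn(rec)
        agg = out.setdefault(key, {"pkts": 0, "bytes": 0, "trans": 0, "dir": "->"})
        agg["pkts"] += rec[5]
        agg["bytes"] += rec[6]
        agg["trans"] += 1          # number of input records merged (assumed meaning)
        # The record's source differs from the key's first endpoint only when
        # the key was canonicalised and this record flows the other way.
        if (rec[1], rec[2]) != (key[1], key[2]):
            agg["dir"] = "<->"
    return out

if __name__ == "__main__":
    for name, fn in (("directional", directional_key), ("bidirectional", bidirectional_key)):
        print(name)
        for key, agg in aggregate(RECORDS, fn).items():
            print("  ", key, agg)
```

Run stand-alone it prints two single-record keys for the directional case and one merged key (2 packets, 139 bytes, 2 trans, '<->') for the bidirectional case, mirroring the two outputs compared in the post.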
