[ARGUS] Question about merging flows (racluster) and effect of srcid

Carter Bullard carter at qosient.com
Sat Feb 13 09:17:28 EST 2021 

Yes … it seems that I may have to modify all the aggregators (rabins, ratop, racluster, etc) to get it right …
I’ll send you a tar ball, if you don’t mind, to test rather than send diffs in the mail …
Carter

> On Feb 12, 2021, at 10:37 AM, Patrick Forsberg <fors at chalmers.se> wrote:
> 
> On 2021-02-12 15:01, Carter Bullard wrote:
> 
>> Hey Patrick,
>> Here is a fix for the racluster issue … the mod set "rather than being clever as to when to do the reverse search, just do it anyway.”
>> So in racluster.c, remove the logic to set parser->ArgusReverse and replace with “parser->ArgusReverse = 1;”.  I provided a diff below.
>> 
>> With this change to ./clients/racluster.c , you’ll need to call it as you were:
>> 
>>   racluster -m saddr daddr proto sport sport -M correct -r the.two.files.out
>> 
>> And all should be good ...
>> Carter
> 
> Thanks, that fixed the command line vs config file discrepancy.
> But without rasort, the order of the input files still affects the
> apparent direction of the flow. I still have src/dst to tell me that
> it's probably wrong when the flow is src <- dst (unless it's a flow that
> started in a previous set of files)
> 
> I just might run rasort first, it just takes longer to finish
> aggregation that way.
> 
> /Patrick
> 
>> 
>> diff --git a/clients/racluster.c b/clients/racluster.c
>> index 506fdcd..1422236 100644
>> --- a/clients/racluster.c
>> +++ b/clients/racluster.c
>> @@ -129,10 +129,7 @@ ArgusClientInit (struct ArgusParserStruct *parser)
>>          }
>>       }
>> 
>> -      if ((parser->ArgusMaskList) == NULL)
>> -         parser->ArgusReverse = 1;
>> -      else
>> -         parser->ArgusReverse = 0;
>> +      parser->ArgusReverse = 1;
>> 
>>       if (parser->ArgusFlowModelFile) {
>>          if ((parser->ArgusAggregator = ArgusParseAggregator(parser, parser->ArgusFlowModelFile, NULL)) == NULL)
>> 
>> 
>> 
>>> On Feb 12, 2021, at 3:12 AM, Patrick Forsberg <fors at chalmers.se> wrote:
>>> 
>>> On 2021-02-11 22:07, Carter Bullard wrote:
>>> 
>>>> If you were to racluster this group with “-m saddr daddr proto sport
>>>> dport”  it should stitch them together correctly … regardless of sort ...
>>>> If not,  if you wanted to share just these 6 flow records, I’d be
>>>> happy to check it out …
>>>> Carter
>>>> 
>>>> 
>

More information about the argus mailing list