Provided by: argus-client_2.0.6.fixes.1-3_amd64 
NAME
ragator.conf - ragator flow model definitions.
COPYRIGHT
Copyright (c) 2000-2002 QoSient. All rights reserved.
SYNOPSIS
ragator.conf
DESCRIPTION
Programs that perform flexible aggregation of argus data, such as ragator(1) and radium(8), can be configured to aggregate using arbitrary flow models. This configuration file provides a syntax for flow matching and aggregation model assignments on a per flow basis, allowing for highly flexible aggregation strategies on a single argus stream. The configuration file is structured as a set of initialization variables, and then followed by a collection of flow descriptors and model definitions. The concept is that one identifies specific Argus Flow Activity Records through specification of an Argus flow descriptor matching statement.
OPTIONS
The aggregation clients have a small number of options for controlling specific aspects of aggregation
function and output.
RAGATOR_MODEL_NAME
Ragator configurations can be named. This is important for ra* aggregation pprograms that support
multiple concurrent models at a time, so you can tell them apart. This is completely optional.
RAGATOR_REPORT_AGGREGATION
Ragator, when it merges argus records together, adds a new aggregation metric to the resulting record,
which reports on the number of records that were merged together and provides some additional statistical
values that provide record arrival rates and mean record durations. By setting this option to "no", you
can have ragator() not provide this metric. This is useful when creating full-duplex records from half-
duplex merging operations.
RAGATOR_REPORT_AGGREGATION=yes
RAGATOR_PRESERVE_FIELDS
All aggregation clients have the ability to detect when a flow descriptor would not be modified during
the aggregation process. This is valuable information when attempting to discover trends. However, some
applications may want the resulting output to completely conform to the new flow definitions. In order
to force ragator() like programs to convert flow descriptions to the new flow model descriptors, set this
option to "no".
RAGATOR_PRESERVE_FIELDS=yes
RAGATOR_AUTOCORRECTION
When aggregating Argus records together, all aggregation clients have the ability to autocorrect the
assignment of flow initiator and receiver. This is important for processing Argus records derived from
Cisco Netflow style flow monitors, and for Argus records that were generated by long lived flows that
have extended idle periods. Because it is possible for ra* aggregation clients to receive half-duplex
flow records, or multiple flow records for the same long live flow, autocorrecting the argus records
allows the client aggregation process to match A -> B and B -> A records that belong to the same flow.
With certain flow aggregation models, however, the autocorrection logic can cause aggregation errors. As
a result, when providing custom aggregation models, autocorrection is disabled by default.
If you would like to re-enable the autocorrection function, set this variable to "yes";
RAGATOR_AUTOCORRECTION=no
AGGREGATION CONFIGURATION
Argus record flow descriptors are compared to the flow descriptor matching statements in sequential, or
"fall through", order, much like existing Access Control List definitions supported by routers, switches
and firewalls.
The matching statement references a flow model that is used to modify the flow description of each Argus
record. Records are aggregated based on the modified flow descriptor that results from applying the
flow model that is refererenced in the matching flow descriptor matching statement.
In each flow descriptor matching statement is a TimeOut period, which is how long the aggregator will
hold the flow cache before reporting it, and an IdleTimeOut period, which is how long the aggregation
process will hold the flow in its cache, if there is no activity.
If a record doesn't match any statement in the configuration, then it is aggregated based on its
unmodified flow descriptor. This aggregates flow reports from the same long lived flow.
ARGUS FLOW DESCRIPTOR MATCHING STATEMENT
An Argus flow matching statement specifies values for the network protocol, the network src and dst
addresses, the transport protocol, and for TCP and UDP, the src and dst port numbers.
The supported network protocol is "ip", which represents IPv4. This field specifies the type of the
other fields in the flow descriptor. Support for arp, dhcp and ipv6 are expected soon.
The address field can be names, dot '.' notation IPv4 addresses, or CIDR addresse, which are partial dot
'.' notation addresses with a significant field indicator, using either the ':' or '/' seperators.
Proto field can be any valid IP protocol number, or the keywords, found in the /etc/protocols file. For
systems that do not support /etc/protocols, ragator() understands 'tcp', 'udp', 'icmp', and 'igmp' tokens
on its own.
Port values for 'tcp' and 'udp' flow can be any valid key word in the /etc/services file, or, of course,
actual port numbers which are 16 bit values, between 0 and 65535 (0xFFFF).
When the protocol is 'icmp', the values after the Proto field are valid ICMP type and code values. Valid
icmp types are:
echo
unreach
srcquench
redirect
timexed
timestamp
info
address
Numbers can be specified in decimal or as hex with the 0x prefix.
ARGUS AGGREGATION MODEL SPECIFIERS
Argus flow matching statements reference a specific aggregation model specifier, which describes how the
flow descriptor will be modified prior to aggregation. This entry in the aggregation configuration,
specifies what values will be preserved in the flow descriptor, and how they should be modified.
When dealing with IP flows, the source and destination address fields can be modified using mask
descriptors. Protocol values and source and destination ports, however, are simply retained, by
specifying "yes", or discarded, by specifying "no".
There can be any number of aggregation model specifiers, but they must have a unique Model id number.
EXAMPLE
Here is a configuration that aggregates and reports individual transactions twice a day, but "forgets"
each transaction if it has been idle for a full 24 hours.
#label id SAddr DAddr Proto SPort DPort Model Duration Idle
Flow 100 ip * * * * * 200 21600 43200
#label id SAddrMask DAddrMask Proto SPort DPort
Model 200 ip 255.255.255.255 255.255.255.255 yes yes yes
The Flow descriptor matching statement 100 matches all Argus records, because all the flow descriptor
fields are wildcarded, using '*'. Each record will be modified using the Model 200 defintion, which
preserves all fields, and the resulting aggregate will be held for 21600 seconds, at which time it will
be reported.
While this type of configuration is not likely to aggregate many records, it will be very good at
aggregating long lived single flows, such as persistant ping sessions between hosts, which can generate a
lot of activity data. Since this may not be what you are really after, we'll present a more complex
example.
#label id SAddr DAddr Proto SPort DPort Model Duration Idle
Flow 100 ip * * icmp echo * 300 21600 43200
Flow 102 ip 10:24 10:24 tcp * 80 201 300 300
Flow 103 ip 10:24 * tcp * 80 230 300 300
Flow 104 ip * * tcp * 80 210 300 300
Flow 101 ip * * udp * domain 201 3600 300
Flow 105 ip * * * * * 241 120 300
#TCP and UDP Flow Model Definitions
#label id SAddrMask DAddrMask Proto SPort DPort
Model 201 ip 255.255.255.255 255.255.255.255 yes no yes
Model 210 ip 255.255.255.255 255.255.255.252 yes no yes
Model 230 ip 255.0.0.0 255.255.255.255 yes no yes
Model 241 ip 0.0.0.0 0.0.0.0 yes no yes
# ICMP Flow Model Definitions
#label id SAddrMask DAddrMask Proto Type Code
Model 300 ip 255.255.255.255 255.255.255.255 yes yes yes
Argus records are matched in falling order, so you will test all Argus records against flow 100, then
101, then 102, and finally 105. Flow Id numbers are used to report syntax errors in the configuration,
and they don't have to be unique.
This configuration is designed to track pings, the clients of tcp services and the server of udp based
DNS services. All other traffic is accounted for either by protocol or lumped together. Although not a
particularly useful configuration, it is an example of how to architecture your aggregation.
Flow 100 matches all icmp echo (ping) transactions, and indicates that ragator should use FlowModel 300
to aggregate the ping transactions. The aggregate should be held for 21600 seconds (6 hours) and then
reported.
Model 300 is designed to aggregate ICMP transactions without modification. The result will be that
ragator() will aggregate only echo transactions between the same machines. Very useful for tracking
generic connectivity failure between two machines that are pinging one or the other.
Flow 102 matches all destination port 80 tcp connections where the servers and clients are both in the 10
network, and aggregates them based on Model 201, holding the aggregate for 5 minutes and then reporting
them. This is an example an aggregation scheme that will report on HTTP sessions (clumps of TCP
connections that occur in a short time range) between individual clients and their servers.
Flow 103 then matches all destination port 80 tcp connections where the clients are from the 10 network.
Model 230 will track the class A address of the clients (net 10) and keep track of the individual remote
servers.
Flow 104 then matches all of the rest of the port 80 tcp connections, which should be connections into
net 10, from non-net 10 clients. Model 210 is designed to track the traffic to a set of 4 load balanced
HTTP servers. Model 210 is designed to track the clients of services, so the src address goes unmodified
(255.255.255.255), but the servers (dst address) are going to be modifed to represent a subset of the
class C network address (255.255.255.252). basically mask off the last 2 bits in the address. The
protocol value and the dst port (in this case the service port) will be preserved, but the src port is
removed, so the individual TCP connections can be matched.
Flow 102 tracks udp based DNS transactions, aggregating them based on Flow Model 201 and holding the
aggregate for an hour (3600 secs). This strategy reports the aggregate DNS transactions between each
client and server pair. To do this, the Flow Modeler preserves everything except the source port, which
changes on each DNS request.
All other traffic is aggregated based on Flow Model 241 and reported every 12 hours. Flow Model 241 is
designed to track just the protocol, so this will generate Argus Records that have bytes and packets for
TCP and UDP and the other protocols but it will not report the addresses. This can be useful.
SEE ALSO
ragator(1) 14 November 2001 RAGATOR.CONF(5)