Argus Flow reversal with ECRs ??

Russell Fulton r.fulton at
Thu Feb 17 15:52:12 EST 2000

On Thu, 17 Feb 2000 06:37:06 -0800 Carter Bullard 
<cbullard at> wrote:

>    The idea was/is that since Echo is a strick
> Request/Response protocol, we should be able to
> infer the correct Src/Dst relationship based on
> this protocol.  Argus does not care, it simply
> tracks based on the first packet seen in a flow.
> Ra() wants to correct the condition where the
> first packet seen was an Echo Reply.  Thats why
> the arrows are drawn in the wrong direction.

Sorry, I though I was saying that the way ra currently handles it is 
OK ;-) From your reply I get the impression that you think I'm still 
complaining <grin>.

I understand what ra is trying to do with its swapping addresses around 
and that's OK by me so long as the arrow and the packet counts 
correctly show the real direction of the packet.  In the version that I 
first tried this on this was not happening so it looked as if the 
packets were incoming when in fact they were not.  The version I got 
yesterday had it right.

>    A fix is to comment out line 675 from
> common/argus_parse.c.  This will remove the
> direction reversal that ra() is doing.  A better
> fix is to test whether there are pkt counts in
> both directions, and reverse the direction then.
> This would be condition where Argus didn't see
> the first Echo Request and started tracking a
> ping flow based on the first packet being an Echo
> Reply.

I think that the best possible solution is to not do the swap unless 
there are ECO packets in the other direction.  That way neophytes won't 
get confused.

Hmmm... what should argus do when it sees a TFN master talking to a 
zombie where (I think) you have a bidirectional flow of ECR?  Sigh...

My guess is that it should report the flow as bidirectional, direction 
based on first packet seen and labeled ECR to distinguish it from a 
normal PING stream.

This stuff gets real messy when trying to record traffic that does not 
follow protocol rules.  I think this is one area that needs a lot of 
thought for the next version.  Many of us are using argus to try and 
find anomolies and protocol violations that argus was never originally 
designed to cope with.   The problem is I think, that argus was 
designed as an audit tool for legitimate traffic and many of us are now 
trying to use it as an intrusion detction tool.

What I would really like is a cross between snort and argus with a perl 
callout ;-) ;-)

i.e. something that leaves an argus-like audit trail for retrospective 
or offline analysis but also has the ability to do limited content 
analysis 'on the fly' and has the ability to capture some packet 
contents in full under program control.

Cheers, Russell.

More information about the argus mailing list