argus question?

[Carter Bullard]

Hey Tu,
   The "<o>" indicator is used to convey two pieces of
information, 1) who is the source and destination, and
2) what is the state of the network connection.

   For TCP is Argus see's any part of the initial TCP
handshake, then it really knows who originated the
TCP.  This is important.  Without this information,
you have to rely on port numbers to try to determine
who originated the TCP, and this is unreliable.  When
Argus knows the direction, it will indicate it using
the "<" or ">" arrows.  When it doesn't know, it will
use both.  So first indicator is that Argus doesn't
know who started this TCP connection.

   Argus thinks that it understands TCP, and so it
will track the connection until the protocol actually
closes (FIN -> FIN_ACK -> ACK) or (RST -> ACK), or
it will stop when the connection has been idle for
a given TIMEOUT.  In your case, these connections were
idle for the default TCP Timeout value, which is
120 seconds.  TCP has a number of states,
and the character at the center of the "<o>" indicator
tries to convey these states.  The values are:

   '-'  Normal connected
   'o'  Timed Out
   '|'  Reset connection 'the arrow will indicate who sent the RST'
   '?'  No origination or state information available.

   So in the final analysis, you probably have some persistent
TCP connections that were idle for more than 120 seconds, burst
for a while and then go idle again.  In your file you may
have many reports for the same TCP connection, representing
the times where it was active and then idle.

   The program raconnections() will merge these records back
together, to generate a single record for the single connection.

Hope this helps,

Carter



> -----Original Message-----
> From: Tu Nguyen [mailto:nguyen at ucalgary.ca]
> Sent: Wednesday, March 22, 2000 10:42 AM
> To: wcb at sei.cmu.edu
> Subject: argus question?
> 
> 
> 
> Dear Carter:
>  Thanks for offering argus for the world. I find it extremely
> useful for our University. I have few questionable
> transactions from the argus dump  that not adequately explained 
> by the man page. Could you help explain the "<o>", time out in 
> both direction? What does this symbol mean?
> Thanks
> Here are examples:
> 
> Thu 03/16 08:59:03      tcp   213.6.124.182.11285 <o> 
> 136.159.61.59.1249  TIM
> Thu 03/16 08:59:03      tcp   213.6.124.182.11286 <o> 
> 136.159.61.58.1766  TIM
> Thu 03/16 08:59:03      tcp   213.6.124.182.11287 <o> 
> 136.159.61.230.1565  TIM
> Thu 03/16 08:59:03      tcp   213.6.124.182.11288 <o> 
> 136.159.61.128.1587  TIM
> Thu 03/16 08:59:03      tcp   213.6.124.182.11289 <o> 
> 136.159.61.97.1422  TIM
> Thu 03/16 08:59:03      tcp   213.6.124.182.11290 <o> 
> 136.159.61.99.1068  TIM
> Thu 03/16 08:59:03      tcp   213.6.124.182.11291 <o> 
> 136.159.61.39.1885  TIM
> Thu 03/16 08:59:03      tcp   213.6.124.182.11292 <o> 
> 136.159.61.179.1776  TIM
> Thu 03/16 08:59:03      tcp   213.6.124.182.11293 <o> 
> 136.159.61.58.1594  TIM
> 
> -- 
> Tu Nguyen                               Information Technologies 
> The University of Calgary               voice: (403)220-5155
> UCS, 2500 University DR NW, Calgary,AB  fax  : (403)282-9199
> Canada, T2N-1N4             email:  nguyen at acs.ucalgary.ca
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20000323/2e2b9667/attachment.html>