src and dst in ra* tools?

Pierre Bourgin pierre.bourgin at free.fr
Thu Jul 26 06:34:18 EDT 2001


Hello,

I'm trying to use argus-2.0.2beta6 under NetBSD-1.4.1/i386 and 
NetBSD-1.5.1/i386.

Everything works fine, except for one thing I don't understand in the way
the ra* tools behave :(

I made a telnet connection from the box named 'stan' to host 'chatillon' and
generated a lot of telnet traffic by the use of this command ('inside'
the telnet):

while(1); find /usr/pkg ; end (under tcsh)

Sniffing the connection with tcpdump shows, as expected, a lot of
TCP packets from chatillon.telnet to stan.<client_telnet_port>, and some
in the opposite direction:

@chatillon:~# tcpdump host chatillon and host stan
tcpdump: listening on tl0
11:20:15.039051 stan.65469 > chatillon.telnet: . ack 1320826680 win 17520 [...]
11:20:15.039585 chatillon.telnet > stan.65469: P 1:62(61) ack 0 win 17520 [...]
11:20:15.039710 chatillon.telnet > stan.65469: P 1:62(61) ack 0 win 17520 [...]
11:20:15.040516 stan.65469 > chatillon.telnet: P 0:34(34) ack 62 win 1752  [...]
11:20:15.090220 chatillon.telnet > stan.65469: . ack 34 win 17520 <nop,nop,timestamp [...]
11:20:15.090329 chatillon.telnet > stan.65469: . ack 34 win 17520 <nop,nop,timestamp [...]
11:20:15.203181 chatillon.telnet > stan.65470: P 3680846667:3680846686(19) ack  [...]
[...]

I put an argus daemon on hosts chatillon and stan (same results), and
queried it with the ra tool:

@chatillon:~# ra -r /tmp/argus.out - src port telnet
[nothing shown]

@chatillon:~# ra -r /tmp/argus.out - dst port telnet
26 Jul 01 11:06:27    tcp            stan.65470         ?>        chatillon.telnet       EST
26 Jul 01 11:06:28    tcp            stan.65470         ?>        chatillon.telnet       EST
26 Jul 01 11:06:29    tcp            stan.65470         ?>        chatillon.telnet       EST
26 Jul 01 11:06:30    tcp            stan.65469         ?>        chatillon.telnet       EST
26 Jul 01 11:06:30    tcp            stan.65470         ?>        chatillon.telnet       EST
26 Jul 01 11:06:31    tcp            stan.65470         ?>        chatillon.telnet       EST
26 Jul 01 11:06:33    tcp            stan.65470         ?>        chatillon.telnet       EST
26 Jul 01 11:06:34    tcp            stan.65470         ?>        chatillon.telnet       EST

I tried other ra commands with the same result (based on host name(s) and
ports).

So the ra tool seems to INVERT src and dst of packets, because ra shows
chatillon as the destination box of telnet packets instead of showing it
as the source IP of packets? On the other hand, ra does not show any
transaction in the opposite direction (from chatillon to stan).

I tried changing the argus config in the /etc/argus.conf file (such as
ARGUS_FLOW_STATUS_INTERVAL=1) without any success.

This strange result also affects the racount command, which makes it
impossible to count packets in each direction.

Am I making a stupid mistake, or is it a bug?

Thanks for any clue or advice (like "stop doing network stuff" ;-)

Regards,

Pierre Bourgin
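As an added illustration (not from the post, and not argus's own code) of why a bidirectional flow record can list stan as the source even though most packets travel from chatillon: each TCP session is folded into a single record whose src is the initiating side, and a filter such as "src port telnet" is then evaluated against that record rather than against individual packets, while the per-direction packet counters are kept inside the record. The rule used below for picking the initiator when no SYN was captured (the ephemeral, higher-numbered port is the client, marked "?>") is this example's own assumption.

```python
import re

# Packet summaries constructed from the tcpdump lines quoted in the post (flags dropped).
PACKETS = [
    "stan.65469 > chatillon.telnet",
    "chatillon.telnet > stan.65469",
    "chatillon.telnet > stan.65469",
    "stan.65469 > chatillon.telnet",
    "chatillon.telnet > stan.65469",
    "chatillon.telnet > stan.65469",
    "chatillon.telnet > stan.65470",
]

WELL_KNOWN = {"telnet": 23}  # minimal service-name table for the sample
PKT_RE = re.compile(r"^(\S+)\.(\S+) > (\S+)\.(\S+)$")


def port_number(port):
    """Resolve a tcpdump-style port (name or number) to an integer."""
    return WELL_KNOWN.get(port) or int(port)


def build_flows(packets):
    """Fold both directions of every TCP session into one flow record.

    Assumption of this example: with no SYN observed (the session predates the
    capture), the side using the ephemeral port is treated as the initiator and
    the direction is flagged as uncertain with '?>'.
    """
    flows = {}
    for line in packets:
        sh, sp, dh, dp = PKT_RE.match(line).groups()
        sender, receiver = (sh, sp), (dh, dp)
        src, dst = (sender, receiver) if port_number(sp) > port_number(dp) else (receiver, sender)
        rec = flows.setdefault((src, dst), {"src": src, "dst": dst, "dir": "?>", "spkts": 0, "dpkts": 0})
        rec["spkts" if sender == src else "dpkts"] += 1  # per-direction counters
    return list(flows.values())


def match(rec, field, port):
    """Emulate an 'src port X' / 'dst port X' filter applied to a flow record."""
    return rec[field][1] == port


def fmt(rec):
    """Render a record in the src DIR dst layout the ra output uses."""
    return f"{rec['src'][0]}.{rec['src'][1]} {rec['dir']} {rec['dst'][0]}.{rec['dst'][1]}"
```

Run against the sample, "src port telnet" matches no record while "dst port telnet" matches both sessions, and the counters show that the reverse-direction packets were not lost, only folded into the same record.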


