src and dst in ra* tools ?

Carter Bullard carter at qosient.com
Thu Jul 26 09:54:20 EDT 2001


Hey Pierre,
   Argus is doing the right thing.  "stan" initiated the
telnet connection to "chatillon"'s telnet port.  Stan
is the source, Chatillon is the destination.  Remember
Argus is a flow monitor, not a packet monitor, so the
source and destination labels are relative to the
flow.  If you run ra() with the -c option, you will see
the number of packets and bytes that were sent in both
directions during the report interval.  Be sure and set
RA_PRINT_LABELS=0 in your .rarc file, or call ra this way:

   ra -L0 -cr /tmp/argus.out - port telnet

This will print labels out for the columns and with the
-c option, you'll see a lot more information.

   In your example, however, Argus is saying that the
source and destination may not be correct; the key is
in the "?" field.  Argus did not see the SYN or the
SYN_ACK of the telnet connection (you may have started
argus after you started the telnet connection), and that
is why it reports the "?": Argus is guessing, and it may
not be correct.

   In this case, Argus reports the source as the host
that sent the first observed packet.  This makes sense,
since there is no way that you can know the actual source
of a TCP connection if you do not see the SYN or the
SYN_ACK packets.  If you start a telnet after you start
Argus, so that it can see all the packets, you'll
see the "?" go away, and the source and destination
will be correct.  In your example, Argus's guess was
correct.

   You were successful in changing the
ARGUS_FLOW_STATUS_INTERVAL to 1 second, as you are
generating flow interval reports every second, if there
is traffic to report.  Change this value to 10, 30 or
60, as I would suspect that you are not interested in
seeing flow reports every second.

   Are you running argus with any filters?
   

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Pierre Bourgin
> Sent: Thursday, July 26, 2001 6:34 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: src and dst in ra* tools ?
> 
> 
> Hello,
> 
> I'm trying to use argus-2.0.2beta6 under NetBSD-1.4.1/i386 and 
> NetBSD-1.5.1/i386.
> 
> Everything works fine, except one thing I don't understand in 
> the way of ra* tools :(
> 
> I made a telnet connection from a box named 'stan' to host 
> 'chatillon' and 
> generated a lot of telnet traffic by the use of this command ('inside' 
> the telnet):
> 
> while(1); find /usr/pkg ; end (under tcsh)
> 
> sniffing the connection with tcpdump shows, as expected, a lot of 
> TCP packets from chatillon.telnet to 
> stan.<client_telnet_port>, and some 
> in the opposite direction:
> 
> @chatillon:~# tcpdump host chatillon and host stan
> tcpdump: listening on tl0
> 11:20:15.039051 stan.65469 > chatillon.telnet: . ack 1320826680 win 17520 [...]
> 11:20:15.039585 chatillon.telnet > stan.65469: P 1:62(61) ack 0 win 17520 [...]
> 11:20:15.039710 chatillon.telnet > stan.65469: P 1:62(61) ack 0 win 17520 [...]
> 11:20:15.040516 stan.65469 > chatillon.telnet: P 0:34(34) ack 62 win 1752  [...]
> 11:20:15.090220 chatillon.telnet > stan.65469: . ack 34 win 17520 <nop,nop,timestamp [...]
> 11:20:15.090329 chatillon.telnet > stan.65469: . ack 34 win 17520 <nop,nop,timestamp [...]
> 11:20:15.203181 chatillon.telnet > stan.65470: P 3680846667:3680846686(19) ack  [...]
> [...]
> 
> I put an argus daemon on hosts chatillon and stan (same 
> results), and queried it with the ra tool:
> 
> @chatillon:~# ra -r /tmp/argus.out - src port telnet
> [nothing shown]
> 
> @chatillon:~# ra -r /tmp/argus.out - dst port telnet
> 26 Jul 01 11:06:27    tcp            stan.65470         ?>        chatillon.telnet       EST
> 26 Jul 01 11:06:28    tcp            stan.65470         ?>        chatillon.telnet       EST
> 26 Jul 01 11:06:29    tcp            stan.65470         ?>        chatillon.telnet       EST
> 26 Jul 01 11:06:30    tcp            stan.65469         ?>        chatillon.telnet       EST
> 26 Jul 01 11:06:30    tcp            stan.65470         ?>        chatillon.telnet       EST
> 26 Jul 01 11:06:31    tcp            stan.65470         ?>        chatillon.telnet       EST
> 26 Jul 01 11:06:33    tcp            stan.65470         ?>        chatillon.telnet       EST
> 26 Jul 01 11:06:34    tcp            stan.65470         ?>        chatillon.telnet       EST
> 
> I tried other ra commands with the same result (based on host 
> name(s) and ports).
> 
> so the ra tool seems to INVERT src and dst of packets, 'cause 
> ra shows chatillon as the destination 
> box of telnet packets, instead of showing it as the source IP of 
> the packets ? On the other hand, ra does not show any transaction 
> in the opposite direction (from chatillon to 
> stan)
> 
> I tried to change the config of argus in the /etc/argus.conf file (such as 
> ARGUS_FLOW_STATUS_INTERVAL=1) 
> without any success.
> 
> This strange result also affects the racount command, which makes 
> it impossible to count packets 
> in each direction.
> 
> Do I make a stupid mistake or is it a bug ?
> 
> Thanks for any clue or advice (like stop doing network stuff ;-)
> 
> Regards,
> 
> Pierre Bourgin
> 
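As an added example (not Argus code, and not from either poster), here is a small Python model of the orientation rule Carter describes: a flow is oriented by the SYN or SYN-ACK when one is seen, otherwise by the first observed packet and marked with "?"; the per-direction counters stand in for what ra -c reports. Packet, FlowReport and classify_flow are names made up for this example, and the sample packets are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
SYN, ACK = 0x02, 0x10                       # TCP flag bits
Packet = namedtuple("Packet", "src dst flags length")   # src/dst are "host:port"

@dataclass
class FlowReport:
    src: str
    dst: str
    certain: bool                           # True if a SYN or SYN-ACK fixed the orientation
    src_pkts: int = 0
    src_bytes: int = 0
    dst_pkts: int = 0
    dst_bytes: int = 0

    def label(self) -> str:
        # mirror ra's direction column: "->" when known, "?>" when guessed
        return "->" if self.certain else "?>"

def classify_flow(packets):
    """Orient one TCP flow (packets in capture order) with the rule from the
    thread: the SYN sender, or the SYN-ACK receiver, is the source; failing
    both, the sender of the first observed packet is assumed and flagged."""
    src = dst = None
    for p in packets:
        if p.flags & SYN:
            # a SYN-ACK comes from the responder, so its receiver is the source
            src, dst = (p.dst, p.src) if p.flags & ACK else (p.src, p.dst)
            break
    rep = FlowReport(src or packets[0].src, dst or packets[0].dst, src is not None)
    for p in packets:                       # per-direction counters, as ra -c reports
        if p.src == rep.src:
            rep.src_pkts, rep.src_bytes = rep.src_pkts + 1, rep.src_bytes + p.length
        else:
            rep.dst_pkts, rep.dst_bytes = rep.dst_pkts + 1, rep.dst_bytes + p.length
    return rep
# Constructed samples: hosts and ports are borrowed from the thread, packets are made up.
FULL_HANDSHAKE = [
    Packet("stan:65470", "chatillon:23", SYN, 0),
    Packet("chatillon:23", "stan:65470", SYN | ACK, 0),
    Packet("stan:65470", "chatillon:23", ACK, 0),
    Packet("chatillon:23", "stan:65470", ACK, 61),
]
# Monitor started mid-connection and the server side happened to talk first.
MID_CONNECTION = [
    Packet("chatillon:23", "stan:65469", ACK, 61),
    Packet("stan:65469", "chatillon:23", ACK, 34),
    Packet("chatillon:23", "stan:65469", ACK, 61),
]
```

The second sample shows the failure mode from the thread: with no handshake in view, the guessed orientation is whichever side spoke first, so the "?" is the only hint that src and dst may be swapped.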
