argus structures...

[Chris Newton]

Hi Carter...  Probably a wrong time to ask... but, I was wondering about 
something.

  These two, entries....

      -z  Print Argus TCP state changes for each tcp transaction. Values are
             's' - Syn Transmitted
             'S' - Syn Acknowledged
             'E' - TCP Established
             'f' - Fin Transmitted  (FIN Wait State 1)
             'F' - Fin Acknowledged (FIN Wait State 2)
             'R' - TCP Reset


     -Z  <s|d|b> Print actual TCP flag values. <'s'rc | 'd'st | 'b'oth>.
             'F' - Fin
             'S' - Syn
             'R' - Reset
             'P' - Push
             'A' - Ack
             'U' - Urgent Pointer
             '7' - Undefined 7th bit set
             '8' - Undefined 8th bit set

  Now, the part I dont understand is the -Z <s|d|b> option, since it seems to 
be telling us about individual packet information, not for a flow.  Ie: a flow 
doesnt have the Ack bit set, a packet does.. and there are multiple packets 
per flow (usually :)).  So, in a normal flows, say... a http transaction, what 
does the output from this option refer to?  Also, how does this tie into the 
above -z command?  Is -z meant to be used in a 'so far in the flow, we have 
see the following activities', during the argus_flow_status record printing?

Thanks,

Chris

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

Chris Newton, Systems Analyst
Computing Services, University of New Brunswick
newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)

"The best way to have a good idea is to have a lot of ideas."
Linus Pauling (1901 - 1994) US chemist