argus structures...

Carter Bullard carter at qosient.com
Thu Jun 21 22:14:59 EDT 2001


Always questions!
The -z option prints out the Argus states, which cover
the entire flow. The -Z option prints out the accumulated
TCP flag bits for both halves of the flow. The value is
derived just as it is for Netflow records, you just OR
the bits into the value for every packet in the flow.
That's why there are src and dst components to the -Z flag.

The -z option is more precise than the -Z flag, as it
tells you the actual states that the TCP progressed through.
But seeing the actual flags can help discover TCP
protocol non-conformity.

Carter



> -----Original Message-----
> From: Chris Newton [mailto:newton at unb.ca] 
> Sent: Thursday, June 21, 2001 10:12 PM
> To: Carter Bullard; argus
> Subject: argus structures...
> 
> 
> Hi Carter...  Probably a wrong time to ask... but, I was 
> wondering about 
> something.
> 
>   These two, entries....
> 
>       -z  Print Argus TCP state changes for each tcp 
> transaction. Values are
>              's' - Syn Transmitted
>              'S' - Syn Acknowledged
>              'E' - TCP Established
>              'f' - Fin Transmitted  (FIN Wait State 1)
>              'F' - Fin Acknowledged (FIN Wait State 2)
>              'R' - TCP Reset
> 
> 
>      -Z  <s|d|b> Print actual TCP flag values. <'s'rc | 'd'st 
> | 'b'oth>.
>              'F' - Fin
>              'S' - Syn
>              'R' - Reset
>              'P' - Push
>              'A' - Ack
>              'U' - Urgent Pointer
>              '7' - Undefined 7th bit set
>              '8' - Undefined 8th bit set
> 
>   Now, the part I don't understand is the -Z <s|d|b> option, 
> since it seems to be telling us about individual packet 
> information, not for a flow.  I.e.: a flow doesn't have the 
> Ack bit set, a packet does.. and there are multiple packets 
> per flow (usually :)).  So, in a normal flow, say... an http 
> transaction, what does the output from this option refer to?  
> Also, how does this tie into the above -z command?  Is -z 
> meant to be used in a 'so far in the flow, we have seen the 
> following activities' sense, during the argus_flow_status 
> record printing?
> 
> Thanks,
> 
> Chris
> 
> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> 
> Chris Newton, Systems Analyst
> Computing Services, University of New Brunswick
> newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
> 
> "The best way to have a good idea is to have a lot of ideas." 
> Linus Pauling (1901 - 1994) US chemist
> 
> 
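The two views Carter describes, worked through in code. This is an added example, not Argus source: it takes a constructed packet list for one flow, ORs the TCP flag bits of every packet into a per-direction value and renders it with the -Z letter legend from the help text, and separately walks a simplified state progression rendered with the -z legend. The flag bit values are the standard ones from RFC 793; the state machine is an assumption that only approximates what Argus actually tracks; and the non-conformity checks at the end (reserved bits set, FIN seen in a direction that never sent SYN) are example heuristics of the kind the accumulated flags make possible, not checks Argus performs.

```python
# Added example (not Argus code): -Z style accumulated TCP flags per
# direction, a simplified -z style state progression, and two example
# heuristics for spotting non-conformant flows from the accumulated flags.

# Standard TCP flag bit positions (RFC 793); bits 7 and 8 were reserved
# at the time of the help text quoted above.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_BIT7, TCP_BIT8 = 0x10, 0x20, 0x40, 0x80

# Letter legend exactly as listed for -Z in the quoted help text.
FLAG_LETTERS = [
    (TCP_FIN, 'F'), (TCP_SYN, 'S'), (TCP_RST, 'R'), (TCP_PSH, 'P'),
    (TCP_ACK, 'A'), (TCP_URG, 'U'), (TCP_BIT7, '7'), (TCP_BIT8, '8'),
]


def flags_to_letters(bits):
    """Render an OR'ed flag value with the -Z letters."""
    return ''.join(letter for bit, letter in FLAG_LETTERS if bits & bit)


def accumulate_flags(packets):
    """OR the flag bits of every packet into a per-direction value.

    packets: iterable of (direction, flagbits) with direction 'src' or 'dst'.
    This is the NetFlow-style accumulation the mail describes for -Z, and
    why the result has separate src and dst components.
    """
    acc = {'src': 0, 'dst': 0}
    for direction, bits in packets:
        acc[direction] |= bits
    return acc


def render_flags(acc):
    """What -Z s / -Z d would show; -Z b is assumed to show both columns."""
    return {'s': flags_to_letters(acc['src']), 'd': flags_to_letters(acc['dst'])}


def state_progression(packets):
    """Simplified -z style progression (assumption, not Argus's real logic).

    Legend: s SYN sent, S SYN acknowledged, E established, f FIN sent,
    F FIN acknowledged, R reset. Each state is recorded once, in order.
    """
    states = []
    synack_seen = fin_seen = False

    def push(state):
        if state not in states:
            states.append(state)

    for direction, bits in packets:
        if bits & TCP_RST:
            push('R')
            continue
        if bits & TCP_SYN and not bits & TCP_ACK:
            push('s')
        elif bits & TCP_SYN and bits & TCP_ACK:
            push('S')
            synack_seen = True
        elif bits & TCP_ACK and synack_seen and 'E' not in states:
            push('E')                      # third packet of the handshake
        if bits & TCP_FIN:
            push('f')
            fin_seen = True
        elif bits & TCP_ACK and fin_seen:
            push('F')                      # a pure ACK after a FIN was seen
    return ''.join(states)


def nonconformity(acc):
    """Example heuristics over the accumulated flags (not Argus's checks)."""
    findings = []
    for direction in ('src', 'dst'):
        bits = acc[direction]
        if bits & (TCP_BIT7 | TCP_BIT8):
            findings.append(f'{direction}: reserved bit(s) set')
        if bits & TCP_FIN and not bits & TCP_SYN:
            findings.append(f'{direction}: FIN without SYN')
    return findings


# Constructed sample flows (not captured data).
HTTP_FLOW = [                              # normal handshake, request, close
    ('src', TCP_SYN), ('dst', TCP_SYN | TCP_ACK), ('src', TCP_ACK),
    ('src', TCP_PSH | TCP_ACK), ('dst', TCP_ACK), ('dst', TCP_PSH | TCP_ACK),
    ('src', TCP_ACK), ('src', TCP_FIN | TCP_ACK), ('dst', TCP_FIN | TCP_ACK),
    ('src', TCP_ACK),
]
FIN_SCAN = [('src', TCP_FIN), ('dst', TCP_RST | TCP_ACK)]   # bare FIN probe
XMAS_RESERVED = [('src', TCP_FIN | TCP_PSH | TCP_URG | TCP_BIT7)]

if __name__ == '__main__':
    for name, flow in (('http', HTTP_FLOW), ('finscan', FIN_SCAN),
                       ('xmas', XMAS_RESERVED)):
        acc = accumulate_flags(flow)
        print(name, '-Z:', render_flags(acc), '-z:', state_progression(flow),
              nonconformity(acc))
```

For the normal HTTP flow both directions accumulate to FSPA, which is why an OR'ed value alone says little about a healthy flow; the -z progression sSEfF carries the ordering. For the bare FIN probe the accumulated view is what stands out: the src column holds only F with no S, and the dst column only RA.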


