Missing source port.

Carter Bullard carter at qosient.com
Wed May 9 22:37:59 EDT 2001


Hey Russell,
   This means that the port value is 0xFFFF, which is
normally an internal flag for argus that the
source port has been "aggregated" out of the flow
definition.  Ports are not supposed to be 0xFFFF, so
it should be a safe tag, at least when everything
is in spec.

   Ra clients actually know when something has been
aggregated, and so I can put the value back in if it's
not the result of previous processing.  I'll try to
have a patch in the next few days to correct this.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of Russell
> Fulton
> Sent: Wednesday, May 09, 2001 6:41 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Missing source port.
> 
> 
> 
> 2001-05-09-21:27:35	s	tcp	202.96.142.46		
> ->	130.216.6.106	111	2	0	0	0	S
> 2001-05-09-22:21:15	s	tcp	202.96.142.46		
> ->	130.216.135.27	111	3	0	0	0	SR
> 2001-05-09-22:47:52	s	tcp	202.96.142.46		
> ->	130.216.198.155	111	3	0	0	0	SR
> 2001-05-09-22:56:50	s	tcp	202.96.142.46		
> ->	130.216.220.1	111	3	0	0	0	SR
> 
> Any idea why these records have no source port?  (this is tab 
> delimited 
> output from ra).
> 
> Here is raxml for one record:
> 
>          <Flow> <IP SrcIPAddr = "202.96.142.46" DstIPAddr = 
>                   "130.216.135.27" Proto = "tcp" Dport = "111" IpId = 
>                   "0x0" /> </Flow>
>          <FlowAttrs SrcTTL = "236" DstTTL = "0" SrcTOS = "0x0" 
>                DstTOS = "0x0" />
>          <ExtFlow> <TCPExtFlow TCPState = "SYN|RST|SRTN" TCPOptions = 
>                "MAX" SynAckuSecs = "0" AckDatauSecs = "0" >
>                    <TCPExtMetrics  SrcTCPSeqBase = "4101873286" 
>                       SrcTCPAckBytes = "0" SrcTCPBytes = "0" 
>                       SrcTCPRetrans = "1" SrcTCPWin = "8760" 
>                       SrcTCPFlags = "SR" DstTCPSeqBase = "0" 
>                       DstTCPAckBytes = "0" DstTCPBytes = "0" 
>                       DstTCPRetrans = "0" DstTCPWin = "0" 
>                       DstTCPFlags = "" />
>                   </TCPExtFlow>
>          </ExtFlow>
>          <Metrics SrcCount = "3" DstCount = "0" SrcBytes = "192" 
>               DstBytes = "0"  SrcAppBytes = "0" DstAppBytes = "0" />
>       </Far>
> 
> This traffic is part of a new type of scan I have been seeing for the
> last few days.  It probed many thousands of addresses but only these
> four had missing source ports.  One other factor that may be relevant
> is that the network where this data was collected is an
> extremely saturated 10MB link -- DMZ upgrade to 100Mbps in
> two weeks (if
> the hubs don't melt before that).
> 
>  I'm guessing that it is the solaris sadmin worm looking for
> new homes
> (when it isn't beating up our IIS servers).
> 
> Cheers, Russell.
> 
> 
> 
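For readers working through this thread: the example below is added here and is not code from argus, ra, or QoSient. It parses tab-delimited ra output of the shape Russell quoted, treats an empty source port field or the raw 0xFFFF value as "port not present" rather than as a real port 65535 (Carter's point that 0xFFFF is an internal aggregation flag, never a legitimate port), and groups records by source address and destination port so an analyst can see how many targets were probed and how many of those records lacked a source port. The field order is inferred from the quoted records, not taken from an argus specification; the four sample records are Russell's lines re-joined onto one line each, and the two extra records (192.0.2.x addresses) are constructed for contrast.

```python
# Parse tab-delimited ra(1) output and flag records with no source port.
# Field order below is an ASSUMPTION inferred from the records quoted in
# the thread, not an argus specification.
AGGREGATED_PORT = 0xFFFF  # argus-internal "source port aggregated out" flag

FIELDS = ["time", "status", "proto", "saddr", "sport", "arrow", "daddr",
          "dport", "spkts", "dpkts", "sbytes", "dbytes", "state"]

# Constructed sample input: Russell's four records re-joined onto single
# lines (the mail client had wrapped them), plus two constructed records
# using RFC 5737 test addresses: one well-formed, one carrying the raw
# sentinel value so the parser's handling of it can be seen.
SAMPLE_RA_OUTPUT = "\n".join([
    "2001-05-09-21:27:35\ts\ttcp\t202.96.142.46\t\t->\t130.216.6.106\t111\t2\t0\t0\t0\tS",
    "2001-05-09-22:21:15\ts\ttcp\t202.96.142.46\t\t->\t130.216.135.27\t111\t3\t0\t0\t0\tSR",
    "2001-05-09-22:47:52\ts\ttcp\t202.96.142.46\t\t->\t130.216.198.155\t111\t3\t0\t0\t0\tSR",
    "2001-05-09-22:56:50\ts\ttcp\t202.96.142.46\t\t->\t130.216.220.1\t111\t3\t0\t0\t0\tSR",
    "2001-05-09-22:58:00\ts\ttcp\t192.0.2.10\t1026\t->\t130.216.6.106\t111\t3\t0\t192\t0\tSR",
    "2001-05-09-22:59:00\ts\ttcp\t192.0.2.11\t65535\t->\t130.216.6.106\t111\t1\t0\t64\t0\tS",
])


def parse_port(text):
    """Return the port as an int, or None when the field is empty or holds
    the 0xFFFF aggregation sentinel (accepts decimal or 0x-prefixed hex)."""
    text = text.strip()
    if not text:
        return None
    value = int(text, 16) if text.lower().startswith("0x") else int(text)
    if value == AGGREGATED_PORT:
        return None
    if not 0 <= value < AGGREGATED_PORT:
        raise ValueError(f"port out of range: {text!r}")
    return value


def parse_record(line):
    """Split one tab-delimited ra line into a dict, normalising ports
    and counters; a malformed field count raises rather than guessing."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["sport"] = parse_port(rec["sport"])
    rec["dport"] = parse_port(rec["dport"])
    for key in ("spkts", "dpkts", "sbytes", "dbytes"):
        rec[key] = int(rec[key])
    return rec


def parse_ra(text):
    """Parse every non-blank line of ra output."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def records_missing_sport(records):
    """Records whose source port is absent (empty field or sentinel)."""
    return [r for r in records if r["sport"] is None]


def scan_summary(records):
    """Group by (saddr, dport): distinct destination hosts probed and how
    many of the records in that group lacked a source port."""
    summary = {}
    for r in records:
        entry = summary.setdefault((r["saddr"], r["dport"]),
                                   {"targets": set(), "missing_sport": 0})
        entry["targets"].add(r["daddr"])
        if r["sport"] is None:
            entry["missing_sport"] += 1
    return summary


if __name__ == "__main__":
    recs = parse_ra(SAMPLE_RA_OUTPUT)
    for (saddr, dport), info in scan_summary(recs).items():
        print(f"{saddr} -> port {dport}: {len(info['targets'])} target(s), "
              f"{info['missing_sport']} record(s) without source port")
```

Raising on an out-of-range or wrongly-sized record, instead of silently skipping it, matters here: Russell's four records came from a saturated link, and a parser that quietly coerces a sentinel to port 65535 would hide exactly the condition Carter describes.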