racount and src/dst byte counts

Carter Bullard carter at qosient.com
Tue Sep 25 15:48:07 EDT 2001 

Hey Desmond,
   Remember, argus is a flow monitor, so everything it
does is on a flow basis.  This really holds true for
the src and dst determinations.  Who is the source of
this TCP connection, or this DNS transaction, or this
multicast stream.  By removing the relative aspects
of source and dst, you get two Argus's, no matter
where they are placed, generating the same results,
which is really important.

   Argus bases its determination of source on a pretty
simple strategy. The source for TCP traffic is who
initiated the TCP connection, who sent the SYN, or
who received the SYN_ACK.  For other IP traffic, its
who sent the first packet (with some boundary restrictions).
There are some issues with this strategy, and as a
result, if you look at ra() output, you'll sometimes see
a '?' in the direction indicator, telling us that argus
doesn't know who the source is, but this is its best
guess.

   So the source is who initiated the flow.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Desmond Irvine
> Sent: Tuesday, September 25, 2001 3:08 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: racount and src/dst byte counts
> 
> 
> I'm trying to wrap my head around what the src/dst byte 
> counts mean when
> doing an racount on a particular host.  I have a machine that 
> I suspect
> is using a large amount of bandwidth so I decided to look at 
> what it was
> doing with argus:
> 
> racount -n -r argus - host 142.55.aa.bb
> 
> racount    records       total_pkts         src_pkts        
> dst_pkts      total_bytes        src_bytes        dst_bytes
>     sum         28           245427            81899          
> 163528        181195205          4917335        176277870
> 
> ra -n -r argus - host 142.55.aa.bb
> 
> shows connectivity mainly from one remote host 199.212.cc.dd
> 
> racount -n -r argus - host 199.212.cc.dd
> 
> racount    records       total_pkts         src_pkts        
> dst_pkts      total_bytes        src_bytes        dst_bytes
>     sum         16           245290            81830          
> 163460        181180324          4909808        176270516
> 
> ra -n -r argus - host 199.212.cc.dd
> 
> shows only connections to the one local machine 142.55.aa.bb
> 
> What confuses me is the dst_bytes values - they're both pretty much
> the same for each machine.  Shouldn't one list the total under
> src_bytes and the other under dst_bytes?
> 
> Looking via another tool (ntop) shows the local machine sending the
> data to the remote machine.
> 
> Desmond.
> 
> -- 
> Desmond Irvine                Security Analyst, Information Technology
> Sheridan College              Phone: 905-845-9430 x2035
> 1430 Trafalgar Road           Fax: 905-815-4011
> Oakville, ON  L6H 2L1         EMail: desmond.irvine at sheridanc.on.ca
>

More information about the argus mailing list