racount and src/dst byte counts

Desmond Irvine desmond.irvine at sheridanc.on.ca
Wed Sep 26 11:45:36 EDT 2001


How does racount decide which side (src or dst) to add the bytes to?
The transaction I was looking at was from what I suspect is some sort
of peer to peer file sharing tool.  ra listed a bunch of connections
of the form:

25 Sep 01 13:59:07    tcp  199.212.cc.dd.32862  ->    142.55.aa.bb.6891  EST

From this I would assume the flow was from the external machine to the
local machine, so I expected racount for the local machine to show the
larger amount of bytes on the dst side and the external machine to show
it on the src side.  Regardless of what racount considered src and dst,
I expect only one machine to be considered the dst; racount showing both
on the dst side doesn't seem to make sense to me.

Carter Bullard wrote:
> 
> Hey Desmond,
>    Remember, argus is a flow monitor, so everything it
> does is on a flow basis.  This really holds true for
> the src and dst determinations.  Who is the source of
> this TCP connection, or this DNS transaction, or this
> multicast stream.  By removing the relative aspects
> of source and dst, you get two Argus's, no matter
> where they are placed, generating the same results,
> which is really important.
>
>    Argus bases its determination of source on a pretty
> simple strategy. The source for TCP traffic is who
> initiated the TCP connection, who sent the SYN, or
> who received the SYN_ACK.  For other IP traffic, its
> who sent the first packet (with some boundary restrictions).
> There are some issues with this strategy, and as a
> result, if you look at ra() output, you'll sometimes see
> a '?' in the direction indicator, telling us that argus
> doesn't know who the source is, but this is its best
> guess.
> 
>    So the source is who initiated the flow.
> 
> Carter
> 
> Carter Bullard
> QoSient, LLC
> 300 E. 56th Street, Suite 18K
> New York, New York  10022
> 
> carter at qosient.com
> Phone +1 212 588-9133
> Fax   +1 212 588-9134
> http://qosient.com
> 
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> > Desmond Irvine
> > Sent: Tuesday, September 25, 2001 3:08 PM
> > To: argus-info at lists.andrew.cmu.edu
> > Subject: racount and src/dst byte counts
> >
> >
> > I'm trying to wrap my head around what the src/dst byte
> > counts mean when
> > doing an racount on a particular host.  I have a machine that
> > I suspect
> > is using a large amount of bandwidth so I decided to look at
> > what it was
> > doing with argus:
> >
> > racount -n -r argus - host 142.55.aa.bb
> >
> > racount    records   total_pkts   src_pkts   dst_pkts   total_bytes   src_bytes   dst_bytes
> >     sum         28       245427      81899     163528     181195205     4917335   176277870
> >
> > ra -n -r argus - host 142.55.aa.bb
> >
> > shows connectivity mainly from one remote host 199.212.cc.dd
> >
> > racount -n -r argus - host 199.212.cc.dd
> >
> > racount    records   total_pkts   src_pkts   dst_pkts   total_bytes   src_bytes   dst_bytes
> >     sum         16       245290      81830     163460     181180324     4909808   176270516
> >
> > ra -n -r argus - host 199.212.cc.dd
> >
> > shows only connections to the one local machine 142.55.aa.bb
> >
> > What confuses me is the dst_bytes values - they're both pretty much
> > the same for each machine.  Shouldn't one list the total under
> > src_bytes and the other under dst_bytes?
> >
> > Looking via another tool (ntop) shows the local machine sending the
> > data to the remote machine.
> >
> > Desmond.
> >
> > --
> > Desmond Irvine                Security Analyst, Information Technology
> > Sheridan College              Phone: 905-845-9430 x2035
> > 1430 Trafalgar Road           Fax: 905-815-4011
> > Oakville, ON  L6H 2L1         EMail: desmond.irvine at sheridanc.on.ca
> >

-- 
Desmond Irvine                Security Analyst, Information Technology
Sheridan College              Phone: 905-845-9430 x2035
1430 Trafalgar Road           Fax: 905-815-4011
Oakville, ON  L6H 2L1         EMail: desmond.irvine at sheridanc.on.ca
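To make Carter's point concrete, here is a small model of the source/destination rule he describes, written for this archive page; it is not Argus or racount code. It assumes a simplified packet record (addresses, ports, protocol, length, TCP flags) and uses RFC 5737 documentation addresses constructed for the example, not the hosts in the thread. The TCP source is the SYN sender (or SYN_ACK receiver), other IP traffic uses the first packet's sender, and a TCP flow first seen mid-stream is marked with the '?' direction. Filtering the resulting flows by host, the way `racount ... - host X` does, shows why both hosts report the same large dst_bytes: src and dst are roles of the flow, fixed when it starts, not properties of the host being queried.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int        # bytes on the wire
    flags: str = ""    # TCP flags, e.g. "S", "SA", "A", "PA"


@dataclass
class Flow:
    proto: str
    src: str           # initiator, Argus' notion of "source"
    sport: int
    dst: str           # responder
    dport: int
    direction: str     # "->" when the initiator is known, "?" when guessed
    src_pkts: int = 0
    dst_pkts: int = 0
    src_bytes: int = 0
    dst_bytes: int = 0


FlowKey = Tuple[str, Tuple[str, int], Tuple[str, int]]


def flow_key(p: Packet) -> FlowKey:
    """Bidirectional key so both directions of a conversation share one flow."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])


def new_flow(p: Packet) -> Flow:
    """Decide the source from the first packet seen, per the rule in the thread."""
    if p.proto == "tcp" and p.flags == "SA":
        # SYN_ACK seen first: the source is whoever receives it
        return Flow(p.proto, p.dst, p.dport, p.src, p.sport, "->")
    # SYN (or any non-TCP packet) identifies the source; a bare data/ack
    # packet means we joined mid-stream, so the guess is flagged with '?'
    direction = "->" if p.proto != "tcp" or p.flags == "S" else "?"
    return Flow(p.proto, p.src, p.sport, p.dst, p.dport, direction)


def build_flows(packets: List[Packet]) -> Dict[FlowKey, Flow]:
    flows: Dict[FlowKey, Flow] = {}
    for p in packets:
        key = flow_key(p)
        f = flows.get(key)
        if f is None:
            f = flows[key] = new_flow(p)
        # Counters follow the flow's fixed roles, not who sent this packet
        if (p.src, p.sport) == (f.src, f.sport):
            f.src_pkts += 1
            f.src_bytes += p.length
        else:
            f.dst_pkts += 1
            f.dst_bytes += p.length
    return flows


def racount(flows: Dict[FlowKey, Flow], host: str) -> Dict[str, int]:
    """Sum flow counters over every flow involving `host`, like a host filter."""
    t = dict(records=0, src_pkts=0, dst_pkts=0, src_bytes=0, dst_bytes=0)
    for f in flows.values():
        if host in (f.src, f.dst):
            t["records"] += 1
            t["src_pkts"] += f.src_pkts
            t["dst_pkts"] += f.dst_pkts
            t["src_bytes"] += f.src_bytes
            t["dst_bytes"] += f.dst_bytes
    t["total_pkts"] = t["src_pkts"] + t["dst_pkts"]
    t["total_bytes"] = t["src_bytes"] + t["dst_bytes"]
    return t


def ra_line(f: Flow) -> str:
    """ra-style one-line rendering of a flow record."""
    return f"{f.proto:>4}  {f.src}.{f.sport}  {f.direction}  {f.dst}.{f.dport}"


# Constructed capture: the remote host opens the connection, then the local
# host pushes most of the data back, mirroring the situation in the thread.
LOCAL, REMOTE, DNS, OTHER = "192.0.2.5", "198.51.100.9", "192.0.2.53", "198.51.100.20"
PACKETS: List[Packet] = (
    [Packet(REMOTE, 32862, LOCAL, 6891, "tcp", 60, "S"),
     Packet(LOCAL, 6891, REMOTE, 32862, "tcp", 60, "SA"),
     Packet(REMOTE, 32862, LOCAL, 6891, "tcp", 52, "A"),
     Packet(REMOTE, 32862, LOCAL, 6891, "tcp", 120, "PA")]
    + [Packet(LOCAL, 6891, REMOTE, 32862, "tcp", 1500, "PA") for _ in range(10)]
    + [Packet(REMOTE, 32862, LOCAL, 6891, "tcp", 52, "A") for _ in range(5)]
    + [Packet(LOCAL, 5353, DNS, 53, "udp", 70),          # first packet wins for UDP
       Packet(DNS, 53, LOCAL, 5353, "udp", 200),
       Packet(OTHER, 443, LOCAL, 40000, "tcp", 1400, "PA"),  # seen mid-stream
       Packet(LOCAL, 40000, OTHER, 443, "tcp", 52, "A")]
)
FLOWS = build_flows(PACKETS)

if __name__ == "__main__":
    for f in FLOWS.values():
        print(ra_line(f))
    for host in (LOCAL, REMOTE):
        print(host, racount(FLOWS, host))
```

Running it prints one `->` flow from the remote host to the local port 6891 and, for both hosts, the 15,060 bytes the local host sent under dst_bytes; the third flow shows the `?` marker because its SYN was never seen. When the direction is `?`, treat src/dst as a guess before drawing conclusions about who is pushing data.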