Established connections
Carter Bullard
carter at qosient.com
Fri Aug 2 13:29:49 EDT 2002
Hey Wozz,
"tcp and est and not \(fin or finack or reset\)"

you'll want to use ragator first to merge all the flows together and then:

   ragator -w - -r file | ra tcp and est and not \(fin or finack or reset\)

to pick out the open flows.
Carter
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> wozz at 0xdeadbeef.org
> Sent: Monday, July 29, 2002 1:57 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Established connections
>
> If my assumption is correct, the 'est' keyword in a filter is
> going to show me flows that were established. Is there a way
> to only show flows that are CURRENTLY established? In other
> words, the connection was established, and no fin/rst has
> been received? Would ragator do a better job of this?
>
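
Added example, not part of the original thread and not Argus code: it shows in Python why the reply merges the flow records before filtering, since a long-lived flow is reported in several status records and an early record can say "est" while a later one carries the fin or reset. The records are constructed, simplified tuples rather than the Argus record format, and the function names are hypothetical.

```python
# Constructed sample data: (flow key, state indicators seen in that record).
# All flows are TCP, so the "tcp" term of the filter is implied here.
CLOSING = {"fin", "finack", "reset"}

RECORDS = [
    (("10.0.0.5", 40112, "192.0.2.10", 22), {"syn", "synack", "est"}),
    (("10.0.0.5", 40112, "192.0.2.10", 22), {"est"}),
    (("10.0.0.7", 51500, "192.0.2.20", 443), {"syn", "synack", "est"}),
    (("10.0.0.7", 51500, "192.0.2.20", 443), {"est", "fin", "finack"}),
    (("10.0.0.9", 33000, "192.0.2.30", 80), {"syn", "synack", "est"}),
    (("10.0.0.9", 33000, "192.0.2.30", 80), {"reset"}),
    (("10.0.0.4", 44000, "192.0.2.40", 25), {"syn"}),
]


def is_open(states):
    """The filter from the reply: est and not (fin or finack or reset)."""
    return "est" in states and not (states & CLOSING)


def filter_per_record(records):
    """Filter applied to unmerged records: any matching record lists the flow."""
    return sorted({key for key, states in records if is_open(states)})


def merge(records):
    """Merge step: union the indicators of all records sharing a flow key."""
    merged = {}
    for key, states in records:
        merged.setdefault(key, set()).update(states)
    return merged


def open_flows(records):
    """Merge first, then filter: only flows never seen closing remain."""
    return sorted(k for k, s in merge(records).items() if is_open(s))


if __name__ == "__main__":
    print("per-record filter:", filter_per_record(RECORDS))
    print("merge then filter:", open_flows(RECORDS))
```

Without the merge, the flows that later closed with fin or reset still appear, because their first status record matches the filter on its own.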