FlowScan w/argus?

Carter Bullard carter at qosient.com
Fri Jan 11 18:35:20 EST 2002 

Hey Dave,
   There are 6 ICMP INFO types:
      Echo
      Timestamp
      Information Request
      Address Mask Request
      Mobile Registration Request
      Domain Name Request

   Argus generates connected flows for these packet types
   by strictly matching request/reply pairs.  Argus will
   report the Request type, when there are bi-directional
   ICMP flows, because of Argus's theoretical connection
   model, which uses the first packet as the flow determinate.
   Argus corrects the case when packets come in out of order,
   so the theoretical model holds even when the first packet
   is the ICMP INFO reply.  Response packets must fit the
   strict connection flow model that Argus enforces, so you
   explicitly know what type the return traffic must have been.

   Good to hear that you've gotten this far so quickly.
   If you need any assistance, don't hesitate to email/call.

Have a great weekend!!!

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com
      

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Dave Plonka
> Sent: Friday, January 11, 2002 4:09 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Re: FlowScan w/argus?
> 
> 
> On Wed, Jan 09, 2002 at 04:48:48PM -0500, Carter Bullard wrote:
> > Ok, lets get terminology down so we can communicate effectively.
> > Argus generates argus records, ra* programs collect, aggregate
> > process and manage streams, files, archives of argus data.
> 
> Ah, now I see what you mean.  Previously, in my Cflow and FlowScan
> documentation, I referred to any software package that wrote raw flow
> records to files as a "flow collector", which doesn't match the argus
> terminology.
> 
> Perhaps I'll change my documentation to refer to "cflowd", flow-tools'
> "flow-capture", and "argus" as "flow file sources", since 
> they can each
> be the source of the time-stamped raw flow files that are input to
> FlowScan.
> 
> > You want to work with a ra* (read argus)* style program.
> 
> OK, things are coming along pretty well.  I have a working version of
> the Cflow perl module now that can read "argus.out" files directly and
> grok argus records.  I'll release it (announcing in this list) after I
> do some more testing.
> 
> There is one bit I haven't figured out yet:
> 
> In my "process_icmp" call-back function, I found the "forward" ICMP
> type and code (src -> dst) but not the "reverse" (dst -> src) type and
> code in the argus record.
> 
> When process_icmp handles an argus record with a non-zero
> argus->argus_far.dst.count, does that count always represent ECHOREPLY
> packets?  Or are there sometimes other ICMP types that are 
> counted from
> dst -> src?
> 
> To ask another way, does Argus store any kinds of ICMP flows 
> other than
> ECHO/ECHOREPLY bidirectionally?  From my reading of the 
> "raxml.c" code,
> I only see it referring to a single ICMP type and code value per
> argus_far structure.  Is ECHOREPLY implied for the dst -> src count?
> 
> Thanks,
> Dave 
> 
> -- 
> plonka at doit.wisc.edu  http://net.doit.wisc.edu/~plonka  
> ARS:N9HZF  Madison, WI
> 
>

More information about the argus mailing list