Filter rule confusion

Andrew Pollock andrew-argus at andrew.net.au
Mon Oct 14 23:22:06 EDT 2002


Hi,

It would seem that I've got myself confused over flows and filter rules 
and how Argus works in general (again).

I must be totally thick.

Anyway, I have this situation:

Client network is 172.16.6/24
Argus collection point above their gateway.
Remote proxy server they use is 172.16.2.100
There are some other external hosts that I want to exclude counting 
inbound traffic from

I want to determine all inbound traffic to this network. I've got lots of 
lovely Argus logs from a span port on the switch that this network is 
connected to.

I would have thought that a filter rule of "dst net 10.15.6/24" and then
looking at the src bytes would have given me a broad overview of how much
inbound traffic there was, however, it seems that I'm not looking at a lot
of the traffic by doing this. All the traffic between the client network
and the proxy server only shows up when I use a filter rule of "src net
10.15.6/24". Given that the connections to the proxy server are always
initiated FROM the client network TO the proxy server, this does make some
sense to me. However, I'm only interested in the inbound data as a result
of that outbound initiated flow. How do I get this? Should I be using a
filter rule of just "net 10.15.6/24"? Do I then look at the src bytes or
dst bytes to establish how much data came in, regardless of the direction
of the initial flow?

I thought I had this under control, from previous dumb questions, but it 
seems I haven't. It's fine for working out the inbound traffic to a 
single webserver, I've just been going "dst webserver" and then looking at 
the src bytes, but for a gateway with lots of bidirectional traffic, I'm 
at a loss again.

Sigh. Sorry to be a pain.

Andrew
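Editor's illustration of the accounting question above, added here and not part of Andrew's post or of the Argus tools: each Argus flow record is bidirectional, with the source being whichever side initiated the flow, so "bytes that came into the network" are the destination-side bytes when an inside host initiated and the source-side bytes when an outside host initiated. The records below are constructed, not real ra(1) output, and use a simplified whitespace layout (saddr daddr sbytes dbytes); the client network is taken as 172.16.6.0/24 and the proxy as 172.16.2.100, as given in the situation description.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample flow records (not real Argus output). Columns mimic the
# Argus fields saddr, daddr, sbytes, dbytes; saddr is the flow initiator.
SAMPLE_RECORDS = """\
# saddr         daddr          sbytes  dbytes
172.16.6.10     172.16.2.100   1200    58000
172.16.6.11     172.16.2.100   900     42000
203.0.113.5     172.16.6.20    3000    700
198.51.100.9    172.16.6.21    15000   2000
172.16.6.12     203.0.113.80   500     9000
"""

CLIENT_NET = "172.16.6.0/24"   # assumed from the post's situation description
PROXY = "172.16.2.100"         # remote proxy the clients connect to


@dataclass(frozen=True)
class Flow:
    saddr: ipaddress.IPv4Address
    daddr: ipaddress.IPv4Address
    sbytes: int   # bytes sent by the initiating side
    dbytes: int   # bytes sent back by the responding side


def parse_records(text: str) -> list:
    """Parse the simplified whitespace records into Flow objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        saddr, daddr, sbytes, dbytes = line.split()
        flows.append(Flow(ipaddress.ip_address(saddr), ipaddress.ip_address(daddr),
                          int(sbytes), int(dbytes)))
    return flows


def inbound_bytes(flows, net: str, match: str = "net", exclude=()) -> int:
    """Sum bytes entering `net`.

    `match` mimics the three filter choices from the post:
      "dst": only flows whose daddr is in net  (outside host initiated) -> sbytes
      "src": only flows whose saddr is in net  (inside host initiated)  -> dbytes
      "net": either side in net, picking the inbound counter per flow
    `exclude` lists outside hosts whose traffic should not be counted.
    """
    network = ipaddress.ip_network(net)
    excluded = {ipaddress.ip_address(a) for a in exclude}
    total = 0
    for f in flows:
        src_in, dst_in = f.saddr in network, f.daddr in network
        if src_in == dst_in:
            continue  # intra-network or wholly external: nothing crosses the edge
        if src_in and match in ("src", "net"):
            if f.daddr not in excluded:
                total += f.dbytes   # data the outside responder sent back in
        elif dst_in and match in ("dst", "net"):
            if f.saddr not in excluded:
                total += f.sbytes   # data the outside initiator pushed in
    return total


if __name__ == "__main__":
    flows = parse_records(SAMPLE_RECORDS)
    for m in ("dst", "src", "net"):
        print(f"{m:>3} filter: {inbound_bytes(flows, CLIENT_NET, m):>7} bytes inbound")
    print(f"net filter, proxy excluded: {inbound_bytes(flows, CLIENT_NET, 'net', [PROXY])} bytes")
```

With these records a "dst net" view alone sees only the two externally initiated flows, a "src net" view alone sees only the client-initiated ones, and the combined "net" view, choosing sbytes or dbytes per flow by which side is inside, is the one that totals all inbound data; the exclude list then drops the proxy's share.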
