The "state" field of ra output
Andrew Pollock
andrew-argus at andrew.net.au
Mon Oct 21 22:30:03 EDT 2002
Greetings,
I'm investigating some monthly totals for a particular IP address that are
significantly higher than anticipated, by running ra over the same data
and just having a bit of a squiz at what it says happened.
I'm seeing lots of SSH connections from one of our monitoring hosts, which
is expected; however, the State column has RST, which according to the
manpage examples for ra() implies that the connections were denied. I know
for a fact that the connections aren't being denied, because my monitoring
would be saying inbound SSH to this IP was unavailable if it was.
I'm wondering if the monitoring check isn't closing the SSH connection
cleanly, and it's issuing a reset. I haven't yet done some analysis with
tcpdump to verify this.
I'm wondering how you can determine which side of the connection issued
the reset, and if my theory above holds water, this changes the
interpretation of the ra output somewhat, doesn't it?
Andrew
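The tcpdump-style check described above, attributing each RST to the side that sent it, can be done offline once the capture is saved. The script below is an added example written for this page; it is not from the original post or from the argus project. It builds a small, constructed pcap in memory (made-up hosts 10.0.0.5, 10.0.0.9 and 10.0.0.22, no valid checksums) and then identifies the client of each flow as whichever endpoint sent the bare SYN, so that an RST can be reported as coming from the client (for instance a monitor that aborts instead of closing cleanly) or from the server (a refused or torn-down connection). A flow whose SYN was not captured is reported as unknown rather than guessed.

```python
"""Attribute TCP resets to client or server from a pcap file.

The capture is constructed inline so the script runs offline; the hosts,
ports and packet order are assumptions made for this example.
"""
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10


def build_pkt(src_ip, dst_ip, sport, dport, flags):
    """Minimal Ethernet + IPv4 + TCP frame; checksums are left at zero."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(packets):
    """Wrap frames in a little-endian pcap (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, p in enumerate(packets):
        out.append(struct.pack("<IIII", 1035000000 + i, 0, len(p), len(p)) + p)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (ts, src, sport, dst, dport, flags) for each IPv4/TCP frame."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + caplen]
        off += caplen
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
            continue                                     # not IPv4 over TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))           # IP src at offset 12
        dst = ".".join(map(str, frame[30:34]))           # IP dst at offset 16
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield ts, src, sport, dst, dport, tcp[13]


def attribute_resets(pcap):
    """Return (src, sport, dst, dport, side) for every RST in the capture.

    The client of a flow is the endpoint that sent the bare SYN (SYN without
    ACK); RSTs on flows with no observed SYN are reported as unknown.
    """
    clients = {}   # unordered endpoint pair -> (client_ip, client_port)
    results = []
    for _, src, sport, dst, dport, flags in iter_tcp(pcap):
        key = frozenset({(src, sport), (dst, dport)})
        if flags & SYN and not flags & ACK:
            clients[key] = (src, sport)
        if flags & RST:
            client = clients.get(key)
            if client is None:
                side = "unknown (no SYN seen)"
            elif client == (src, sport):
                side = "client"
            else:
                side = "server"
            results.append((src, sport, dst, dport, side))
    return results


# Constructed sample: a monitor that resets instead of closing cleanly, a
# connection refused by the server, and a reset on a flow with no SYN captured.
MON, SRV, OTHER = "10.0.0.5", "10.0.0.22", "10.0.0.9"
SAMPLE_PCAP = build_pcap([
    build_pkt(MON, SRV, 40000, 22, SYN),
    build_pkt(SRV, MON, 22, 40000, SYN | ACK),
    build_pkt(MON, SRV, 40000, 22, ACK),
    build_pkt(MON, SRV, 40000, 22, RST | ACK),     # monitor aborts the session
    build_pkt(OTHER, SRV, 40001, 22, SYN),
    build_pkt(SRV, OTHER, 22, 40001, RST | ACK),   # server refuses the connection
    build_pkt(SRV, OTHER, 22, 40002, RST),         # no SYN seen for this flow
])

if __name__ == "__main__":
    for src, sport, dst, dport, side in attribute_resets(SAMPLE_PCAP):
        print(f"{src}:{sport} -> {dst}:{dport}  RST sent by {side}")
```

To use it on a real capture, read the file with `open(path, "rb").read()` and pass the bytes to `attribute_resets`; a capture taken at the monitored host (for example `tcpdump -w` on port 22) is enough. If most RSTs come from the monitor's side, the ra "RST" state reflects how the check closes the session rather than the service refusing it, which is the reinterpretation the post asks about.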