The "state" field of ra output

Russell Fulton r.fulton at auckland.ac.nz
Mon Oct 21 22:44:46 EDT 2002


On Tue, 2002-10-22 at 15:30, Andrew Pollock wrote:
> Greetings,
> 
> I'm investigating some monthly totals for a particular IP address that are 
> significantly higher than anticipated, by running ra over the same data 
> and just having a bit of a squiz at what it says happened.
> 
> I'm seeing lots of SSH connections from one of our monitoring hosts, which
> is expected, however the State column has RST, which according to the 
> manpage examples for ra() implies that the connections were denied. I know 
> for a fact that the connections aren't being denied, because my monitoring 
> would be saying inbound SSH to this IP was unavailable if it was.

Not exactly, a RST in the status field says that the session was
terminated by an RST.  I.e. it may have been established and transferred
100MB of data via scp and then terminated by a RST rather than a FIN.

Use -Ac to get packet and databyte counts. 


> 
> I'm wondering if the monitoring check isn't closing the SSH connection
> cleanly, and it's issuing a reset. I haven't yet done some analysis with 
> tcpdump to verify this.
> 
> I'm wondering how you can determine which side of the connection issued 
> the reset, and if my theory above holds water, this changes the 
> interpretation of the ra output somewhat, doesn't it?

The direction arrow -> tells you the direction of the RST.

You can also use -Zb to get all the flags displayed in the status
field.  I use this all the time (I added it to argus so I'm biased ;-)

Cheers, Russell

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so"  - Gershwin
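To make the point of the reply concrete (an RST state is not the same as a denied connection, and the direction arrow tells you which side sent the reset), here is an added example that is not part of the original thread and not argus's own code. It parses constructed ra-style records and classifies each TCP flow. The column layout it assumes (StartTime Flgs Proto SrcAddr.Sport Dir DstAddr.Dport TotPkts TotBytes State) is modelled on ra's default output, and the `SPAR_SPA` form it accepts for a `-Zb`-style per-side flag field is an assumption about that format; all sample lines and addresses are invented.

```python
"""Classify TCP flows from ra-style records so that an RST in the State
column is not misread as "connection denied".

Added example for this mailing-list thread; not argus's own code.
Assumptions (not from the original mail):
  * field order is StartTime Flgs Proto Src Dir Dst TotPkts TotBytes State
  * a -Zb style state field reads "<src flags>_<dst flags>", e.g. SPAR_SPA
  * the direction arrow gives the direction of the RST, as the reply says
"""
import re
from dataclasses import dataclass

# Constructed records (values invented for illustration):
#   1. long scp-like session ended by an RST from the client
#   2. attempt answered with an RST by the server, no data exchanged
#   3. session closed cleanly with FIN
#   4. -Zb style flag field: client side shows R, server side does not
SAMPLE_RA_OUTPUT = """\
10:15:01.123456  e  tcp  192.0.2.10.40321  ->  192.0.2.20.22   128  98123  RST
10:15:02.000000  e  tcp  192.0.2.10.40322  <-  192.0.2.20.22     2    120  RST
10:15:03.500000  e  tcp  192.0.2.10.40323  ->  192.0.2.20.22    44   6120  FIN
10:15:04.250000  e  tcp  192.0.2.10.40324  ->  192.0.2.20.22    96  71000  SPAR_SPA
"""

LINE_RE = re.compile(
    r"^(?P<start>\S+)\s+(?P<flgs>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dir>->|<-|<->|<\?>)\s+(?P<dst>\S+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<state>\S+)\s*$"
)


@dataclass
class Flow:
    src: str
    dst: str
    direction: str
    pkts: int
    bytes: int
    state: str


def parse_ra(text):
    """Parse ra-style lines into Flow objects; lines in another layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flows.append(Flow(m["src"], m["dst"], m["dir"],
                          int(m["pkts"]), int(m["bytes"]), m["state"]))
    return flows


def rst_sender(flow):
    """Return 'src', 'dst', 'both' or None: which side sent a reset."""
    if "_" in flow.state:
        # Assumed -Zb layout: source-side flags before '_', destination after.
        sflags, dflags = flow.state.split("_", 1)
        s, d = "R" in sflags, "R" in dflags
        return "both" if s and d else "src" if s else "dst" if d else None
    if flow.state != "RST":
        return None
    # Default State column: the direction arrow is read as the RST direction.
    return {"->": "src", "<-": "dst"}.get(flow.direction)


def classify(flow, handshake_pkts=3):
    """Explain a flow's ending; only a reset with no data looks like a refusal."""
    who = rst_sender(flow)
    if who is None:
        return f"closed without reset (state {flow.state})"
    if flow.pkts <= handshake_pkts:
        return f"reset by {who} with no data exchanged: refusal or aborted handshake"
    return (f"established session, {flow.bytes} bytes in {flow.pkts} packets, "
            f"torn down by RST from {who}: not a denial")


def summarize(text):
    return [(f.src, f.dst, classify(f)) for f in parse_ra(text)]


if __name__ == "__main__":
    for src, dst, verdict in summarize(SAMPLE_RA_OUTPUT):
        print(f"{src} -> {dst}: {verdict}")
```

Run it as-is to see the four verdicts; point `summarize()` at real `ra -Ac` output only after checking that the column order matches the regex, since ra's default fields vary between argus versions.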
