The "state" field of ra output

Carter Bullard carter at qosient.com
Tue Oct 22 00:19:37 EDT 2002


Hey Andrew,
   Thanks for pointing out the problem with the ra.1 manpage.
I've changed it to suggest that using the -z or -Zb options
is needed to indicate the exact state of the TCP.

Sorry for any inconvenience,

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Russell Fulton
> Sent: Monday, October 21, 2002 11:32 PM
> To: Andrew Pollock
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: The "state" field of ra output
> 
> 
> On Tue, 2002-10-22 at 15:56, Andrew Pollock wrote:
> > On Tue, Oct 22, 2002 at 03:44:46PM +1300, Russell Fulton wrote:
> > 
> > [snip]
> > 
> > > Not exactly, a RST in the status field says that the session 
> > > was terminated by an RST.  I.e. it may have been established and 
> > > transferred 100MB of data via scp and then terminated by a RST 
> > > rather than an FIN.
> > 
> > This part of the ra manpage may need clarification:
> > 
> >  Thu 12/29 06:40:32     tcp  132.3.31.15.6200  <|  12.23.14.77.25   RST
> >        This  tcp  transaction  from  the  smtp   port   of   host
> >        12.23.14.77 was RESET, indicating that the transaction was
> >        denied.
> 
> ummmm... this is accurate in so far as it goes.  For SMTP and 
> some other protocols a RESET from the server is a fairly good 
> indication that the service was denied.  As a general rule it 
> is not so hot.
> 
> -- 
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 
> "It aint necessarily so"  - Gershwin
> 
> 
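The point Russell makes above (a RST-terminated flow may be a refused connection or an established session that moved data and was then aborted) is easy to show with a small flow-summary model. The following is an added example written for this archive page; it is not argus or ra code, the packet sequences and addresses are constructed, and the per-direction flag view merely stands in for the extra detail the thread says the -z or -Zb options expose (the output format is illustrative, not ra's own).

```python
"""
Added example, not from the original thread and not argus/ra code: fold a
constructed TCP packet sequence into a flow record, then show that a one-word
"RST" state cannot tell a refused connection from an established session
that was aborted after moving data, while per-direction flags and byte
counts can.
"""
from dataclasses import dataclass

# Standard TCP flag bits (RFC 793 header layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Packet:
    src: str          # "ip.port" of sender
    dst: str          # "ip.port" of receiver
    flags: int        # OR of the flag bits above
    payload: int = 0  # bytes of application data carried


@dataclass
class Flow:
    initiator: str       # side that sent the first packet
    responder: str
    src_flags: int = 0   # union of flags seen from the initiator
    dst_flags: int = 0   # union of flags seen from the responder
    src_bytes: int = 0
    dst_bytes: int = 0


def summarize(packets):
    """Fold one connection's packets into a Flow. Packet ordering is lost on
    purpose, as it is in a flag-union flow record."""
    first = packets[0]
    flow = Flow(initiator=first.src, responder=first.dst)
    for p in packets:
        if p.src == flow.initiator:
            flow.src_flags |= p.flags
            flow.src_bytes += p.payload
        else:
            flow.dst_flags |= p.flags
            flow.dst_bytes += p.payload
    return flow


def coarse_state(flow):
    """One-word state of the kind the manpage excerpt prints: how it ended."""
    seen = flow.src_flags | flow.dst_flags
    if seen & RST:
        return "RST"
    if seen & FIN:
        return "FIN"
    if flow.dst_flags & SYN and flow.dst_flags & ACK:
        return "EST"
    return "REQ"


def flag_string(bits):
    """Render a flag union as letters, e.g. SYN|ACK -> 'SA'."""
    table = ((FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"), (ACK, "A"))
    return "".join(ch for bit, ch in table if bits & bit)


def classify_reset(flow):
    """Interpret an RST-terminated flow using per-direction evidence.

    'refused'   responder never sent SYN|ACK, so the RST answered the SYN
    'aborted'   handshake completed (data may have moved) before the RST
    'not-reset' no RST in either direction
    """
    if not ((flow.src_flags | flow.dst_flags) & RST):
        return "not-reset"
    responder_synacked = (flow.dst_flags & (SYN | ACK)) == (SYN | ACK)
    return "aborted" if responder_synacked else "refused"


# Constructed packet sequences; addresses are made up for the example.
C, S = "10.0.0.5.40000", "10.0.0.9.25"

# Connection refused: SYN answered by RST|ACK.
REFUSED = [Packet(C, S, SYN), Packet(S, C, RST | ACK)]

# Established session, 3000 bytes uploaded, then torn down with RST.
ABORTED = [
    Packet(C, S, SYN), Packet(S, C, SYN | ACK), Packet(C, S, ACK),
    Packet(C, S, PSH | ACK, 1000), Packet(S, C, ACK),
    Packet(C, S, PSH | ACK, 1000), Packet(S, C, ACK),
    Packet(C, S, PSH | ACK, 1000), Packet(S, C, ACK),
    Packet(S, C, RST | ACK),
]

# Normal FIN close for comparison.
NORMAL = [
    Packet(C, S, SYN), Packet(S, C, SYN | ACK), Packet(C, S, ACK),
    Packet(C, S, FIN | ACK), Packet(S, C, FIN | ACK), Packet(C, S, ACK),
]

if __name__ == "__main__":
    for name, pkts in (("refused", REFUSED), ("aborted", ABORTED), ("normal", NORMAL)):
        f = summarize(pkts)
        print(f"{name:8} state={coarse_state(f):3} "
              f"src={flag_string(f.src_flags)}/{f.src_bytes}B "
              f"dst={flag_string(f.dst_flags)}/{f.dst_bytes}B -> {classify_reset(f)}")
```

Both the refused and the aborted flow come out as "RST" in the coarse state, which is the ambiguity the manpage text glosses over; only the responder's flag union (no SYN in the refused case) and the byte counts separate a denied service from a session that ran and was then reset.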