How to read ra() output
Andrew Pollock
andrew-argus at andrew.net.au
Tue Oct 22 01:59:39 EDT 2002
Hi,
I'm trying to make some sense of some ra() output.
I've generated it like this:
rasort -F excel.rc -r logfile - host interestinghost
Where excel.rc is the example file provided with the Argus clients
distribution.
I'm then dragging the output into Excel so I can look at it easier.
I'm seeing lots of connections from the host I'm interested in to my
proxy server. The state column is either FIN or CON. I'm equating this to
the status field that is documented in the ra(1) manpage.
From the ra(1) it says you don't see the EST state unless you're running
your server in DETAIL mode. I couldn't find any further references to
DETAIL mode in argus(8) or argus.conf(1) (and shouldn't that be in section
5 btw?)
I've got zeros in the SrcPkt and SrcBytes column and varying values in the
DstPkt and DstBytes columns.
I would have thought that given I'm looking at proxy traffic flows, I'd
see some packets from the source (i.e. the GET request), followed by the
content being returned by the proxy server. Where's my GET request? Is it
tangled up in the EST record that I'm not seeing? All the records for
flows between the host I'm interested in and the proxy server have zero in
the source packets and bytes field.
If I'm looking at a record that has a FIN state, and it's the only record
for that source IP and port to the destination and port, is it fair to say
that everything that happened in that flow is reported in that one record?
Andrew
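The questions above (which flows show zero source packets, and whether a lone FIN record accounts for a whole flow) are the kind of thing that is easier to answer by grouping the records per 5-tuple than by eyeballing a spreadsheet. The script below is an added example, not code from the post or from the Argus distribution; it assumes a tab-separated layout with the column names used in the post (SrcPkts, SrcBytes, DstPkts, DstBytes, State) plus address and port columns, since the actual field order produced by excel.rc is not shown here. The sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample output in the column layout ASSUMED here; the real field
# order depends on the -F excel.rc configuration, which is not reproduced above.
SAMPLE_RA_OUTPUT = """\
StartTime\tProto\tSrcAddr\tSport\tDstAddr\tDport\tSrcPkts\tSrcBytes\tDstPkts\tDstBytes\tState
10:00:01\ttcp\t192.0.2.10\t40001\t192.0.2.80\t3128\t0\t0\t12\t9800\tFIN
10:00:02\ttcp\t192.0.2.10\t40002\t192.0.2.80\t3128\t0\t0\t4\t1200\tCON
10:00:03\ttcp\t192.0.2.10\t40002\t192.0.2.80\t3128\t0\t0\t7\t5000\tFIN
10:00:04\ttcp\t192.0.2.11\t50001\t192.0.2.80\t3128\t6\t800\t9\t7000\tFIN
"""

COUNTERS = ("SrcPkts", "SrcBytes", "DstPkts", "DstBytes")


def parse_ra(text):
    """Parse tab-separated ra-style output into dicts with integer counters."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = []
    for row in reader:
        for col in COUNTERS:
            row[col] = int(row[col])
        rows.append(row)
    return rows


def group_flows(rows):
    """Group records by (proto, src addr, src port, dst addr, dst port)."""
    flows = defaultdict(list)
    for row in rows:
        key = (row["Proto"], row["SrcAddr"], row["Sport"],
               row["DstAddr"], row["Dport"])
        flows[key].append(row)
    return dict(flows)


def one_sided_flows(flows):
    """Flow keys where no record ever reports a packet from the source.

    With a proxy these are suspicious on their face: an HTTP request with
    no client-side packets is not possible, so either the request lives in
    a record you are not seeing or the sensor only saw one direction.
    """
    return sorted(key for key, recs in flows.items()
                  if all(r["SrcPkts"] == 0 for r in recs))


def single_record_fin_flows(flows):
    """Flow keys represented by exactly one record, and that record is FIN."""
    return sorted(key for key, recs in flows.items()
                  if len(recs) == 1 and recs[0]["State"] == "FIN")


def flow_totals(flows):
    """Sum the packet and byte counters over all records of each flow."""
    totals = {}
    for key, recs in flows.items():
        totals[key] = {col: sum(r[col] for r in recs) for col in COUNTERS}
    return totals


if __name__ == "__main__":
    flows = group_flows(parse_ra(SAMPLE_RA_OUTPUT))
    for key in one_sided_flows(flows):
        print("no source packets:", key, flow_totals(flows)[key])
    for key in single_record_fin_flows(flows):
        print("single FIN record:", key)
```

Summing the counters per 5-tuple also shows why a single FIN record is not automatically the whole story: when a flow appears as a CON record followed by a FIN record, the totals only come out right if both are added together, so a flow with a lone FIN record is complete only if no earlier record for the same 5-tuple was emitted.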