How to read ra() output

Carter Bullard carter at qosient.com
Tue Oct 22 08:16:33 EDT 2002


Hey Andrew,
> Hi,
[snip]
> 
> From the ra(1) it says you don't see the EST state unless you're running
> your server in DETAIL mode. I couldn't find any further references to
> DETAIL mode in argus(8) or argus.conf(1) (and shouldn't that be in section
> 5 btw?)

Earlier versions of argus had a DETAIL mode, which generated argus
records on any flow state transition.  This was removed when we
went from 1.x to 2.0.  It was really for demonstration purposes,
more than anything, since it generated so many records.  I've
just removed all references to DETAIL in the ra.1 man page.
Man pages generally haven't been high on the maintenance list.
But I'm very glad that you're helping to point out these problems.

argus.conf(5) now reports that it's argus.conf.5.

> 
> I've got zeros in the SrcPkt and SrcBytes column and varying values in the
> DstPkt and DstBytes columns.

Seems that you're only seeing one-half of the traffic?  Argus
can make the REQ/INT, EST/CON, FIN/RST/TIM determination for
TCP traffic when looking at only one half of the connection.

> 
> I would have thought that given I'm looking at proxy traffic flows, I'd
> see some packets from the source (i.e. the GET request), followed by the
> content being returned by the proxy server. Where's my GET request? Is it
> tangled up in the EST record that I'm not seeing? All the records for
> flows between the host I'm interested in and the proxy server have zero in
> the source packets and bytes field.

Argus generates status records, that is, records that report the
activity of existing and continuing flows based on a status timer.
This timer, by default, is 60 seconds.  If a flow's lifetime is
less than this, then all the traffic for that flow/transaction will
be contained in a single record.

> 
> If I'm looking at a record that has a FIN state, and it's the only record
> for that source IP and port to the destination and port, is it fair to say
> that everything that happened in that flow is reported in that one record?

There are a number of possible reasons why you would only be
seeing 1/2 of the transaction traffic.  Asymmetric routing, NAT
and incomplete port mirroring (assuming you're getting your packets
from a switch/router) are high candidates.

> 
> Andrew
> 
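As an added illustration of the two points in this reply (status records accumulating per flow across the 60-second status interval, and TCP flows where only one direction shows packets), not code from the original thread or from the argus project; the whitespace column layout of the constructed sample is an assumption for this example, not ra's actual default output format:

```python
from collections import defaultdict

# Constructed sample in an assumed ra(1)-like whitespace layout:
# start_time proto saddr sport daddr dport state spkts dpkts sbytes dbytes
# (field order is an assumption for this example, not ra's real default)
SAMPLE = """\
10:00:00 tcp 10.0.0.5 41000 10.0.0.9 3128 EST 0 120 0 98000
10:01:00 tcp 10.0.0.5 41000 10.0.0.9 3128 FIN 0 35 0 21000
10:00:03 tcp 10.0.0.6 52000 10.0.0.9 3128 FIN 8 12 900 15000
10:00:10 udp 10.0.0.7 5353 224.0.0.251 5353 INT 4 0 600 0
"""

def parse_records(text):
    """Parse the constructed layout into dicts; skip malformed lines."""
    recs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 11:
            continue
        recs.append({"start": f[0], "proto": f[1],
                     "saddr": f[2], "sport": int(f[3]),
                     "daddr": f[4], "dport": int(f[5]), "state": f[6],
                     "spkts": int(f[7]), "dpkts": int(f[8]),
                     "sbytes": int(f[9]), "dbytes": int(f[10])})
    return recs

def aggregate_flows(recs):
    """Sum status records per 5-tuple: a flow that outlives the status
    interval (60 s by default) is reported as several records, so the
    totals for the transaction are only visible once they are combined."""
    flows = defaultdict(lambda: {"records": 0, "spkts": 0, "dpkts": 0,
                                 "sbytes": 0, "dbytes": 0, "states": []})
    for r in recs:
        key = (r["proto"], r["saddr"], r["sport"], r["daddr"], r["dport"])
        agg = flows[key]
        agg["records"] += 1
        for k in ("spkts", "dpkts", "sbytes", "dbytes"):
            agg[k] += r[k]
        agg["states"].append(r["state"])
    return dict(flows)

def one_sided_tcp_flows(flows):
    """Return TCP 5-tuples where only one direction carried packets: the
    sensor saw half the conversation, which points at asymmetric routing,
    NAT or an incomplete port mirror. UDP is skipped because one-way UDP
    (multicast, syslog) is normal and would only add noise."""
    return sorted(k for k, a in flows.items()
                  if k[0] == "tcp" and (a["spkts"] == 0) != (a["dpkts"] == 0))
```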