How to read ra() output

[Andrew Pollock]

On Tue, Oct 22, 2002 at 08:16:33AM -0400, Carter Bullard wrote:
> Hey Andrew,
> > Hi,
> [snip]
> > 
> > >From the ra(1) it says you don't see the EST state unless 
> > your running
> > your server in DETAIL mode. I couldn't find any further references to 
> > DETAIL mode in argus(8) or argus.conf(1) (and shouldn't that 
> > be in section 
> > 5 btw?)
> 
> Earlier versions of argus had a DETAIL mode, which generated argus
> records on any flow state transition.  This was removed when we
> went from 1.x to 2.0.  It was really for demonstration purposes,
> more than anything, since it generated so many records.  I've
> just removed all references to DETAIL in the ra.1 man page.
> Man pages generally haven't been high on the maintenance list.
> But I'm very glad that you're helping to point out these problems.

No problem, thanks for clearing that one up for me.
 
> argus.conf(5) now reports that its argus.conf.5.
> 
> > 
> > I've got zeros in the SrcPkt and SrcBytes column and varying 
> > values in the 
> > DstPkt and DstBytes columns.
> 
> Seems that you're only seeing one-half of the traffic?  Argus
> can make the REQ/INT, EST/CON, FIN/RST/TIM determination for
> TCP traffic when looking at only one half of the connection.

Eeek. I'll investigate this further. From another host (the one doing the 
SSH checks that I mentioned in another email) I'm seeing byte counts in 
both directions, so it's not an across the board problem.

> > 
> > I would have thought that given I'm looking at proxy traffic 
> > flows, I'd 
> > see some packets from the source (i.e. the GET request), 
> > followed by the 
> > content being returned by the proxy server. Where's my GET 
> > request? Is it 
> > tangled up in the EST record that I'm not seeing? All the records for 
> > flows between the host I'm interested in and the proxy server 
> > have zero in 
> > the source packets and bytes field.
> 
> Argus generates status records, that is, records that report the
> activity of existing and continuing flows based on a status timer.
> This timer, by default, is 60 seconds.  If a flow's lifetime is
> less that this, then all the traffic for that flow/transaction will
> be contained in a single record.

Ah, okay. So that said, if a proxy server transaction lasts less than one 
minute, you'd see one record, most probably with a FIN state, with bytes 
in both directions?

> > 
> > If I'm looking at a record that has a FIN state, and it's the 
> > only record 
> > for that source IP and port to the destination and port, is 
> > it fair to say 
> > that everything that happened in that flow is reported in 
> > that one record?
> 
> There are a number of possible reasons why you would only be
> seeing 1/2 of the transaction traffic.  Asymmetric routing, NAT
> and incomplete port mirroring (assuming you're getting your packets
> from a switch/router) are high candidates.

So I suppose if I run a tcpdump on the same host as Argus and look at the
traffic contents, and am I seeing the GET requests for this proxy server
traffic, but Argus isn't, then I've got myself some serious problems?

Andrew