How to read ra() output

Carter Bullard carter at qosient.com
Tue Oct 22 16:48:55 EDT 2002


[snip]
> > 
> > Argus generates status records, that is, records that report the 
> > activity of existing and continuing flows based on a status timer. 
> > This timer, by default, is 60 seconds.  If a flow's lifetime is less
> > than this, then all the traffic for that flow/transaction will be 
> > contained in a single record.
> 
> Ah, okay. So that said, if a proxy server transaction lasts 
> less than one minute, you'd see one record, most probably with a 
> FIN state, with bytes in both directions?

Because of the variability of OS's and TCP stacks, don't assume
FIN, could be FIN or RST or TIM.  If there was connectivity, then
you expect bytes in both directions.

> 
> > > 
> > > If I'm looking at a record that has a FIN state, and it's the
> > > only record for that source IP and port to the destination and 
> > > port, is it fair to say that everything that happened in that 
> > > flow is reported in that one record?
> > 
> > There are a number of possible reasons why you would only be seeing 
> > 1/2 of the transaction traffic.  Asymmetric routing, NAT and 
> > incomplete port mirroring (assuming you're getting your 
> > packets from a switch/router) are high candidates.
> 
> So I suppose if I run a tcpdump on the same host as Argus and 
> look at the traffic contents, and am I seeing the GET 
> requests for this proxy server traffic, but Argus isn't, then 
> I've got myself some serious problems?

Yes, that would be a real problem!

Carter
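As an added example, not part of the thread or of the Argus distribution, here is a small Python check for the two points discussed above: flows that outlive the status timer show up as several status records, and flows with bytes in only one direction are candidates for asymmetric routing, NAT or incomplete mirroring. The CSV column layout and all values are constructed for the example; they are not ra()'s default output format.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample, loosely modelled on a CSV-style ra() listing. Columns and
# values are made up here; the 60-second status timer from the thread is why the
# 10.0.0.7 flow appears as two records.
SAMPLE = """\
stime,dur,proto,saddr,sport,daddr,dport,sbytes,dbytes,state
1035319200.0,0.42,tcp,10.0.0.5,51200,10.0.0.80,3128,812,5120,FIN
1035319205.0,0.10,tcp,10.0.0.6,51201,10.0.0.80,3128,640,0,RST
1035319210.0,60.0,tcp,10.0.0.7,51202,10.0.0.80,3128,40960,2048,CON
1035319270.0,35.5,tcp,10.0.0.7,51202,10.0.0.80,3128,10240,1024,FIN
1035319300.0,1.2,tcp,10.0.0.8,51203,10.0.0.80,3128,0,3000,TIM
"""

def parse_records(text):
    """Parse the CSV listing into dicts, converting the numeric fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["dur"] = float(row["dur"])
        row["sbytes"] = int(row["sbytes"])
        row["dbytes"] = int(row["dbytes"])
        rows.append(row)
    return rows

def flow_key(r):
    """Identify a flow by its 5-tuple (direction as Argus recorded it)."""
    return (r["proto"], r["saddr"], r["sport"], r["daddr"], r["dport"])

def summarize_flows(records):
    """Merge status records per flow: record count, byte totals, last state."""
    flows = defaultdict(lambda: {"records": 0, "sbytes": 0, "dbytes": 0, "state": None})
    for r in records:
        f = flows[flow_key(r)]
        f["records"] += 1
        f["sbytes"] += r["sbytes"]
        f["dbytes"] += r["dbytes"]
        f["state"] = r["state"]  # the final record carries the closing state
    return dict(flows)

def one_sided_flows(flows):
    """Flows with bytes in exactly one direction: check routing, NAT, mirroring."""
    return sorted(k for k, f in flows.items() if (f["sbytes"] == 0) != (f["dbytes"] == 0))

def multi_record_flows(flows):
    """Flows that outlived the status timer and so span more than one record."""
    return sorted(k for k, f in flows.items() if f["records"] > 1)
```

Run against a real ra() export, only the column names in parse_records would need adjusting to match the fields you selected.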
