'normal' filter primitive
Carter Bullard
carter at qosient.com
Tue Sep 3 08:30:20 EDT 2002
Hey Wozz,
Sorry for the late response, but holiday called. "normal"
is basically normal events (SYN, SYN_ACK, data),
closing (FIN or FIN_ACK) and no resets.
Argus tracks the entire TCP state machine, from a third party's
perspective, which generates an interesting set of TCP states
and reporting values. Argus is trying to build a single
state for the whole TCP. Of course the TCP state machine
is composed of two independent states for the two involved
parties, which can diverge due to reachability problems (packet
loss) and state problems. So, as an example, one side sends a SYN,
it goes into SYN_SENT state, but the receiver is in LISTEN state
until it receives the SYN, putting it into SYN_RECEIVED state, but
the overall TCP is just in INITIATING or SYN_SENT mode.
Because argus is tracking both sides of the connection, it
can discern what state the two entities must be in based on
the flow flags, so it saw a SYN and a SYN_ACK, so at least
one side of the TCP is in TCPS_ESTABLISHED state, argus tracks
it as SYN_SENT. I've tried to outline them below (normal
events/no errors/no resets/that sort of thing):
Normal TCP State     TCP Event      Argus TCP State
TCPS_LISTEN                         None
TCPS_SYN_SENT        SYN ->         ARGUS_SAW_SYN
TCPS_SYN_RECEIVED
TCPS_ESTABLISHED     <- SYN_ACK     ARGUS_SAW_SYN_SENT
                     <- Data ->     ARGUS_CON_ESTABLISHED
TCPS_CLOSING         FIN ->         ARGUS_FIN
TCPS_FIN_WAIT_1                     ARGUS_FIN_WAIT_1
TCPS_LAST_ACK        <- FIN_ACK     ARGUS_FIN_ACK
TCPS_FIN_WAIT_2                     ARGUS_FIN_WAIT_2
TCPS_TIME_WAIT
TCPS_CLOSED                         ARGUS_NORMAL_CLOSED
'normal' means normal close, where argus is generating
the status record because the state machine has it closing
(any of the states after seeing a FIN) and there wasn't
a reset event.
Hope this helps. Please send any comments/whatever if
something seems out of place.
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street
Suite 18K
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> wozz+argus at wookie.net
> Sent: Tuesday, August 27, 2002 3:53 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: 'normal' filter primitive
>
>
> Is there any documentation on the stateful filter primitives?
> Specifically, I'm trying to figure out what the 'normal'
> primitive is for.
>
>
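The mapping described in the reply above, as an added example that is not part of the original message and is not Argus code: it folds a flow's observed TCP events into one of the Argus state names from the table and applies the 'normal' test (closing state reached, no reset). The event strings, the transition rules and the names `track` and `is_normal` are assumptions made for illustration.

```python
# Added illustration: state names come from the table in the message;
# the transition rules are an assumed simplification, not Argus source code.
TRANSITIONS = {
    ("None", "SYN"): "ARGUS_SAW_SYN",
    ("ARGUS_SAW_SYN", "SYN_ACK"): "ARGUS_SAW_SYN_SENT",
    ("ARGUS_SAW_SYN_SENT", "DATA"): "ARGUS_CON_ESTABLISHED",
    ("ARGUS_SAW_SYN_SENT", "FIN"): "ARGUS_FIN",  # closed without data
    ("ARGUS_CON_ESTABLISHED", "DATA"): "ARGUS_CON_ESTABLISHED",
    ("ARGUS_CON_ESTABLISHED", "FIN"): "ARGUS_FIN",
    ("ARGUS_FIN", "FIN_ACK"): "ARGUS_FIN_ACK",
}
CLOSING = {"ARGUS_FIN", "ARGUS_FIN_ACK"}  # states reached after a FIN was seen


def track(events):
    """Fold a flow's observed TCP events into (state, saw_reset)."""
    state, saw_reset = "None", False
    for ev in events:
        if ev == "RST":
            saw_reset = True
            continue
        # Events that do not fit the current state (retransmits, packets
        # whose lead-up the sensor missed) leave the state unchanged.
        state = TRANSITIONS.get((state, ev), state)
    return state, saw_reset


def is_normal(events):
    """True when the flow is closing (FIN seen) and no reset occurred."""
    state, saw_reset = track(events)
    return state in CLOSING and not saw_reset


# Constructed sample flows (not captured traffic).
FLOWS = {
    "clean close": ["SYN", "SYN_ACK", "DATA", "DATA", "FIN", "FIN_ACK"],
    "reset mid-stream": ["SYN", "SYN_ACK", "DATA", "RST"],
    "reset after FIN": ["SYN", "SYN_ACK", "DATA", "FIN", "RST"],
    "still open": ["SYN", "SYN_ACK", "DATA"],
    "unanswered SYN": ["SYN", "SYN"],
}

if __name__ == "__main__":
    for name, events in FLOWS.items():
        state, rst = track(events)
        print(f"{name:18} {state:22} reset={rst!s:5} normal={is_normal(events)}")
```

Only the first flow passes the 'normal' test; the still-open flow fails because no FIN has been seen, and the two reset flows fail on the reset.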