'normal' filter primitive
wozz+argus at wookie.net
Tue Sep 3 13:09:12 EDT 2002
On Tue, Sep 03, 2002 at 08:30:20AM -0400, Carter Bullard wrote:
> Hey Wozz,
> Sorry for the late response, but holiday called. "normal"
> is basically normal events (SYN, SYN_ACK, data),
> closing (FIN or FIN_ACK) and no resets.
This is what I expected, however, it doesn't seem to be working for me.
Example:
$ ra -T 15 -S localhost -w /tmp/test
ra: Trying localhost port 561 Expecting Argus records
ra: connected
$
$ ra -r /tmp/test - normal | wc -l
0
$ ra -r /tmp/test - \(syn and synack and data and fin and finack\) and not reset | wc -l
1406
$ ra -r /tmp/test | wc -l
1644
$ ra -r /tmp/test - not normal | wc -l
1644
$
The argus running on localhost is running as:
argus -c -P 561 -B 127.0.0.1 -d
This is all on a Solaris 8 system. I've noticed no other strangeness (that
wasn't caused by me at least ;) with argus on this system.
Am I missing something, or is it not working as expected?
> Normal TCP State      TCP Event      Argus TCP State
> TCPS_LISTEN           None
> TCPS_SYN_SENT         SYN ->         ARGUS_SAW_SYN
> TCPS_SYN_RECEIVED
> TCPS_ESTABLISHED      <- SYN_ACK     ARGUS_SAW_SYN_SENT
>                       <- Data ->     ARGUS_CON_ESTABLISHED
>
> TCPS_CLOSING          FIN ->         ARGUS_FIN
> TCPS_FIN_WAIT_1                      ARGUS_FIN_WAIT_1
> TCPS_LAST_ACK         <- FIN_ACK     ARGUS_FIN_ACK
> TCPS_FIN_WAIT_2                      ARGUS_FIN_WAIT_2
> TCPS_TIME_WAIT
> TCPS_CLOSED                          ARGUS_NORMAL_CLOSED
>
> 'normal' means normal close, where argus is generating
> the status record because the state machine has it closing
> (any of the states after seeing a FIN) and there wasn't
> a reset event.
>
This is a helpful reference I'll keep around. Thanks!
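An added illustration, written for this archive page and not code from either poster or from argus itself: a toy model of the state progression in Carter's table and of the 'normal' rule he describes, used to show two consistency checks one can run against the counts in Wozz's transcript. The state labels come from the table; the transition rules, the Flow record, the RESET label, the sample flows and all helper names are assumptions made for the example.

```python
from dataclasses import dataclass

# State labels taken from the table in the reply. The transition rules below are
# a simplified reconstruction for illustration, not the argus implementation.
LISTEN = "TCPS_LISTEN"
SAW_SYN = "ARGUS_SAW_SYN"
SAW_SYN_SENT = "ARGUS_SAW_SYN_SENT"
CON_ESTABLISHED = "ARGUS_CON_ESTABLISHED"
FIN_SEEN = "ARGUS_FIN"
FIN_ACK_SEEN = "ARGUS_FIN_ACK"
RESET_SEEN = "RESET"  # hypothetical label; the table does not show the reset branch

CLOSING_STATES = (FIN_SEEN, FIN_ACK_SEEN)  # "any of the states after seeing a FIN"


@dataclass
class Flow:
    """One TCP flow plus the status flags the ra filter keywords refer to."""
    state: str = LISTEN
    syn: bool = False
    synack: bool = False
    data: bool = False
    fin: bool = False
    finack: bool = False
    reset: bool = False

    def observe(self, event: str) -> None:
        """Advance the flow on one event: SYN, SYN_ACK, DATA, FIN, FIN_ACK or RST."""
        if event == "RST":
            self.reset = True
            self.state = RESET_SEEN
        elif event == "SYN":
            self.syn = True
            if self.state == LISTEN:
                self.state = SAW_SYN
        elif event == "SYN_ACK":
            self.synack = True
            if self.state == SAW_SYN:
                self.state = SAW_SYN_SENT
        elif event == "DATA":
            self.data = True
            if self.state in (SAW_SYN, SAW_SYN_SENT):
                self.state = CON_ESTABLISHED
        elif event == "FIN":
            self.fin = True
            if self.state != RESET_SEEN:
                self.state = FIN_SEEN
        elif event == "FIN_ACK":
            self.finack = True
            if self.state == FIN_SEEN:
                self.state = FIN_ACK_SEEN
        else:
            raise ValueError(f"unknown event {event!r}")


def flow_from_events(events):
    """Build a Flow by replaying a list of events in order."""
    f = Flow()
    for e in events:
        f.observe(e)
    return f


def is_normal(f: Flow) -> bool:
    """'normal' as described in the reply: the state machine has the flow
    closing (a state after a FIN was seen) and no reset event occurred."""
    return f.state in CLOSING_STATES and not f.reset


def expanded_filter(f: Flow) -> bool:
    """The hand-written expansion used in the post:
    (syn and synack and data and fin and finack) and not reset."""
    return f.syn and f.synack and f.data and f.fin and f.finack and not f.reset


def filter_counts(flows):
    """Count records the way the piped 'wc -l' commands did."""
    return {
        "total": len(flows),
        "normal": sum(is_normal(f) for f in flows),
        "not_normal": sum(not is_normal(f) for f in flows),
        "expanded": sum(expanded_filter(f) for f in flows),
    }


def counts_consistent(c) -> bool:
    """Two checks the model guarantees: a filter and its negation partition the
    records, and every record matching the expanded filter also matches
    'normal', so the expanded count can never exceed the normal count."""
    return c["normal"] + c["not_normal"] == c["total"] and c["expanded"] <= c["normal"]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    flow_from_events(["SYN", "SYN_ACK", "DATA", "FIN", "FIN_ACK"]),  # clean close
    flow_from_events(["SYN", "SYN_ACK", "DATA", "FIN"]),             # closing, no FIN_ACK yet
    flow_from_events(["SYN", "SYN_ACK", "DATA", "RST"]),             # reset
    flow_from_events(["SYN", "SYN_ACK", "DATA"]),                    # still established
    flow_from_events(["SYN"]),                                       # unanswered SYN
]

# The counts reported in the post, run through the same checks.
POSTED_COUNTS = {"total": 1644, "normal": 0, "not_normal": 1644, "expanded": 1406}

if __name__ == "__main__":
    print(filter_counts(SAMPLE_FLOWS), counts_consistent(filter_counts(SAMPLE_FLOWS)))
    print(POSTED_COUNTS, counts_consistent(POSTED_COUNTS))
```

On the constructed flows the counts satisfy both checks. The numbers from the transcript pass the partition check (0 + 1644 = 1644) but fail the subset check (1406 matches for the expansion against 0 for 'normal'), which is the quickest way to tell that the keyword is not evaluating the rule the reply describes, rather than the capture simply containing no cleanly closed flows.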