Identifying server and client
Carter Bullard
carter at qosient.com
Tue Apr 15 08:41:21 EDT 2003
Hey Bill,
With TCP, argus takes a great deal of care as
to who is the client (initiator) and who is the
server (target).
It is all based on who initiated the TCP connection.
The src -> dst (client -> server) assignment is based
on control indicators in the TCP connection itself,
i.e. who sent the initial TCP request message ("SYN")
and who sent the initial response ("SYN ACK") message.
The source/destination assignment is made whether argus
monitors both or only one of the messages.
The source/destination assignments are reported
in the specific "src" and "dst" columns. The "dir"
indicator provides additional information regarding
the connection and is state dependent. If there is
a " - " in the direction field, then argus saw either
the SYN or the SYNACK message in the TCP and the
source/dest assignments are unambiguous. If there
is a " ? " in the dir field then neither of these
TCP control messages were seen, and the arrows indicate
the direction of traffic. When the direction is known,
the ra* programs can report additional states using
the "dir" indicator, as an example, if the connection
is reset, the "dir" field will indicate the direction
of the RST message.
So, if there is a " - " in the dir field, and
both parties are doing the right thing, then there
is no question that the source field contains the
address of the initiator of the TCP, and the destination
field contains the address of the TCP target. For
client/server architectures, the source is the client,
and the destination is the server.
Hope this helps,
Carter
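As an added illustration of the rule Carter describes (not argus code, and not argus's exact "dir" column notation), the following constructed Python model assigns src/dst from whichever of the SYN or SYN-ACK control packets a monitor happened to see, falls back to a provisional " ? " assignment when it saw neither, and marks the direction of a RST once the roles are known. The packet records, addresses and the `Packet`/`Flow` classes are all constructed for this example; the fourth sample flow shows why a mid-stream capture can label the server as src.

```python
"""Toy model of deciding which TCP endpoint initiated a connection from the
SYN / SYN-ACK control packets a monitor actually observed.
Constructed example: not argus code, and the 'dir' strings are our own."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits (RFC 793 layout of the flags byte)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    src: str      # "ip:port" of the sender
    dst: str      # "ip:port" of the receiver
    flags: int    # TCP flag bits


@dataclass
class Flow:
    src: Optional[str] = None       # initiator (client) once decided
    dst: Optional[str] = None       # target (server) once decided
    known: bool = False             # True once a SYN or SYN-ACK fixed the roles
    rst_from: Optional[str] = None  # sender of a RST, if one was seen
    packets: int = 0

    def observe(self, pkt: Packet) -> None:
        self.packets += 1
        syn, ack = bool(pkt.flags & SYN), bool(pkt.flags & ACK)
        if syn and not ack:
            # The SYN request: its sender is the initiator.
            self.src, self.dst, self.known = pkt.src, pkt.dst, True
        elif syn and ack and not self.known:
            # Only the SYN-ACK reply was seen: the responder is the target,
            # so the initiator is the SYN-ACK's destination.
            self.src, self.dst, self.known = pkt.dst, pkt.src, True
        elif self.src is None:
            # No control packet yet: provisionally call the first sender src.
            self.src, self.dst = pkt.src, pkt.dst
        if pkt.flags & RST:
            self.rst_from = pkt.src

    def dir_indicator(self) -> str:
        """Constructed notation (not ra's):
           ' - '   roles fixed by a SYN or SYN-ACK
           ' ? '   no SYN/SYN-ACK seen; src/dst only reflect the first packet
           'RST>'  roles fixed and src sent the reset
           '<RST'  roles fixed and dst sent the reset"""
        if not self.known:
            return " ? "
        if self.rst_from == self.src:
            return "RST>"
        if self.rst_from == self.dst:
            return "<RST"
        return " - "


def flow_key(pkt: Packet) -> Tuple[str, str]:
    """Order-independent key so both directions land in one Flow."""
    a, b = sorted((pkt.src, pkt.dst))
    return (a, b)


def classify(packets: List[Packet]) -> Dict[Tuple[str, str], Flow]:
    """Feed packets to their flows in capture order."""
    flows: Dict[Tuple[str, str], Flow] = {}
    for pkt in packets:
        flows.setdefault(flow_key(pkt), Flow()).observe(pkt)
    return flows


# Constructed sample traffic: four connections to one web server.
CLIENT, SERVER = "10.0.0.5:50123", "10.0.0.9:80"
C2, S2 = "10.0.0.6:50124", "10.0.0.9:80"
C3, S3 = "10.0.0.7:50125", "10.0.0.9:80"
C4, S4 = "10.0.0.8:50126", "10.0.0.9:80"
SAMPLE = [
    # 1: full handshake seen, then data
    Packet(CLIENT, SERVER, SYN), Packet(SERVER, CLIENT, SYN | ACK),
    Packet(CLIENT, SERVER, ACK), Packet(CLIENT, SERVER, ACK),
    # 2: asymmetric capture, only the SYN-ACK was seen
    Packet(S2, C2, SYN | ACK), Packet(S2, C2, ACK),
    # 3: capture started mid-connection; the server's packet came first
    Packet(S3, C3, ACK), Packet(C3, S3, ACK),
    # 4: handshake, then the server resets the connection
    Packet(C4, S4, SYN), Packet(S4, C4, SYN | ACK), Packet(S4, C4, RST | ACK),
]


def report(packets: List[Packet] = SAMPLE) -> List[Tuple[str, str, str]]:
    """Rows of (src, dir, dst) per flow, in first-seen order."""
    return [(f.src, f.dir_indicator(), f.dst) for f in classify(packets).values()]


if __name__ == "__main__":
    for src, d, dst in report():
        print(f"{src:>18} {d:>5} {dst:<18}")
```

Flow 3 is the case to watch when reading records: with neither SYN nor SYN-ACK in the capture, the src column is just whoever spoke first, so only rows whose indicator is " - " can safely be read as client -> server.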
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Bill McCarty
> Sent: Tuesday, April 15, 2003 4:17 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Identifying server and client
>
>
> Hi all,
>
> I've read the ra man page several times, particularly the section
> describing the dir column. But, I can't figure out whether -- and how --
> it's possible to distinguish the TCP client from the TCP server.
>
> Can anyone enlighten me? Thanks!
>
> ---------------------------------------------------
> Bill McCarty, Ph.D.
> Associate Professor of Web & Information Technology
> School of Business and Management
> Azusa Pacific University
>