Identifying server and client
Bill McCarty
bmccarty at apu.edu
Tue Apr 15 22:12:25 EDT 2003
Hi Carter,
Thanks for your prompt and helpful response. Argus works just as I'd hoped.
I merely couldn't assure myself of this by reading the man page.
Thanks!
Cheers,
--On Tuesday, April 15, 2003 8:41 AM -0400 Carter Bullard
<carter at qosient.com> wrote:
> Hey Bill,
> With TCP, argus takes a great deal of care as
> to who is the client (initiator) and who is the
> server (target).
>
> It is all based on who initiated the TCP connection.
> The src -> dst (client -> server) assignment is based
> on control indicators in the TCP connection itself,
> i.e. who sent the initial TCP request message ("SYN")
> and who sent the initial response ("SYN ACK") message.
> The source/destination assignment is made whether argus
> monitors both or only one of the messages.
>
> The source/destination assignments are reported
> in the specific "src" and "dst" columns. The "dir"
> indicator provides additional information regarding
> the connection and is state dependent. If there is
> a " - " in the direction field, then argus saw either
> the SYN or the SYNACK message in the TCP and the
> source/dest assignments are unambiguous. If there
> is a " ? " in the dir field then neither of these
> TCP control messages were seen, and the arrows indicate
> the direction of traffic. When the direction is known,
> the ra* programs can report additional states using
> the "dir" indicator; as an example, if the connection
> is reset, the "dir" field will indicate the direction
> of the RST message.
>
> So, if there is a " - " in the dir field, and
> both parties are doing the right thing, then there
> is no question that the source field contains the
> address of the initiator of the TCP, and the destination
> field contains the address of the TCP target. For
> client/server architectures, the source is the client,
> and the destination is the server.
>
> Hope this helps,
>
> Carter
>
>
>
>> -----Original Message-----
>> From: owner-argus-info at lists.andrew.cmu.edu
>> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
>> Bill McCarty
>> Sent: Tuesday, April 15, 2003 4:17 AM
>> To: argus-info at lists.andrew.cmu.edu
>> Subject: Identifying server and client
>>
>>
>> Hi all,
>>
>> I've read the ra man page several times, particularly the section
>> describing the dir column. But, I can't figure out whether --
>> and how --
>> it's possible to distinguish the TCP client from the TCP server.
>>
>> Can anyone enlighten me? Thanks!
>>
>> ---------------------------------------------------
>> Bill McCarty, Ph.D.
>> Associate Professor of Web & Information Technology
>> School of Business and Management
>> Azusa Pacific University
>>
>
>
>
---------------------------------------------------
Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management
Azusa Pacific University
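
The assignment rule described in the quoted reply, sketched as an added example (not part of the original thread and not Argus source code). It is a simplified model: the `assign_roles` and `flow_key` names, the packet tuple layout, and the sample packets are assumptions made for illustration.

```python
# Simplified model of SYN-based src/dst assignment (not Argus code).
SYN, ACK, PSH = 0x02, 0x10, 0x08

def flow_key(a, b):
    """Direction-independent key for a pair of (ip, port) endpoints."""
    return tuple(sorted((a, b)))

def assign_roles(packets):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, tcp_flags).

    Returns {flow_key: {"src": endpoint, "dst": endpoint, "dir": "-" or "?"}}.
    "-" means a SYN or SYN-ACK was seen, so src is the initiator (client).
    "?" means neither was seen; src/dst only reflect observed traffic.
    """
    flows = {}
    for sip, sport, dip, dport, flags in packets:
        sender, receiver = (sip, sport), (dip, dport)
        # Until a handshake packet is seen, fall back to the direction of
        # the first observed packet and mark the assignment ambiguous.
        flow = flows.setdefault(flow_key(sender, receiver),
                                {"src": sender, "dst": receiver, "dir": "?"})
        if flow["dir"] == "-":
            continue  # roles already fixed by a handshake packet
        if flags & SYN and not flags & ACK:
            # Initial request: the sender is the initiator.
            flow.update(src=sender, dst=receiver, dir="-")
        elif flags & SYN and flags & ACK:
            # Initial response: the sender is the target, so swap.
            flow.update(src=receiver, dst=sender, dir="-")
    return flows

# Constructed sample packets (documentation-style addresses, not a capture).
SAMPLE = [
    # Flow 1: both SYN and SYN-ACK observed.
    ("10.0.0.5", 40000, "192.0.2.10", 80, SYN),
    ("192.0.2.10", 80, "10.0.0.5", 40000, SYN | ACK),
    ("10.0.0.5", 40000, "192.0.2.10", 80, ACK),
    # Flow 2: only the server's half is monitored; SYN-ACK is the first packet.
    ("192.0.2.20", 443, "10.0.0.6", 40001, SYN | ACK),
    ("192.0.2.20", 443, "10.0.0.6", 40001, ACK | PSH),
    # Flow 3: monitoring started mid-connection; no handshake packet seen.
    ("192.0.2.30", 22, "10.0.0.7", 40002, ACK | PSH),
]

if __name__ == "__main__":
    for flow in assign_roles(SAMPLE).values():
        print(flow["src"], flow["dir"], flow["dst"])
```
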