Identifying server and client
Carter Bullard
carter at qosient.com
Tue Apr 15 23:04:48 EDT 2003
Hey Bill,
If you've got any suggestions for the man page, don't
hesitate to send them to the list. You don't have to
provide text, comments/criticism/flames/whatever are
fine. It could make them better ;o)
Carter
> -----Original Message-----
> From: Bill McCarty [mailto:bmccarty at apu.edu]
> Sent: Tuesday, April 15, 2003 10:12 PM
> To: Carter Bullard; argus-info at lists.andrew.cmu.edu
> Subject: RE: Identifying server and client
>
>
> Hi Carter,
>
> Thanks for your prompt and helpful response. Argus works just
> as I'd hoped.
> I merely couldn't assure myself of this by reading the man page.
>
> Thanks!
>
> Cheers,
>
> --On Tuesday, April 15, 2003 8:41 AM -0400 Carter Bullard
> <carter at qosient.com> wrote:
>
> > Hey Bill,
> > With TCP, argus takes a great deal of care as
> > to who is the client (initiator) and who is the
> > server (target).
> >
> > It is all based on who initiated the TCP connection.
> > The src -> dst (client -> server) assignment is based
> > on control indicators in the TCP connection itself,
> > i.e., who sent the initial TCP request message ("SYN")
> > and who sent the initial response ("SYN ACK") message.
> > The source/destination assignment is made whether argus
> > monitors both or only one of the messages.
> >
> > The source/destination assignments are reported
> > in the specific "src" and "dst" columns. The "dir"
> > indicator provides additional information regarding
> > the connection and is state dependent. If there is
> > a " - " in the direction field, then argus saw either
> > the SYN or the SYNACK message in the TCP and the
> > source/dest assignments are unambiguous. If there
> > is a " ? " in the dir field then neither of these
> > TCP control messages were seen, and the arrows indicate
> > the direction of traffic. When the direction is known,
> > the ra* programs can report additional states using
> > the "dir" indicator, as an example, if the connection
> > is reset, the "dir" field will indicate the direction
> > of the RST message.
> >
> > So, if there is a " - " in the dir field, and
> > both parties are doing the right thing, then there
> > is no question that the source field contains the
> > address of the initiator of the TCP, and the destination
> > field contains the address of the TCP target. For
> > client/server architectures, the source is the client,
> > and the destination is the server.
> >
> > Hope this helps,
> >
> > Carter
> >
> >
> >
> >> -----Original Message-----
> >> From: owner-argus-info at lists.andrew.cmu.edu
> >> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> >> Bill McCarty
> >> Sent: Tuesday, April 15, 2003 4:17 AM
> >> To: argus-info at lists.andrew.cmu.edu
> >> Subject: Identifying server and client
> >>
> >>
> >> Hi all,
> >>
> >> I've read the ra man page several times, particularly the section
> >> describing the dir column. But, I can't figure out whether --
> >> and how --
> >> it's possible to distinguish the TCP client from the TCP server.
> >>
> >> Can anyone enlighten me? Thanks!
> >>
> >> ---------------------------------------------------
> >> Bill McCarty, Ph.D.
> >> Associate Professor of Web & Information Technology
> >> School of Business and Management
> >> Azusa Pacific University
> >>
> >
> >
> >
>
>
>
> ---------------------------------------------------
> Bill McCarty, Ph.D.
> Associate Professor of Web & Information Technology
> School of Business and Management
> Azusa Pacific University
>
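An added example, not part of the original thread and not Argus code: a small Python filter that applies the rule described above, trusting dst as the server only when the dir field contains "-" and setting aside flows whose dir field contains "?". The three-column "src dir dst" layout, the dir tokens, the addresses and the function names are constructed for illustration; real ra output depends on the ra version and options.

```python
from collections import Counter

# Constructed sample flows in a simplified "src dir dst" layout. This is not
# verbatim ra output; real column layout depends on the ra version and options.
SAMPLE_FLOWS = """\
198.51.100.7:40112   ->   192.0.2.10:80
198.51.100.7:40113   <->  192.0.2.10:80
198.51.100.9:51544   <?>  192.0.2.10:22
192.0.2.10:25        ?>   198.51.100.23:39001
198.51.100.4:40200   ->   192.0.2.20:443
"""


def handshake_seen(dir_field):
    """True if the dir field has '-' (SYN or SYN ACK seen), False if it has
    '?' (neither seen), None if it has neither marker."""
    if "?" in dir_field:
        return False
    if "-" in dir_field:
        return True
    return None


def split_roles(text):
    """Return (servers, ambiguous): a Counter of dst endpoints taken only from
    flows whose src/dst assignment is unambiguous, and the remaining records."""
    servers, ambiguous = Counter(), []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        src, dir_field, dst = fields
        if handshake_seen(dir_field):
            servers[dst] += 1  # src initiated the TCP connection, dst is the target
        else:
            # Arrows here only show traffic direction, so roles stay unknown.
            ambiguous.append((src, dir_field, dst))
    return servers, ambiguous


if __name__ == "__main__":
    servers, ambiguous = split_roles(SAMPLE_FLOWS)
    for endpoint, count in servers.most_common():
        print(f"server {endpoint}  confirmed flows: {count}")
    for src, dir_field, dst in ambiguous:
        print(f"roles unknown: {src} {dir_field} {dst}")
```

Flows in the ambiguous list are worth reviewing separately, since a mid-stream capture can show a server's well-known port in the src column.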