ra output: 0 packet counts and portless UDP transactions

Carter Bullard carter at qosient.com
Tue Dec 16 11:43:37 EST 2003


Hey Chris,
   The metric printout is  srcpkts, dstpkts, srcbytes, dstbytes.
In your first example you have two dstpkts going from the http server
back to your client, that contain 140 dstbytes.  While the direction
indicates that the first address is the requestor, for this status
record you have the server sending back data, probably 2 FIN packets.

   This could be a probe of your address where the prober
is sending illegal TCP packets, like a FIN packet when the
connection doesn't exist, or this could be late closing packets
where you have prior activity and the server is sending these
last packets after argus generated a record for activity on the
flow.

   In your UDP example, you don't have any port numbers because,
the packet is using the values 0xFFFF.  These are illegal port
values and so more than likely someone is tickling your machine
with invalid UDP packets.  The later argus clients should print
out the values, rather than keeping them blank.

Carter



-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Chris Cutler
Sent: Tuesday, December 16, 2003 11:03 AM
To: Argus Development
Subject: ra output: 0 packet counts and portless UDP transactions


Hello,

My apologies if the following questions are hopelessly newbie-ish, in the
wrong forum or frequently asked here (the archive at
http://www.qosient.com/argus/theorygroup.htm is down):

* I'm using ra -c -n to look at some argus data and I've run into several
  lines where the source and destination packet counts are 0.  How shall
  I interpret this (it makes no sense to me).  For example:

  19 Nov 03 12:03:33    tcp  X.X.X.X.27308  ->     X.X.X.X.80    0        2            0            140         FIN

* Also, I've come across some very strange udp transactions in which the
  source and destination host addresses lack ports.  This is deeply
  puzzling.  For example:

  24 Nov 03 15:25:18    udp  X.X.X.X        ->     X.X.X.X       1        0            54           0           TIM

I'm using argus version 2.0.5.  Thanks in advance for your help.

Chris
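
A small parser over the two kinds of records quoted above, written as an added example for this thread (not argus or ra code), that applies Carter's reading of the metric columns: srcpkts, dstpkts, srcbytes, dstbytes. The addresses are documentation-range placeholders standing in for Chris's X.X.X.X, and the third record is a constructed ordinary connection for contrast.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ra -c -n records: the first two carry the counts from the thread,
# with placeholder addresses; the third is a normal TCP record for comparison.
SAMPLE_RECORDS = """\
19 Nov 03 12:03:33    tcp  192.0.2.10.27308  ->     198.51.100.5.80    0        2            0            140         FIN
24 Nov 03 15:25:18    udp  192.0.2.10        ->     198.51.100.5       1        0            54           0           TIM
19 Nov 03 12:04:01    tcp  192.0.2.10.27310  ->     198.51.100.5.80    5        4            612          1820        FIN
"""

@dataclass
class RaRecord:
    stamp: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    srcpkts: int
    dstpkts: int
    srcbytes: int
    dstbytes: int
    status: str

def split_endpoint(field: str) -> Tuple[str, Optional[int]]:
    """'a.b.c.d.port' -> (address, port); a bare IPv4 means ra printed no port."""
    addr, _, port = field.rpartition(".")
    if port.isdigit() and addr.count(".") == 3:
        return addr, int(port)
    return field, None

def parse_record(line: str) -> RaRecord:
    # Columns: day mon yr time proto src -> dst srcpkts dstpkts srcbytes dstbytes status
    f = line.split()
    src, sport = split_endpoint(f[5])
    dst, dport = split_endpoint(f[7])
    srcpkts, dstpkts, srcbytes, dstbytes = (int(x) for x in f[8:12])
    return RaRecord(" ".join(f[0:4]), f[4], src, sport, dst, dport,
                    srcpkts, dstpkts, srcbytes, dstbytes, f[12])

def classify(r: RaRecord) -> List[str]:
    """Flag the two oddities from the thread so they can be reviewed rather than ignored."""
    notes = []
    if r.srcpkts == 0 and r.dstpkts > 0:
        # Only the responder sent packets: a stray FIN to a non-existent connection,
        # or a late close after argus had already emitted the flow's record.
        notes.append("responder-only")
    if r.proto == "udp" and (r.sport is None or r.dport is None):
        # ra 2.0.5 left the 0xFFFF port values blank; they are not valid ports.
        notes.append("portless-udp")
    return notes

def scan(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (proto, status, notes) for every record that earned at least one note."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            r = parse_record(line)
            notes = classify(r)
            if notes:
                hits.append((r.proto, r.status, notes))
    return hits
```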
