ragator questions
Russell Fulton
r.fulton at auckland.ac.nz
Tue Jun 10 22:35:21 EDT 2003
I too am exploring ragator to do some reporting. I want to aggregate
traffic by port for both tcp and udp:
#label id SrcCIDRAddr DstCIDRAddr Proto SrcPort DstPort ModelList Duration
Flow 100 * * tcp * * 210 100000
Flow 101 * * udp * * 210 100000
# TCP and UDP Flow Model Definitions
# label id SrcAddrMask DstAddrMask Proto SrcPort DstPort
Model 210 0.0.0.0 0.0.0.0 yes no yes
This works up to a point but I get multiple lines for some ports:
09 Jun 03 23:59:03 tcp 0.0.0.0.* -> 0.0.0.0.139 5369014 5804876 1862159581 4294730450 RST
10 Jun 03 00:00:26 tcp 0.0.0.0.* -> 0.0.0.0.80 3096583 4066172 1206524197 4294502846 RST
10 Jun 03 12:30:56 tcp 0.0.0.0.* -> 0.0.0.0.139 4567659 5105243 1717844692 4292788911 RST
10 Jun 03 14:51:26 tcp 0.0.0.0.* -> 0.0.0.0.139 3991806 4801433 750558675 4275893922 RST
10 Jun 03 16:21:49 tcp 0.0.0.0.* -> 0.0.0.0.139 3022618 3923831 734860325 4268835146 RST
10 Jun 03 17:08:37 tcp 0.0.0.0.* -> 0.0.0.0.139 2690251 3752698 492063501 4270547227 RST
10 Jun 03 13:12:06 tcp 0.0.0.0.* -> 0.0.0.0.80 3676245 4635555 1414504177 4294358018 RST
One possibly relevant point: there were multiple input files covering one
day's traffic.
I am also seeing records like this:
10 Jun 03 14:24:24 tcp 0.0.0.0.65535 -> 0.0.0.0.43091 26 44 1412 60227 RST
10 Jun 03 19:20:50 tcp 0.0.0.0.65535 ?> 0.0.0.0.2865 1 1 54 54 FIN
with 65535 in the source port. I assume -1 has some special meaning but
I could not find any reference to it anywhere.
--
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
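An added example (not code from the post, from the argus project or from ragator): a small Python script that re-aggregates the ragator text output quoted above by the same key that Model 210 keeps (proto and destination port, with source port ignored and addresses masked to 0.0.0.0), so the several lines per port collapse into one and the script reports how many records were merged for each key. The column layout (start time, proto, src.port, direction, dst.port, src pkts, dst pkts, src bytes, dst bytes, state) is assumed from the quoted lines, not taken from argus documentation; the field names in the code are mine. One caveat worth noticing: every dst-byte value in the quoted lines sits just below 4294967296 (2^32), so the merged totals exceed what a 32-bit counter can hold. Python integers do not wrap, but a C aggregator doing the same merge would need 64-bit accumulators.

```python
"""Re-aggregate ragator text output by (proto, dst port).

Added example, not code from the post or from the argus/ragator tools.
The column layout is assumed from the lines quoted in the post:
  'DD Mon YY HH:MM:SS proto src.port dir dst.port spkts dpkts sbytes dbytes state'
"""
from collections import OrderedDict
from datetime import datetime

# Constructed input: the ragator lines quoted in the post, re-typed as test data.
SAMPLE = """\
09 Jun 03 23:59:03 tcp 0.0.0.0.* -> 0.0.0.0.139 5369014 5804876 1862159581 4294730450 RST
10 Jun 03 00:00:26 tcp 0.0.0.0.* -> 0.0.0.0.80 3096583 4066172 1206524197 4294502846 RST
10 Jun 03 12:30:56 tcp 0.0.0.0.* -> 0.0.0.0.139 4567659 5105243 1717844692 4292788911 RST
10 Jun 03 14:51:26 tcp 0.0.0.0.* -> 0.0.0.0.139 3991806 4801433 750558675 4275893922 RST
10 Jun 03 13:12:06 tcp 0.0.0.0.* -> 0.0.0.0.80 3676245 4635555 1414504177 4294358018 RST
10 Jun 03 14:24:24 tcp 0.0.0.0.65535 -> 0.0.0.0.43091 26 44 1412 60227 RST
10 Jun 03 19:20:50 tcp 0.0.0.0.65535 ?> 0.0.0.0.2865 1 1 54 54 FIN
"""

COUNTERS = ("spkts", "dpkts", "sbytes", "dbytes")


def parse_record(line):
    """Split one ragator/ra text line into a dict (13 whitespace fields assumed)."""
    f = line.split()
    if len(f) != 13:
        raise ValueError("unexpected field count %d: %r" % (len(f), line))
    stime = datetime.strptime(" ".join(f[:4]), "%d %b %y %H:%M:%S")
    saddr, _, sport = f[5].rpartition(".")   # '0.0.0.0.*' -> ('0.0.0.0', '*')
    daddr, _, dport = f[7].rpartition(".")
    return {
        "stime": stime, "proto": f[4],
        "saddr": saddr, "sport": sport, "dir": f[6], "daddr": daddr, "dport": dport,
        "spkts": int(f[8]), "dpkts": int(f[9]),
        "sbytes": int(f[10]), "dbytes": int(f[11]),
        "state": f[12],
    }


def flow_key(rec, proto=True, sport=False, dport=True):
    """Key fields mirroring the yes/no switches of the post's Model 210 line.

    Addresses are masked with 0.0.0.0 in that model, so they never take part here.
    """
    return (rec["proto"] if proto else "*",
            rec["sport"] if sport else "*",
            rec["dport"] if dport else "*")


def aggregate(text, **switches):
    """Merge every record sharing a flow key; returns key -> totals (insertion order)."""
    merged = OrderedDict()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_record(line)
        key = flow_key(rec, **switches)
        agg = merged.get(key)
        if agg is None:
            agg = merged[key] = {"first": rec["stime"], "last": rec["stime"],
                                 "states": set(), "fragments": 0}
            agg.update((c, 0) for c in COUNTERS)
        agg["first"] = min(agg["first"], rec["stime"])   # earliest record start seen
        agg["last"] = max(agg["last"], rec["stime"])     # latest record start seen
        for c in COUNTERS:
            agg[c] += rec[c]          # Python ints: the byte sums do not wrap at 2**32
        agg["states"].add(rec["state"])
        agg["fragments"] += 1         # how many ragator lines collapsed into this one
    return merged


def format_report(merged):
    """One line per key, in a layout close to the ragator output it was built from."""
    lines = []
    for (proto, sport, dport), a in merged.items():
        lines.append("%s %s 0.0.0.0.%s -> 0.0.0.0.%s %d %d %d %d %s (from %d records)" % (
            a["first"].strftime("%d %b %y %H:%M:%S"), proto, sport, dport,
            a["spkts"], a["dpkts"], a["sbytes"], a["dbytes"],
            ",".join(sorted(a["states"])), a["fragments"]))
    return lines


if __name__ == "__main__":
    for line in format_report(aggregate(SAMPLE)):
        print(line)
```

Passing `sport=True` to `aggregate` keeps the source port in the key, which is the equivalent of flipping the SrcPort column of the Model line to `yes`; with the post's own switches the 65535-source-port records simply join whatever destination port they were sent to.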