[ARGUS] RE:

Carter Bullard carter at qosient.com
Thu May 13 16:03:49 EDT 2004


Hey Glen,
No, even argus will generate only one record for the
complete bi-directional conversation, assuming that
it's a pretty normal http request.

    192.168.0.100.35067 -> www.google.com.80

if you're getting (192.168.55, 80), are you sure
that this host isn't acting as a web server for someone?

if you think that ramon is giving you erroneous data,
try to find out if the original argus data doesn't
explain the output.

use ra to find a record that has this address,port pair
as a part of the data:

   ra -r file - \(src host 192.168.0.100 and src port 80\) or \
                \(dst host 192.168.0.100 and dst port 80\)

that should find something if ramon is reporting the address
and that port as a pair.

Carter



-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Glenn MacGregor
Sent: Thursday, May 13, 2004 6:49 PM
To: argus-info at lists.andrew.cmu.edu
Subject:

Hi All,

I am using ramon -M hostsvc to figure out what services are running on my
network. I thought this would be what I wanted but it seems the info I get is
actually the client IP and destination port. So I see 192.168.0.55 80; this
tells me that 192.168.0.55 is going to port 80 somewhere. Is there a ramon (or
some other ra*) command that will tell me the destination address and
destination port? I want this so I can see all the services in my network, and
what servers provide those services.

Also ragator: I have read the man page but am still unclear on the purpose. How
does it merge records? If I hit a website:

SrcIP            DstIP            SPort   DPort
192.168.0.100    www.google.com   35067   80

and it responds:

SrcIP            DstIP           SPort   DPort
www.google.com   192.168.0.100   80(?)   35067

With ra I will see 2 records, correct? Will ragator merge these two records
into one?

   Thanks

     Glenn

Glenn MacGregor
HighStreet Networks
