directions and TransRefNum
nagendra modadugu
nagendra at cs.stanford.edu
Thu Jun 9 13:10:41 EDT 2005
(Sorry about multiple postings to the newsgroup--my mail
settings were a bit messed up).
I'm looking at the following argus traffic from this morning,
and can't make sense of flags and direction, hope someone
can help:
$ rasort -anzr -r ar-2005-06-09.09 -M saddr - src port 49353 and dst port 22
09 Jun 05 08:03:48 d tcp X.X.X.X.49353 -> Y.Y.Y.Y.ssh 146 108 15170 18233 sSE
09 Jun 05 08:06:02 tcp X.X.X.X.49353 -> Y.Y.Y.Y.ssh 24 14 2104 2876 sSE
09 Jun 05 08:19:19 tcp X.X.X.X.49353 ?> Y.Y.Y.Y.ssh 5 4 410 1872 E
09 Jun 05 08:40:04 tcp X.X.X.X.49353 ?> Y.Y.Y.Y.ssh 5 3 410 1094 E
09 Jun 05 08:41:09 tcp X.X.X.X.49353 ?> Y.Y.Y.Y.ssh 39 25 3294 5290 E
(1) Why do the first two records both have 'sSE' flags set even
though they pertain to the same connection? (8:03 is when this
connection was started--there are no previous records for this
connection.)
(2) For what reasons would the direction be ambiguous in remaining
records?
(3) My understanding is that multiple records from one flow are
linked together by 'TransRefNum' values. How long does argus
keep this state around? Perhaps a new TransRefNum was assigned
to the record in line 3, which would explain its ambiguous
direction?
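The five records above are the whole of the evidence in this post, so the following added script (an illustration written for this page, not argus code and not the poster's own) parses rasort-style output of that shape, groups records by endpoint pair, and reports exactly the two things the questions are about: records whose direction token starts with '?', and records that carry the lowercase 's' state flag after an earlier record of the same flow already carried it. It assumes that 's' in the trailing state column marks a SYN seen from the source and that '?>' means argus could not settle the direction; both are assumptions here, since the post does not define the flags. Grouping by (src, dst) stands in for the TransRefNum, which is not printed in this output.

```python
"""Parse rasort/ra-style argus records and flag the anomalies the post asks about.

Added illustration, not argus code. Assumptions (not stated in the post):
  - the trailing 'state' column is a per-record flag string in which a
    lowercase 's' marks a SYN seen from the source;
  - a direction token beginning with '?' means argus could not determine
    the flow direction;
  - the optional single token before the protocol (the 'd' in record 1)
    is a per-record flag field and is kept verbatim.
"""
from collections import defaultdict
from dataclasses import dataclass

# The five records quoted in the post (X/Y addresses exactly as shown there).
SAMPLE = """\
09 Jun 05 08:03:48 d tcp X.X.X.X.49353 -> Y.Y.Y.Y.ssh 146 108 15170 18233 sSE
09 Jun 05 08:06:02 tcp X.X.X.X.49353 -> Y.Y.Y.Y.ssh 24 14 2104 2876 sSE
09 Jun 05 08:19:19 tcp X.X.X.X.49353 ?> Y.Y.Y.Y.ssh 5 4 410 1872 E
09 Jun 05 08:40:04 tcp X.X.X.X.49353 ?> Y.Y.Y.Y.ssh 5 3 410 1094 E
09 Jun 05 08:41:09 tcp X.X.X.X.49353 ?> Y.Y.Y.Y.ssh 39 25 3294 5290 E
"""


@dataclass
class Record:
    time: str
    flags: str       # optional per-record flag token before the proto ('' if absent)
    proto: str
    src: str
    direction: str   # e.g. '->' (known) or '?>' (assumed: undetermined)
    dst: str
    spkts: int
    dpkts: int
    sbytes: int
    dbytes: int
    state: str       # trailing state flags, e.g. 'sSE' or 'E'


def parse_record(line: str) -> Record:
    """Parse one record by anchoring on the fixed trailing columns.

    Layout assumed: <date x3> <time> [flags] <proto> <src> <dir> <dst>
                    <spkts> <dpkts> <sbytes> <dbytes> <state>
    """
    t = line.split()
    if len(t) < 13:
        raise ValueError(f"too few columns: {line!r}")
    state = t[-1]
    spkts, dpkts, sbytes, dbytes = (int(x) for x in t[-5:-1])
    src, direction, dst = t[-8], t[-7], t[-6]
    if not ("<" in direction or ">" in direction):
        raise ValueError(f"bad direction token {direction!r} in {line!r}")
    proto = t[-9]
    head = t[:-9]                      # date (3 tokens), time, optional flags
    return Record(time=head[3], flags="".join(head[4:]), proto=proto,
                  src=src, direction=direction, dst=dst,
                  spkts=spkts, dpkts=dpkts, sbytes=sbytes, dbytes=dbytes,
                  state=state)


def analyze(text: str) -> dict:
    """Group records by endpoint pair and report ambiguous-direction and
    repeated-SYN records, plus byte totals across all records."""
    recs = [parse_record(l) for l in text.splitlines() if l.strip()]
    flows = defaultdict(list)
    for r in recs:
        flows[(r.src, r.dst)].append(r)

    ambiguous = [r.time for r in recs if r.direction.startswith("?")]
    repeated_syn = []
    for rs in flows.values():
        seen_syn = False
        for r in rs:                   # records are in time order, as sorted by rasort
            if "s" in r.state:         # assumption: lowercase 's' = SYN from source
                if seen_syn:
                    repeated_syn.append(r.time)
                seen_syn = True
    return {
        "records": len(recs),
        "flows": len(flows),
        "ambiguous": ambiguous,
        "repeated_syn": repeated_syn,
        "sbytes": sum(r.sbytes for r in recs),
        "dbytes": sum(r.dbytes for r in recs),
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE).items():
        print(f"{k}: {v}")
```

Run against the quoted records it reports one flow, the 08:06:02 record as a second 's'-flagged record for that flow (question 1), and the three later records as direction-ambiguous (question 2); the byte totals show the five records are pieces of one continuing session rather than five separate ones.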