Peter Van Epp
vanepp at sfu.ca
Mon Jan 2 19:21:16 EST 2006
On Mon, Jan 02, 2006 at 05:27:48PM -0600, Tim Lavoie wrote:
> Hi all,
> I've just started looking at Argus in earnest, so I'm new, but
> generally familiar with other networking tools.
> Most of the traffic that I've looked at so far seems pretty normal, at
> least in that I understand what it is, and the reporting of it from
> tools like "ra". Some of it appears to highlight some gaps in what I know.
> The ones which are strangest are those like the following. I'm fine
> with tcp, udp, arp etc., but haven't found what the "man" protocol
> means. Naturally, googling gives me countless links to man pages. In
> any case, the format of these is slightly different from the rest, and
> all apparently from a single IP (6000+ records, from December 12 to
> 12-12-05 15:26:52.669222 man 184.108.40.206 v2.0 1 0 0 0 0 0 STA
> 12-12-05 15:26:52.670329 man 220.127.116.11 v2.0 16 7 233 0 49530 4 CON
> 12-12-05 15:31:52.183189 man 18.104.22.168 v2.0 36 6 65 0 4419 5 CON
> 12-12-05 15:36:52.035605 man 22.214.171.124 v2.0 53 5 60 0 3772 1 CON
> Any ideas?
Yep, management records about the argus process. Luckily, the last time I had
to figure it out I dumped the fields from the source (I was fixing some
formatting problems at the time), because as far as I know they aren't
documented except in the source:
The first line is fairly obvious (it looks like you too don't have an IP
assigned to the interface, so the sensor IP is whatever happens to be there).
The next line of numbers starts with the # of flows, then packets received,
packets dropped (by pcap; there are other sources of drop as well), bytes
received, number of flows closed, and status (which I think is always con).
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
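A small parser and health check for those man records, as an added example (it is not argus code and not from either poster): it reads the four lines quoted above plus one constructed line with non-zero drops, names the columns according to Peter's description, and flags any record whose pcap drop ratio exceeds a threshold, since dropped packets are traffic the sensor never saw and so never turned into flow records. The leading numeric column (1, 16, 36, 53 in the sample) is not named in the thread, so it is kept unlabelled; that column mapping, the record and function names, and the extra sample line are my assumptions.

```python
"""Parse argus 'man' (management) records from ra output and audit sensor health.

Added example, not part of argus or the thread. Column names follow Peter's
description above; the first numeric column is not named there and is kept
as 'col0' (assumption). The mapping of the remaining columns is also an
assumption, chosen so that bytes_rcvd is the large column (49530 etc.).
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the four man records quoted in the question, plus
# one made-up line (the last one) that reports pcap drops so the check fires.
SAMPLE = """\
12-12-05 15:26:52.669222 man 184.108.40.206 v2.0 1 0 0 0 0 0 STA
12-12-05 15:26:52.670329 man 220.127.116.11 v2.0 16 7 233 0 49530 4 CON
12-12-05 15:31:52.183189 man 18.104.22.168 v2.0 36 6 65 0 4419 5 CON
12-12-05 15:36:52.035605 man 22.214.171.124 v2.0 53 5 60 0 3772 1 CON
12-12-05 15:41:52.000000 man 22.214.171.124 v2.0 70 9 120 30 8100 3 CON
"""


@dataclass
class ManRecord:
    date: str
    time: str
    sensor: str        # sensor IP (whatever the interface happened to have)
    version: str       # argus record version, e.g. v2.0
    col0: int          # not named in the thread; kept verbatim
    flows: int         # number of flows
    pkts_rcvd: int     # packets received from pcap
    pkts_dropped: int  # packets pcap reported as dropped
    bytes_rcvd: int    # bytes received
    flows_closed: int  # number of flows closed in this interval
    status: str        # STA on the first record in the sample, CON afterwards

    @property
    def drop_ratio(self) -> float:
        """Fraction of packets pcap saw that it could not hand to argus."""
        seen = self.pkts_rcvd + self.pkts_dropped
        return self.pkts_dropped / seen if seen else 0.0


def parse_man_line(line: str) -> Optional[ManRecord]:
    """Return a ManRecord for one ra 'man' line, or None for anything else."""
    f = line.split()
    if len(f) != 12 or f[2] != "man":
        return None
    return ManRecord(f[0], f[1], f[3], f[4], int(f[5]), int(f[6]), int(f[7]),
                     int(f[8]), int(f[9]), int(f[10]), f[11])


def parse_man_records(text: str) -> List[ManRecord]:
    """Parse every man line in a block of ra output, skipping other records."""
    return [r for r in map(parse_man_line, text.splitlines()) if r is not None]


def totals(records: List[ManRecord]) -> dict:
    """Sum the counters across records, e.g. for a per-day sensor summary."""
    return {
        "pkts_rcvd": sum(r.pkts_rcvd for r in records),
        "pkts_dropped": sum(r.pkts_dropped for r in records),
        "bytes_rcvd": sum(r.bytes_rcvd for r in records),
        "flows_closed": sum(r.flows_closed for r in records),
    }


def audit(records: List[ManRecord], max_drop_ratio: float = 0.01) -> List[str]:
    """Return human-readable findings: non-CON status and excessive pcap drops."""
    findings = []
    for r in records:
        when = f"{r.date} {r.time}"
        if r.status != "CON":
            findings.append(f"{when}: status {r.status} rather than CON")
        if r.pkts_dropped > 0 and r.drop_ratio > max_drop_ratio:
            seen = r.pkts_rcvd + r.pkts_dropped
            findings.append(f"{when}: pcap dropped {r.pkts_dropped} of {seen} "
                            f"packets ({r.drop_ratio:.1%})")
    return findings


if __name__ == "__main__":
    recs = parse_man_records(SAMPLE)
    print(totals(recs))
    for finding in audit(recs):
        print(finding)
```

Feed it `ra -r argus.out` output that still contains the man records and you get a quick sensor-health summary instead of scrolling past 6000 of them. As Peter notes, pcap is not the only place packets get dropped, so a zero in that column is necessary but not sufficient evidence that the sensor saw everything on the wire.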