TCP flags

[Russell Fulton]

You can blame me for the tcp flags, I added them to 1.8.X...

I used the z flag because it was just about the only letter left.

I have now forgotten exactly what -z does.  Hmmm... it comes back
slowly  Argus 1.x recorded TCP states that the connection went through
and this is what -z displays.  With version 2.0 Carter added the ability
to record all the flags that have been seen in each direction and this
is what you get with uppercase Z.

Now I've not been paying too much attention to the

Russell.

CS Lee wrote:
> Carter,
>
> I'm comparing the result of -z and -Z b when reading argus flow.
>
> ra -Z b -r test.argus -nn - synack
> 17:48:45.553602               6       1.2.3.4.1553      ->     
> 2.3.4.5.80            1        1
>           60           60  FA_A

This flow consists of *one* packet in each direction one with a FIN and
one in the other direction with a FIN+ACK.
>
> ra -z -r test.argus -nn - synack
> 17:48:45.553602               6       1.2.3.4.1553      ->     
> 2.3.4.5.80            1        1
>           60           60  sSEf

Hmmm.... I don't see how this can be right ( or, more likely, I may have
forgotten the exact semantics of the tcpstate stuff in argus).  As the
flow data show there is only the one packet in each direction (i.e. what
we have here is the fail end of a flow not the complete article) so I
don't see how it should be recording the syn and syn+ack.

It was because of issues like this that I asked Carter to implement a
new attribute that just recorded the actual flags seen. 
>
> Is it shown correctly as there should be SA from dst IP, I'm confused
> with these two results or the -Z b seems to show flags when it last
> seen in the flow.