TCP flags

CS Lee geek00l at gmail.com
Mon Nov 27 11:23:20 EST 2006


Russell,

Thanks, I'm looking at the output and thinking the right one should be -Z, as
there are only 2 packets in the flow. But what about the primitives specifically
supported for TCP flows? I'm trying to use them to filter all the flows
that I need, and using synack returns FIN+ACK and FIN flows, which doesn't seem
right.

I think TCP flag state is very important when it comes to debugging certain
traffic, thus it should be done correctly, especially in the upcoming 3.x.

Thanks.

On 11/27/06, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>
> You can blame me for the tcp flags, I added them to 1.8.X...
>
> I used the z flag because it was just about the only letter left.
>
> I have now forgotten exactly what -z does.  Hmmm... it comes back
> slowly.  Argus 1.x recorded the TCP states that the connection went through,
> and this is what -z displays.  With version 2.0 Carter added the ability
> to record all the flags that have been seen in each direction, and this
> is what you get with uppercase Z.
>
> Now I've not been paying too much attention to the
>
> Russell.
>
> CS Lee wrote:
> > Carter,
> >
> > I'm comparing the result of -z and -Z b when reading argus flow.
> >
> > ra -Z b -r test.argus -nn - synack
> > 17:48:45.553602  6  1.2.3.4.1553  ->  2.3.4.5.80  1  1  60  60  FA_A
>
> This flow consists of *one* packet in each direction one with a FIN and
> one in the other direction with a FIN+ACK.
> >
> > ra -z -r test.argus -nn - synack
> > 17:48:45.553602  6  1.2.3.4.1553  ->  2.3.4.5.80  1  1  60  60  sSEf
>
> Hmmm.... I don't see how this can be right (or, more likely, I may have
> forgotten the exact semantics of the tcpstate stuff in argus).  As the
> flow data show, there is only the one packet in each direction (i.e. what
> we have here is the tail end of a flow, not the complete article), so I
> don't see how it should be recording the SYN and SYN+ACK.
>
> It was because of issues like this that I asked Carter to implement a
> new attribute that just recorded the actual flags seen.
> >
> > Is it shown correctly, as there should be SA from the dst IP? I'm confused
> > by these two results; the -Z b seems to show the flags as they were last
> > seen in the flow.
>



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>
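As an added example (not from this thread and not argus project code), the following Python parses the status column of the two ra records quoted above and checks whether the -z tcpstate letters are consistent with the flags that -Z b actually recorded. It assumes the -Z b field is "<src flags>_<dst flags>" with tcpdump-style letters (F, S, R, P, A, U), as in the FA_A record above; the legend for the -z letters (s SYN sent, S SYN-ACK seen, E established, f FIN sent, F FIN acknowledged, R reset) is an assumption taken from the ra manual page, not something stated in the thread. The two sample lines are the quoted records re-joined onto one line each.

```python
"""Compare an argus -z tcpstate string with the -Z b flags actually seen.

Added example, not code from the argus project or this thread. The flag
letter meanings and the -z legend below are assumptions (see comments).
"""

# -Z b status is "<flags seen from src>_<flags seen from dst>"; the letters
# are assumed to follow the tcpdump convention.
FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "A": "ACK", "U": "URG"}

# -z status letters; this legend is an assumption drawn from ra(1).
STATE_NAMES = {
    "s": "SYN sent",
    "S": "SYN-ACK seen",
    "E": "established",
    "f": "FIN sent",
    "F": "FIN acknowledged",
    "R": "reset",
}

# The two records quoted in the thread, re-joined onto one line each
# (constructed sample input; the column layout is assumed to be
# time proto src dir dst spkts dpkts sbytes dbytes status).
RA_Z_UPPER = "17:48:45.553602 6 1.2.3.4.1553 -> 2.3.4.5.80 1 1 60 60 FA_A"
RA_Z_LOWER = "17:48:45.553602 6 1.2.3.4.1553 -> 2.3.4.5.80 1 1 60 60 sSEf"


def parse_ra_record(line):
    """Split one ra output line into its columns; the status is the last field."""
    cols = line.split()
    if len(cols) != 10 or cols[3] != "->":
        raise ValueError(f"unexpected ra record layout: {line!r}")
    return {
        "time": cols[0], "proto": cols[1], "src": cols[2], "dst": cols[4],
        "spkts": int(cols[5]), "dpkts": int(cols[6]),
        "sbytes": int(cols[7]), "dbytes": int(cols[8]), "status": cols[9],
    }


def parse_flags_field(status):
    """'FA_A' -> ({'F', 'A'}, {'A'}): flags seen from src and from dst."""
    src, sep, dst = status.partition("_")
    if not sep:
        raise ValueError(f"not a -Z b flags field: {status!r}")
    return set(src), set(dst)


def classify_flags(status):
    """Coarse verdict on which part of a connection the record covers."""
    src, dst = parse_flags_field(status)
    return {
        # SYN one way and SYN+ACK back: the handshake was captured
        "handshake_seen": "S" in src and {"S", "A"} <= dst,
        "closing_seen": "F" in src or "F" in dst,
        "reset_seen": "R" in src or "R" in dst,
        # no SYN in either direction: a mid-flow or tail-of-flow record
        "tail_only": "S" not in src and "S" not in dst,
    }


def state_vs_flags(tcpstate, flags):
    """Return the -z state claims that the -Z b flags cannot support."""
    src, dst = parse_flags_field(flags)
    problems = []
    if "s" in tcpstate and "S" not in src:
        problems.append("state claims SYN sent but no SYN seen from src")
    if "S" in tcpstate and "S" not in dst:
        problems.append("state claims SYN-ACK but no SYN seen from dst")
    if "E" in tcpstate and not ("A" in src and "A" in dst):
        problems.append("state claims established but ACK not seen both ways")
    if "f" in tcpstate and not ("F" in src or "F" in dst):
        problems.append("state claims FIN but no FIN seen")
    if "R" in tcpstate and not ("R" in src or "R" in dst):
        problems.append("state claims reset but no RST seen")
    return problems


if __name__ == "__main__":
    upper = parse_ra_record(RA_Z_UPPER)
    lower = parse_ra_record(RA_Z_LOWER)
    print("flags seen:", classify_flags(upper["status"]))
    for problem in state_vs_flags(lower["status"], upper["status"]):
        print("mismatch:", problem)
```

Run against the two quoted records, the checker reports that the sSEf state string claims a SYN and a SYN-ACK that the FA_A flags never show, which is the inconsistency the thread is about; a record whose -Z b field contains a SYN in each direction passes cleanly.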