Direction of src and dest

Fri Jun 1 00:30:49 EDT 2007

Hi Carter,   

I've recreated the scenario.  I'm sending you what might be useful.  Note that 
I FTP'd the file from 10.22.97.107 to 10.52.32.215

root at cpocts:/tmp# racount -r outfile - src host 10.52.32.215 and dst host 
10.22.97.107
racount   records     total_pkts     src_pkts       dst_pkts       
total_bytes        src_bytes          dst_bytes
    sum   3           174            66             108            
157624             4050               153574
root at cpocts:/tmp# racount -r outfile - dst host 10.52.32.215 and src host 
10.22.97.107
racount   records     total_pkts     src_pkts       dst_pkts       
total_bytes        src_bytes          dst_bytes
    sum   5           36             21             15             
2735               1360               1375

root at cpocts:/tmp# ra -r outfile - src host 10.52.32.215 and dst host 
10.22.97.107 -L0
         StartTime    Flgs   Proto      SrcAddr        Sport   Dir      
DstAddr        Dport  SrcPkts  DstPkts     SrcBytes     DstBytes State
   14:09:40.619797  e          tcp        10.52.32.215.ftp-da    ->        
10.22.97.107.igi-lm        4        3          328          182   FIN
   14:09:58.597238  e d        tcp        10.52.32.215.ftp-da    ->        
10.22.97.107.dbsa-l       62      105         3722       153392   FIN

root at cpocts:/tmp# ra -r outfile - dst host 10.52.32.215 and src host 
10.22.97.107 -L0
         StartTime    Flgs   Proto      SrcAddr        Sport   Dir      
DstAddr        Dport  SrcPkts  DstPkts     SrcBytes     DstBytes State
   14:09:32.744445  e          tcp        10.22.97.107.prm-nm    ->        
10.52.32.215.ftp           5        3          309          309   CON
   14:09:38.522150  e          tcp        10.22.97.107.prm-nm    ->        
10.52.32.215.ftp           6        4          389          355   CON
   14:09:46.283533  e          tcp        10.22.97.107.prm-nm    ->        
10.52.32.215.ftp           2        1          142           84   CON
   14:09:58.580004  e          tcp        10.22.97.107.prm-nm    ->        
10.52.32.215.ftp           8        7          520          627   FIN
root at cpocts:/tmp#

Here's another view of the conversation:

root at cpocts:/tmp# ra -r outfile - host 10.52.32.215 and host 10.22.97.107 -L0
         StartTime    Flgs   Proto      SrcAddr        Sport   Dir      
DstAddr        Dport  SrcPkts  DstPkts     SrcBytes     DstBytes State
   14:09:32.744445  e          tcp        10.22.97.107.prm-nm    ->        
10.52.32.215.ftp           5        3          309          309   CON
   14:09:38.522150  e          tcp        10.22.97.107.prm-nm    ->        
10.52.32.215.ftp           6        4          389          355   CON
   14:09:40.619797  e          tcp        10.52.32.215.ftp-da    ->        
10.22.97.107.igi-lm        4        3          328          182   FIN
   14:09:46.283533  e          tcp        10.22.97.107.prm-nm    ->        
10.52.32.215.ftp           2        1          142           84   CON
   14:09:58.580004  e          tcp        10.22.97.107.prm-nm    ->        
10.52.32.215.ftp           8        7          520          627   FIN
   14:09:58.597238  e d        tcp        10.52.32.215.ftp-da    ->        
10.22.97.107.dbsa-l       62      105         3722       153392   FIN
root at cpocts:/tmp#

Many thanks