src_bytes and dst_bytes files

carter at qosient.com
Wed Jun 20 07:38:49 EDT 2007


Hey Kjell Tore Fossbak,
Ra prints out a '?' in the direction field for TCP flows when argus has no history of seeing the TCP connection establishment SYN/SYN_ACK packets.
When these packets have not been seen, argus assigns the src as the first to transmit.

For TCP, argus wants to assign to the src, the initiator of the flow, because this information is meaningful.  In most cases the TCP initiator (the address that first sends a SYN packet) is the service client, the target address (the address that sends the SYNACK) is the server.  The target port should be the service port.  So, for http flows as an example, when the SYN or SYNACK packets are seen and the flow is not spoofed in any way, the argus flow record will have port 80 as the dst, and the dst address will be the http server.

Yes, regardless of the direction, the src metrics are associated with the source objects, and the same is true for the dst elements.

If argus times out a long lived TCP connection, because it was idle, it will "forget" that it saw the SYN/SYNACK volley, and when the next packet comes by, the src and dst assignments may get reversed.  The '?' can be used to help to remind you that this condition may exist.  Racluster() will match, correct and merge these types of records correctly, by default.

With argus including this info in all the TCP records, you can use the filter "syn and synack" to assure that the records you are processing are healthy flows, and that the src and dst objects represent the server and client relationships.  Now with these relationships known, you can analyze for whether the service is a producer or consumer (did the initiator push data or did it get data?) etc.

Now, there is a lot of TCP traffic out there that is used for scanning, so seeing a few packets with a '?' in the dir field may represent discovery packets.  Also Windows has a habit of sending very late closing packets, like resets and fins, hours after the TCP has been closed.  So the '?' is not an uncommon indicator, and seeing it is very useful!!

Is that helpful?

Carter



Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

-----Original Message-----
From: "Kjell Tore Fossbakk" <kjelltore at gmail.com>

Date: Wed, 20 Jun 2007 11:09:02 
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] src_bytes and dst_bytes files


Hello!

I have a question.

When Argus is uncertain about the direction of the flow (?>), what is the relationship between src_ip,src_port and src_count,src_bytes. To the best of my knowledge and logic, all the 'src' fields belong to each other and all the 'dst' fields belong to each other, is that true? Or could it be that the src_count,src_bytes actually belong to dst_ip,dst_port when argus is uncertain about the direction (?>)?

I have some traffic which gives ?> dir, and the dst_bytes and dst_count is 0 while src_count and src_bytes is just a few. Why is argus uncertain about the direction when there has only been sent traffic one way?

Sincerely,
Kjell Tore Fossbakk



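Added example, not code from the argus project or from either poster, applying the reading of the dir field given in the reply above to a handful of constructed flow records: a record that would pass the "syn and synack" filter is treated as a trustworthy client/server pair and checked for producer vs consumer, while a '?>' record is separated into one-sided (discovery packet or late FIN/RST) and two-way (possibly reversed src/dst) cases. The tab-separated layout and the 'flags' column standing in for argus's TCP state flags are assumptions made for the example, not ra's real output format.

```python
# Added example; the record layout and the 'flags' column are ASSUMPTIONS
# constructed for this demonstration and are not ra's real default output.
# It follows the reply's reading of dir: '?>' means no SYN/SYN-ACK history,
# so src is merely the first sender and src/dst may be reversed.
from collections import Counter

FIELDS = ["stime", "proto", "saddr", "sport", "dir", "daddr", "dport",
          "spkts", "dpkts", "sbytes", "dbytes", "flags"]
INT_FIELDS = {"sport", "dport", "spkts", "dpkts", "sbytes", "dbytes"}

# Constructed sample records, loosely modelled on ra output.
SAMPLE = """\
10:00:01\ttcp\t10.0.0.5\t51234\t->\t192.0.2.10\t80\t12\t10\t900\t45000\tsyn,synack
10:00:02\ttcp\t10.0.0.6\t51235\t->\t192.0.2.20\t443\t40\t30\t60000\t2000\tsyn,synack
10:00:03\ttcp\t10.0.0.7\t40001\t?>\t192.0.2.30\t22\t1\t0\t60\t0\t
10:00:04\ttcp\t192.0.2.40\t80\t?>\t10.0.0.8\t51236\t2\t0\t120\t0\tfin
10:00:05\ttcp\t192.0.2.50\t443\t?>\t10.0.0.9\t51237\t5\t4\t3000\t400\t
"""

def parse(text):
    """Turn the constructed record lines into dicts with numeric counters."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        rec["flags"] = {f for f in rec["flags"].split(",") if f}
        flows.append(rec)
    return flows

def is_healthy(rec):
    """Emulates the ra filter 'syn and synack': both handshake halves seen."""
    return {"syn", "synack"} <= rec["flags"]

def classify(rec):
    """Label a record the way the reply suggests reading the dir field."""
    if is_healthy(rec):
        # src is the initiator (client); did it push data or pull it?
        return ("client-server", "producer" if rec["sbytes"] > rec["dbytes"] else "consumer")
    # No handshake seen: a one-sided record (no dst packets) fits discovery
    # packets or late FIN/RST; with traffic both ways the src/dst roles may be
    # reversed after an idle timeout, which racluster can correct by merging.
    return ("unknown-direction", "one-sided" if rec["dpkts"] == 0 else "reversible")

def summarize(text):
    """Count records per label, e.g. to report how common '?' flows are."""
    return Counter(classify(r) for r in parse(text))
```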