src_bytes and dst_bytes files

Harry Hoffman hhoffman at ip-solutions.net
Wed Jun 20 08:44:41 EDT 2007


Are people using racluster to replace the original flow files to combine
"forgotten" TCP connections (and save space)? Or do most people use it in
a reporting-only fashion?

If you are replacing your original files, what criteria are you using?

Cheers,
Harry


<snip>
> If argus times out a long-lived TCP connection, because it was idle, it
> will "forget" that it saw the SYN/SYNACK volley, and when the next packet
> comes by, the src and dst assignments may get reversed.  The '?' can be
> used to help remind you that this condition may exist.  Racluster() will
> match, correct and merge these types of records correctly, by default.
>
> With argus including this info in all the TCP records, you can use the
> filter "syn and synack" to assure that the records you are processing are
> healthy flows, and that the src and dst objects represent the server and
> client relationships.  Now with these relationships known, you can analyze
> for whether the service is a producer or consumer (did the initiator push
> data or did it get data?) etc ......
>
> Now, there is a lot of TCP traffic out there that is used for scanning, so
> seeing a few packets with a '?' in the dir field may represent discovery
> packets.  Also, Windows has a habit of sending very late closing packets,
> like resets and FINs, hours after the TCP connection has been closed.  So
> the '?' is not an uncommon indicator, and seeing it is very useful!!
>
</snip>
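The mechanism described in the quoted reply, as an added example that is not part of this thread and not argus's own code: a long-lived connection is timed out, the next packet argus sees comes from the server, so a second record appears with src/dst reversed and a '?' direction; a "syn and synack" style check picks out the records whose src really is the client; and a simplified racluster-style merge folds the reversed half back into the healthy record so the producer/consumer question can be answered. The record layout, the flag columns and the three sample records are constructed for this illustration and are not literal ra(1) output, and the merge logic is a simplification of what racluster does, not its algorithm.

```python
"""Illustration of '?' direction records, the 'syn and synack' health check,
and a racluster-style merge.  Example code written for this page; not argus
code.  Record format and flag columns are constructed assumptions."""
from dataclasses import dataclass

# Constructed sample records (NOT real ra output).  Columns, in order:
# stime proto saddr sport dir daddr dport sflags dflags spkts dpkts sbytes dbytes
#  1. the healthy half: client 10.0.0.5 -> server :80, SYN and SYN/ACK both seen
#  2. the same connection picked up again after an idle timeout; the first
#     packet seen came from the server, so src/dst are reversed and dir is '?'
#  3. a lone RST with no handshake, i.e. scanning / late-close noise
SAMPLE_RECORDS = """\
1182342000 tcp 10.0.0.5 51234 -> 10.0.0.9 80 SPA SPA 12 10 1400 50000
1182346000 tcp 10.0.0.9 80 ?> 10.0.0.5 51234 PA A 3 2 4300 120
1182342100 tcp 10.0.0.7 4433 ?> 10.0.0.9 443 R - 1 0 60 0
"""


@dataclass
class Flow:
    stime: int
    proto: str
    saddr: str
    sport: int
    dir: str
    daddr: str
    dport: int
    sflags: str   # TCP flags seen from src (assumed column)
    dflags: str   # TCP flags seen from dst (assumed column)
    spkts: int
    dpkts: int
    sbytes: int
    dbytes: int


def parse_records(text):
    """Parse whitespace-separated records in the constructed layout above."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 13:
            continue  # skip blanks / comment lines
        flows.append(Flow(int(f[0]), f[1], f[2], int(f[3]), f[4], f[5],
                          int(f[6]), f[7], f[8], int(f[9]), int(f[10]),
                          int(f[11]), int(f[12])))
    return flows


def is_healthy(flow):
    """Counterpart of the ra filter 'syn and synack': src sent a SYN and dst
    answered with SYN/ACK, so src is the client and dst is the server."""
    return (flow.proto == "tcp" and "S" in flow.sflags
            and "S" in flow.dflags and "A" in flow.dflags)


def reverse(flow):
    """Swap the src and dst objects of a record (undo the reversal that
    happens when argus re-learns a flow from a server-to-client packet)."""
    return Flow(flow.stime, flow.proto, flow.daddr, flow.dport, "->",
                flow.saddr, flow.sport, flow.dflags, flow.sflags,
                flow.dpkts, flow.spkts, flow.dbytes, flow.sbytes)


def merge_flags(a, b):
    letters = (set(a) | set(b)) - {"-"}
    return "".join(sorted(letters)) or "-"


def cluster(flows):
    """Simplified racluster-style merge: key records by 5-tuple; a '?' record
    whose 5-tuple is the reverse of one already seen is flipped and folded in."""
    merged = {}
    for f in sorted(flows, key=lambda x: x.stime):
        key = (f.proto, f.saddr, f.sport, f.daddr, f.dport)
        rkey = (f.proto, f.daddr, f.dport, f.saddr, f.sport)
        if key in merged:
            target, add = merged[key], f
        elif rkey in merged and "?" in f.dir:
            target, add = merged[rkey], reverse(f)
        else:
            merged[key] = f
            continue
        target.spkts += add.spkts
        target.dpkts += add.dpkts
        target.sbytes += add.sbytes
        target.dbytes += add.dbytes
        target.sflags = merge_flags(target.sflags, add.sflags)
        target.dflags = merge_flags(target.dflags, add.dflags)
    return list(merged.values())


def service_role(flow):
    """Once src is known to be the client: did the service push data to the
    initiator (producer) or receive it (consumer)?"""
    return "producer" if flow.dbytes > flow.sbytes else "consumer"


if __name__ == "__main__":
    flows = parse_records(SAMPLE_RECORDS)
    for f in cluster(flows):
        tag = "healthy" if is_healthy(f) else "dir=" + f.dir
        print(f"{f.saddr}:{f.sport} -> {f.daddr}:{f.dport} {tag} "
              f"{f.sbytes}/{f.dbytes} bytes")
```

Run as a script, the reversed second record disappears into the first (14/13 packets, 1520/54300 bytes, server is a producer), while the lone RST keeps its '?' and fails the health check, which is exactly the "scanning or late close" case the reply describes.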




More information about the argus mailing list