ragraph and ftp flows

Carter Bullard carter at qosient.com
Tue Oct 30 10:09:39 EDT 2007


Hey Wimmie,
Hmmmmm, not enough information.  Are you graphing based on the
destination port (dport), and you would like flows with source port 20
to be treated as if their dport is "ftp-data"?

If this is correct, the current clients do not provide you the ability to do
this easily.  You could do it with racluster() and ranonymize(), but that
is not very elegant (racluster() to merge records with "src port ftp-data"
and ranonymize() to convert the resulting zero dst port to port 20).

It is easy to get ragraph to do the right thing, by modifying the perl script
and adding a bit of processing.  An easy way to do this would be to
invent a special field, something like "svc", so that ragraph() understands
what it is that you want to graph.  You replace the singleton "svc" on the
command line with "sport dport", and put a few lines of code to assign
the field with either the dport string or the sport string, depending on some
logic.  You would have to make changes to RagraphGenerateRRDParameters()
and RagraphGenerateRRD(), but it would be pretty easy to do.

I think the right approach is to create a new field so that ra* clients
will do this for you.  It would seem that you are really wanting
to graph a "Service" rather than a flow key attribute.    We could
have a new field, "svc", and generate some rules that allow us to
printout various service labels.  Or we could improve on the program
ralabel(), and have programs like ragraph print out a "label:svc" field,
since we could have other labels in the record.

I can do this after the argus-3.0 release, or if you do it, I can check it
out and possibly get it in before we go official.

Carter


On Oct 30, 2007, at 5:48 AM, Wimmie wrote:

> I find that FTP flows are not properly graphed with ragraph. It  
> graphs the data on the ports which are assigned during the FTP port  
> negotiation, but doesn't show these ports as ftp-data. Now without  
> dumping the data it's hard to tell this is actual FTP data. Is  
> there some way to correct this issue?
>



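The "svc" logic Carter sketches above (prefer the dport's service name, fall back to the sport's so that active-mode FTP data connections from server port 20 show up as ftp-data), as an added example that is not part of the original thread and not argus code. It works on comma-separated ra(1)-style output; the column names (Sport, Dport, TotBytes), the port table and the sample records are all constructed assumptions for the example.

```python
"""Derive a per-flow "svc" label from (sport, dport) and total bytes by it.

Added example, not part of argus or the ragraph perl script.
"""
import csv
import io
from collections import defaultdict

# Constructed well-known port table (assumption). A real script could
# consult socket.getservbyport() or /etc/services instead.
SERVICES = {
    20: "ftp-data",
    21: "ftp",
    22: "ssh",
    25: "smtp",
    53: "domain",
    80: "http",
    443: "https",
}


def service_label(sport, dport, services=SERVICES):
    """Pick the service name for a flow.

    Prefer the destination port (the usual case); fall back to the source
    port so an active-mode FTP data connection (server port 20 -> client
    ephemeral port) is reported as ftp-data rather than as the random
    client port. Flows with no well-known port on either side keep the
    numeric dport, which is what graphing on dport alone shows today.
    """
    if dport in services:
        return services[dport]
    if sport in services:
        return services[sport]
    return str(dport)


def bytes_by_service(ra_csv):
    """Aggregate TotBytes per svc label from comma-separated ra-style output.

    Assumes a header row naming the columns (Sport, Dport, TotBytes are the
    names used in the constructed sample below).
    """
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(ra_csv)):
        svc = service_label(int(row["Sport"]), int(row["Dport"]))
        totals[svc] += int(row["TotBytes"])
    return dict(totals)


# Constructed sample: an FTP control connection, the active-mode data
# connection it negotiated (server port 20 -> ephemeral client port), an
# HTTPS flow, and a flow with no well-known port on either side.
SAMPLE = """StartTime,SrcAddr,Sport,DstAddr,Dport,TotBytes
2007-10-30 10:01:02,10.0.0.5,49152,192.0.2.10,21,1240
2007-10-30 10:01:05,192.0.2.10,20,10.0.0.5,49153,8192000
2007-10-30 10:02:11,10.0.0.5,49154,192.0.2.10,443,4310
2007-10-30 10:03:40,10.0.0.5,49155,10.0.0.9,5000,777
"""

if __name__ == "__main__":
    for svc, total in sorted(bytes_by_service(SAMPLE).items()):
        print(f"{svc:10s} {total}")
```

With the sample above the 8 MB data connection lands under "ftp-data" instead of under the client's ephemeral port 49153. The rule is port-based only: a passive-mode FTP data connection uses a negotiated high port on both ends, so neither sport nor dport identifies it, which is why Carter's suggestion of a proper service label (via ralabel() or a new field) is the more general fix.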