racluster for connections initiated by host X

Carter Bullard carter at qosient.com
Fri Aug 15 13:13:54 EDT 2008 

Hey David,
The best way to approach a filter that doesn't seem to work is to use  
ra()
to see what the nature of the 'primitive' data is.  Are there any  
records
where the "host X and port 80" is true?  From the output of that
filter, are there any records where X is the "src host"?  Piping the  
output,
or using temp files, is a good strategy to building a working filter,

The 'src' and 'dst' semantics for TCP are kinda complicated.  Argus
assigns 'src' to the IP address that initiates the TCP connection, so if
your host "X" is a web client, the best filter for you is "src host X  
and
dst port 80".  Web services are a strict client initiated service, so  
the
servers will be the "dst".

The dst port is reliable if argus() see's the connection establishment
phase of the TCP, so the better filter is:
    "dst port 80 and \(syn or synack\)"

I would test this filter as a likely candidate:
    "host X and \( dst port 80 and \(syn or synack\)\)"

That way you will see the flows where X is either the client or
the web server.  If X is the client, X will be the 'src', if X is the  
sever,
it will be the 'dst'.

When you do this, and then you want to aggregate the data using
racluster(), be sure and leave the 'proto' and the 'dport' as a part of
the clustering key:
   -m saddr daddr proto dport

That way if you want to further process the data, you don't lose some
of the key service/direction information.

Carter

On Aug 15, 2008, at 12:35 PM, David wrote:

> Another quick question, this time regarding racluster.  I am running  
> it like so:
>
> $ racluster -m saddr daddr -w - - "port 80" | rasort -m bytes
>
> This seems to work fine to give me a sorted list of the biggest  
> flows (where one end is port 80).  Please let me know if there is  
> anything very wrong with this assumption.
>
> However, what I really want is a list of all destinations and the  
> byte counts from host X to any host on port 80.  So I have tried  
> various combinations of:
>
> $ racluster -m saddr daddr -w - - "src host X and dst port 80" |  
> rasort -m bytes
>
> But I cannot seem to get any data out of this.  I am sure I am  
> missing something fairly trivial, but I cannot figure out what it is.
>
> David
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>

More information about the argus mailing list