Definition of filter fin and finack

Carter Bullard carter at qosient.com
Wed Aug 27 14:46:49 EDT 2008


Hey Nick,
Fin means that we saw a TCP packet with only the fin bit set.  It
doesn't exclude that other states were seen, it just means that we did
see a proper FIN packet.

Finack means that we saw a TCP packet with only the fin and the ack
bit set, so we know that there appears to be a proper response to a
FIN packet.

If you put "src" or "dst" in front of a TCP flag keyword, you aren't
asking about TCP states, you're just asking for the occurrence of the
bit being set in any packet observed by the flow record.  For example
this filter:

    "src \( fin and ack\)"

is not the same as

    "finack"

In the first filter, the fin and the ack bits are not related, in
that they could have occurred in different packets.  The "finack"
filter requires that a packet with the fin and the ack bits set
together was seen, i.e. both bits or'd in the same packet.  This is
much different than what you see with Netflow, or any other flow data.

Carter

On Aug 27, 2008, at 12:45 PM, Nick Diel wrote:

> A quick question as I work on a paper.  For the filters "fin" and
> "finack", does each one represent one half of the 3-way tear down?
> For example, does "fin" mean that argus saw the first fin and saw
> the ACK for this fin?  And on the other side, does "finack" mean
> that argus saw the second fin and saw the ACK for this fin?  Or does
> a complete teardown in terms of fin and finack filters look like
> this: (src fin and dst finack) and (dst fin and src finack)?
>
> I want to make sure I get my definitions right for a paper.
>
> Thanks,
> Nick
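
The distinction Carter draws between "src ( fin and ack )" and "finack" can be made concrete with a small emulation.  This is an added example, not argus code: each packet is a (direction, flag bits) pair, "src" is assumed to restrict the match to packets sent by the flow's source, and "fin" / "finack" are implemented literally as Carter defines them (a packet with only FIN set, a packet with exactly FIN and ACK set).  The two flows are constructed sample data, not captured traffic.

```python
# Added example: packet-level flag states vs. aggregated flag bits,
# following the definitions in the reply above (not argus code).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def flag_union(packets, direction):
    """Emulate 'src'/'dst' in front of flag keywords: OR every flag bit seen
    in packets sent by that side (assumed meaning of src/dst)."""
    union = 0
    for d, flags in packets:
        if d == direction:
            union |= flags
    return union

def matches_src_fin_and_ack(packets):
    """'src ( fin and ack )': FIN and ACK each set in some src packet,
    not necessarily the same packet."""
    u = flag_union(packets, "src")
    return bool(u & FIN) and bool(u & ACK)

def matches_fin(packets):
    """'fin': a packet with only the FIN bit set, from either side."""
    return any(flags == FIN for _, flags in packets)

def matches_finack(packets):
    """'finack': a packet with exactly FIN and ACK set, from either side."""
    return any(flags == FIN | ACK for _, flags in packets)

# Constructed flow 1: a normal close, src's FIN answered by dst's FIN+ACK.
NORMAL_CLOSE = [
    ("src", SYN), ("dst", SYN | ACK), ("src", ACK),
    ("src", PSH | ACK), ("dst", ACK),
    ("src", FIN), ("dst", FIN | ACK), ("src", ACK),
]

# Constructed flow 2: src sends a bare FIN that is never answered. src has
# emitted FIN and ACK bits in different packets, so "src ( fin and ack )"
# matches, but no packet carried FIN and ACK together, so "finack" does not.
HALF_CLOSE = [
    ("src", SYN), ("dst", SYN | ACK), ("src", ACK),
    ("src", PSH | ACK), ("dst", ACK),
    ("src", FIN),
]

def compare(packets):
    """Return the result of all three filters for one flow record."""
    return {
        "src ( fin and ack )": matches_src_fin_and_ack(packets),
        "fin": matches_fin(packets),
        "finack": matches_finack(packets),
    }

if __name__ == "__main__":
    for name, flow in (("normal close", NORMAL_CLOSE), ("half close", HALF_CLOSE)):
        print(name, compare(flow))
```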
