Filter Flows with fins/resets
Nick Diel
ndiel at engr.colostate.edu
Fri Feb 29 20:56:59 EST 2008
I am interested in finding flows that contain fin-finacks or resets and
where data packets continue in the flow after the fin-finacks or reset
(usually the data packets continue only in one direction). I know I can
filter for flows that contain fin-finacks or resets, but finding flows
with the previous criteria is stumping me. I am guessing this
information is not easily available just from the argus flow records, so
just a filter will probably not work. I am looking at using racluster
to help me. Here is my current thought process:
1. Merge status flow records only up to the point of a fin-finack or
reset (not sure if this is possible)
2. Take all flows that just contain data packets and most likely
resets, but no syns or fins, and merge them with the above flows.
3. Any flows that did merge successfully will be the flows I am
interested in.
Any ideas or thoughts would be appreciated.
Nick
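The decision Nick describes (split a TCP flow at the point where teardown completes, then look for data packets that arrive after it, noting which direction they travel) can be spelled out directly. The following is an added example written for this thread, not code from the poster or from the argus project: it works on constructed per-packet summaries rather than argus status records, so the racluster merge step is not reproduced, and the `Pkt` class, `post_teardown_data` function and the sample flows are all assumptions made for illustration. Teardown is taken to be complete at the first RST or once both endpoints have sent a FIN, so a normal half-close (data from one side after the other side's FIN) is not reported.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Pkt:
    """One TCP packet summary (constructed for this example, not argus output)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters: S=SYN A=ACK F=FIN R=RST P=PSH
    payload: int    # payload bytes carried by the segment


def flow_key(p):
    """Direction-independent 5-tuple so both halves land in one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def post_teardown_data(packets):
    """Map flow key -> report for flows that carry data after teardown.

    Teardown is complete at the first RST, or once both endpoints have
    sent a FIN.  Data sent after one side's FIN but before the other's
    is an ordinary half-close and is not counted.
    """
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[flow_key(p)].append(p)

    reports = {}
    for key, pkts in by_flow.items():
        pkts.sort(key=lambda p: p.ts)
        fin_seen = set()          # endpoints that have sent a FIN
        teardown = None           # ("FIN" | "RST", ts) once complete
        after = defaultdict(int)  # sender endpoint -> data packets after teardown
        for p in pkts:
            sender = (p.src, p.sport)
            if teardown is not None:
                if p.payload > 0:
                    after[sender] += 1
                continue
            if "R" in p.flags:
                teardown = ("RST", p.ts)
            elif "F" in p.flags:
                fin_seen.add(sender)
                if len(fin_seen) == 2:
                    teardown = ("FIN", p.ts)
        if after:
            reports[key] = {
                "teardown": teardown[0],
                "teardown_ts": teardown[1],
                "data_after": dict(after),  # per direction, as Nick asked
            }
    return reports


def build_sample():
    """Constructed packet list covering four flows (not real captures)."""
    srv = ("192.0.2.10", 80)

    def cl(port):
        return ("10.0.0.5", port)

    def pk(ts, a, b, flags, payload=0):
        return Pkt(ts, a[0], a[1], b[0], b[1], flags, payload)

    c1, c2, c3, c4 = cl(40001), cl(40002), cl(40003), cl(40004)
    return [
        # flow 1: clean FIN / FIN-ACK close, nothing afterwards -> not reported
        pk(1.0, c1, srv, "S"), pk(1.1, srv, c1, "SA"), pk(1.2, c1, srv, "A"),
        pk(1.3, c1, srv, "PA", 120), pk(1.4, srv, c1, "PA", 800),
        pk(1.5, c1, srv, "FA"), pk(1.6, srv, c1, "FA"), pk(1.7, c1, srv, "A"),
        # flow 2: both FINs, then the server keeps sending data -> reported (FIN)
        pk(2.0, c2, srv, "S"), pk(2.1, srv, c2, "SA"), pk(2.2, c2, srv, "A"),
        pk(2.3, c2, srv, "FA"), pk(2.4, srv, c2, "FA"),
        pk(2.5, srv, c2, "PA", 1400), pk(2.6, srv, c2, "PA", 1400),
        # flow 3: client RST, data continues in both directions -> reported (RST)
        pk(3.0, c3, srv, "S"), pk(3.1, srv, c3, "SA"), pk(3.2, c3, srv, "A"),
        pk(3.3, c3, srv, "R"), pk(3.4, srv, c3, "PA", 500),
        pk(3.5, c3, srv, "PA", 60),
        # flow 4: half-close, server data before its own FIN -> not reported
        pk(4.0, c4, srv, "S"), pk(4.1, srv, c4, "SA"), pk(4.2, c4, srv, "A"),
        pk(4.3, c4, srv, "FA"), pk(4.4, srv, c4, "PA", 300),
        pk(4.5, srv, c4, "FA"), pk(4.6, c4, srv, "A"),
    ]


if __name__ == "__main__":
    for key, rep in post_teardown_data(build_sample()).items():
        print(key, rep)
```

Run against real traffic, retransmitted or reordered segments that arrive after the last FIN will also match, so a count threshold or a minimum gap after `teardown_ts` is usually needed before such flows are worth a closer look.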