Issue with determination of source vs. dest.
Nick Diel
nick at engineerity.com
Fri Jun 13 12:13:24 EDT 2008
This might be related to my localized filtering bug, but I wanted to put it
in a separate thread in case it wasn't.

In the output from RA, it is switching the client/source and the server/dst
for TCP connections where Argus did see at least one syn. The tcp state ra
reports also indicates the client and server are switched. This is
happening for some unidirectional flows where the end of the flow wasn't
captured and also a few bidirectional flows where the initial syn was not
captured but the synack was. Since RA's dir column isn't a ?>, I am assuming
it is using syn and synack states to determine client/server.

Sport  Dir  Dport  State
   80   ->   3293  S
   80   ->   4437  S
   80   ->   4438  S
   80   ->   2155  S
   80   ->  53523  SE
   80   ->  25639  S
   80   ->  43676  SE
   80   ->  59239  S
   80   ->   1222  S
   80   ->   1267  SE

Sport  Dir  Dport  State
   80   ->   3293  SA_
   80   ->   4437  SA_
   80   ->   4438  SA_
   80   ->   2155  SA_
   80   ->  53523  SA_PA
   80   ->  25639  SA_
   80   ->  43676  SA_PA
   80   ->  59239  SA_
   80   ->   1222  SA_
   80   ->   1267  SPA_PA

Nick
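
A way to triage flow records for the orientation problem reported above, as an added example that is not part of the original post and is not Argus project code. It assumes the State column in the second listing reads as `<flags sent by source>_<flags sent by destination>` and uses a port threshold of 1023 as a heuristic; the function names and the last two sample rows are constructed for illustration.

```python
import re

# Rows 1-3 are from the second listing in the post; rows 4-5 are constructed
# here for contrast and are not from the post.
SAMPLE = """\
Sport Dir Dport State
80 -> 3293 SA_
80 -> 53523 SA_PA
80 -> 1267 SPA_PA
40112 -> 80 SPA_SPA
40113 -> 80 SA_
"""

# Assumption: State is "<flags sent by source>_<flags sent by destination>".
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+([A-Z]*)_([A-Z]*)\s*$")

def parse(text):
    """Yield one dict per data row; the header and malformed lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sport, _direction, dport, src, dst = m.groups()
            yield {"sport": int(sport), "dport": int(dport),
                   "src_flags": set(src), "dst_flags": set(dst)}

def classify(rec, service_max=1023):
    """Return 'likely-reversed', 'ambiguous' or 'ok' for one flow record."""
    # Source sent SYN and ACK while no SYN was seen from the destination:
    # consistent with a SYN-ACK whose opening SYN was never captured.
    # Accumulated flags cannot tell that apart from a client's SYN followed
    # by a later ACK, so this signal alone is not conclusive.
    synack_like = {"S", "A"} <= rec["src_flags"] and "S" not in rec["dst_flags"]
    # Heuristic (assumption): ports <= service_max are server ports.
    server_like_src = rec["sport"] <= service_max < rec["dport"]
    if synack_like and server_like_src:
        return "likely-reversed"
    if synack_like or server_like_src:
        return "ambiguous"
    return "ok"

def audit(text):
    """Return (sport, dport, verdict) for every parsed row."""
    return [(r["sport"], r["dport"], classify(r)) for r in parse(text)]

if __name__ == "__main__":
    for sport, dport, verdict in audit(SAMPLE):
        print(f"{sport:>5} -> {dport:<5} {verdict}")
```

Records marked ambiguous match only one of the two signals and need the packet capture or a neighbouring sensor's view before the orientation can be settled.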