Issue with determination of source vs. dest.
Carter Bullard
carter at qosient.com
Fri Jun 13 12:31:29 EDT 2008
Hey Nick,
Yes, the assumption is that the Syn and SynAck packets are indicators of the initiators of the connection. If we see the Syn, then we should be able to say that the source address in the Syn packet is the initiator of the TCP connection (assuming that all is well). If we did not see the Syn, then we can infer who is the server and who is the client based on the direction of the SynAck (we should reverse the flow if we see only a SynAck). This helps us to know what may be going on in asymmetrically routed paths.
Is this breaking something, or is it broken?
Carter
On Jun 13, 2008, at 12:13 PM, Nick Diel wrote:
> This might be related to my localized filtering bug, but I wanted to
> put it in a separate thread in case it wasn't.
>
> In the output from RA, it is switching the client/source and the
> server/dst for TCP connections where Argus did see at least one
> syn. The tcp state ra reports also indicates the client and server
> are switched. This is happening for some unidirectional flows where
> the end of the flow wasn't captured and also a few bidirectional
> flows where the initial syn was not captured but the synack was.
> Since the RA dir column isn't a ?>, I am assuming it is using syn and
> synack states to determine client/server.
>
> Sport Dir Dport State
> 80 -> 3293 S
> 80 -> 4437 S
> 80 -> 4438 S
> 80 -> 2155 S
> 80 -> 53523 SE
> 80 -> 25639 S
> 80 -> 43676 SE
> 80 -> 59239 S
> 80 -> 1222 S
> 80 -> 1267 SE
>
> Sport Dir Dport State
> 80 -> 3293 SA_
> 80 -> 4437 SA_
> 80 -> 4438 SA_
> 80 -> 2155 SA_
> 80 -> 53523 SA_PA
> 80 -> 25639 SA_
> 80 -> 43676 SA_PA
> 80 -> 59239 SA_
> 80 -> 1222 SA_
> 80 -> 1267 SPA_PA
>
> Nick
>
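The client/server rule Carter describes above (SYN source is the client; with only a SYN-ACK seen, reverse the flow; otherwise the direction is unknown), written out as an added Python example. This is not Argus or ra code: the Packet record, the endpoint addresses, the flow samples and the function names are constructed here for illustration, and the "?>" marker is used only because Nick's message mentions it as the unknown-direction indicator.

```python
"""Infer the TCP client/server from SYN and SYN-ACK observations."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP header flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

Endpoint = Tuple[str, int]  # (address, port)


@dataclass(frozen=True)
class Packet:
    """One observed TCP segment of a flow (constructed, not a pcap record)."""
    src: Endpoint
    dst: Endpoint
    flags: int


def infer_direction(packets: List[Packet]) -> Tuple[Endpoint, Endpoint, str]:
    """Return (client, server, dir_marker) for the packets of one flow.

    Rule, as stated in the reply:
      1. A SYN without ACK identifies the initiator: its source is the client.
      2. Otherwise a SYN-ACK identifies the responder: its source is the
         server, so the flow is reversed relative to that packet. This is the
         asymmetric-routing case where only the server->client half is seen.
      3. Neither seen: direction unknown; keep first-seen order, mark it '?>'.
    """
    if not packets:
        raise ValueError("empty flow")
    for p in packets:
        if p.flags & SYN and not p.flags & ACK:
            return p.src, p.dst, "->"
    for p in packets:
        if p.flags & SYN and p.flags & ACK:
            return p.dst, p.src, "->"
    first = packets[0]
    return first.src, first.dst, "?>"


def per_side_flags(packets: List[Packet], client: Endpoint) -> Dict[str, str]:
    """Summarise which flags each side sent once the client is known.

    Hypothetical summary format; it is not the state string ra prints.
    """
    names = [(SYN, "S"), (ACK, "A"), (PSH, "P"), (FIN, "F"), (RST, "R")]
    seen = {"client": set(), "server": set()}
    for p in packets:
        side = "client" if p.src == client else "server"
        for bit, letter in names:
            if p.flags & bit:
                seen[side].add(letter)
    return {side: "".join(l for _, l in names if l in s) for side, s in seen.items()}


def render(packets: List[Packet]) -> str:
    """Render a flow as 'Sport Dir Dport' in the style of Nick's table."""
    client, server, marker = infer_direction(packets)
    return f"{client[1]} {marker} {server[1]}"


# Constructed sample flows (addresses from documentation ranges).
C = ("10.0.0.5", 3293)   # assumed client
S = ("192.0.2.10", 80)   # assumed web server

# Complete three-way handshake followed by a data segment.
FULL_HANDSHAKE = [Packet(C, S, SYN), Packet(S, C, SYN | ACK),
                  Packet(C, S, ACK), Packet(C, S, PSH | ACK)]
# Asymmetric route: only the server->client half was captured, so the SYN is
# missing but the SYN-ACK is present. The flow must be reversed.
SYNACK_ONLY = [Packet(S, C, SYN | ACK), Packet(S, C, PSH | ACK)]
# Mid-stream capture with no handshake packets at all: direction unknown.
DATA_ONLY = [Packet(S, C, PSH | ACK), Packet(C, S, ACK)]

if __name__ == "__main__":
    for name, flow in [("full", FULL_HANDSHAKE), ("synack-only", SYNACK_ONLY),
                       ("data-only", DATA_ONLY)]:
        client, _, _ = infer_direction(flow)
        print(f"{name:12} {render(flow):14} {per_side_flags(flow, client)}")
```

The SYNACK_ONLY flow is the case in Nick's table: every captured packet has source port 80, yet the SYN-ACK tells us the 80 side is the responder, so the flow is reported as 3293 -> 80 rather than 80 -> 3293. Only when no SYN or SYN-ACK was seen at all does the first-seen source stay on the left with the "?>" marker.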