Issue with determination of source vs. dest.
Carter Bullard
carter at qosient.com
Mon Jun 16 11:42:58 EDT 2008
Hey Nick,
If you can provide an argus data file that has a record in it that
is "incorrect", I can take a look at it.
Carter
On Jun 13, 2008, at 12:13 PM, Nick Diel wrote:
> This might be related to my localized filtering bug, but I wanted to
> put it in a separate thread in case it wasn't.
>
> In the output from RA, it is switching the client/source and the
> server/dst for TCP connections where Argus did see at least one
> syn. The tcp state ra reports also indicates the client and server
> are switched. This is happening for some unidirectional flows where
> the end of the flow wasn't captured and also a few bidirectional
> flows where the initial syn was not captured but the synack was.
> Since RA dir column isn't a ?> I am assuming it is using syn and
> synack states to determine client/server.
>
> Sport Dir Dport State
> 80 -> 3293 S
> 80 -> 4437 S
> 80 -> 4438 S
> 80 -> 2155 S
> 80 -> 53523 SE
> 80 -> 25639 S
> 80 -> 43676 SE
> 80 -> 59239 S
> 80 -> 1222 S
> 80 -> 1267 SE
>
> Sport Dir Dport State
> 80 -> 3293 SA_
> 80 -> 4437 SA_
> 80 -> 4438 SA_
> 80 -> 2155 SA_
> 80 -> 53523 SA_PA
> 80 -> 25639 SA_
> 80 -> 43676 SA_PA
> 80 -> 59239 SA_
> 80 -> 1222 SA_
> 80 -> 1267 SPA_PA
>
> Nick
>
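A small orientation heuristic, added here as an illustration and not argus' or ra's own code: it orients a TCP flow from per-packet flags and shows why a cumulative state such as "SA_" cannot by itself distinguish a capture that saw only the server's SYN-ACK from a one-sided capture of the client's SYN and ACK. The packet tuples are constructed samples using the ports from Nick's output; the flag-letter ordering beyond S, P, A is my assumption.

```python
# Each packet is (src_port, dst_port, flags); flags use ra's letters
# (S=SYN, P=PSH, A=ACK, F=FIN, R=RST).
FLAG_ORDER = "SPAFR"  # S, P, A as ra prints them; F, R order assumed


def orient_flow(packets):
    """Return (client_port, server_port, reason) for one TCP flow.

    Hypothetical heuristic, not argus' logic:
      1. a bare SYN (S without A) marks its sender as the client;
      2. otherwise a SYN-ACK (S with A) marks its sender as the server,
         so the flow is reversed even though the SYN was never seen;
      3. otherwise the direction is unknown ('?'), first sender kept.
    """
    for sp, dp, flags in packets:
        if "S" in flags and "A" not in flags:
            return sp, dp, "syn"
    for sp, dp, flags in packets:
        if "S" in flags and "A" in flags:
            return dp, sp, "synack-only"
    sp, dp, _ = packets[0]
    return sp, dp, "?"


def cumulative_state(packets, src_port):
    """Collapse per-packet flags into an ra-style 'SRCFLAGS_DSTFLAGS' string.

    Accumulation is what loses the SYN vs. SYN-ACK distinction.
    """
    src, dst = set(), set()
    for sp, dp, flags in packets:
        (src if sp == src_port else dst).update(flags)

    def fmt(seen):
        return "".join(f for f in FLAG_ORDER if f in seen)

    return f"{fmt(src)}_{fmt(dst)}"


if __name__ == "__main__":
    # Constructed: only the server's SYN-ACK was captured.
    synack_only = [(80, 3293, "SA")]
    # Constructed: only the client's SYN and ACK were captured.
    client_only = [(3293, 80, "S"), (3293, 80, "A")]
    print(orient_flow(synack_only), cumulative_state(synack_only, 80))
    print(orient_flow(client_only), cumulative_state(client_only, 3293))
```

Both constructed flows collapse to the same "SA_" state with their respective source port, which is why per-packet flag history, not the accumulated state column, is needed to decide the client.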