flow in general

Nick Diel nick at engineerity.com
Tue Apr 21 11:45:38 EDT 2009


Basically when Argus sees packets going in both directions (from host A to
host B AND from host B to host A) this is a bidirectional flow.  When Argus
only sees packets going in one direction this is a unidirectional flow.

A simple example is when host A sends host B a tcp syn packet and host B
does not respond (such as the case for a simple port scan).  Argus will
count this as a flow and since packets only went from host A to host B it is
unidirectional.  Note if host B responded then this would be a bidirectional
flow.

Another reason for unidirectional flows is for some reason Argus did not see
the other packets, such as the case may be with placement of an Argus
collector.

Note, especially with TCP, source and destination have nothing to do with
unidirectional vs. bidirectional.  With TCP, source and destination are
determined when possible with tcp states.

Nick

PS To see this in action have ra tell you how many packets the src and dst
sent.  Add the following to your ra command: -L0 -s +spkts +dpkts



On Tue, Apr 21, 2009 at 7:53 AM, Oguz Yarimtepe <comp.ogz at gmail.com> wrote:

> I was analyzing an http flow that is converted from a tcpdump file. I
> was using racluster. I saw the flows generally uni-directional. Some are
> bi-directional. I checked the meaning of directionality again from here,
> but i didn't get the point indeed.
>
> For ex when I see a bi-directional flow does that mean that every
> package is from source to destination? Why are some http flows uni and
> some bi directional?
>
> I will be happy if someone gives more detail about directionality.
>
> And is there any #argus channel on irc, so that we can join and ask some
> questions there also?
>
> Oğuz
>
>
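As an added example (not from this thread or the Argus project), here is a small Python parser that applies Nick's definition to ra output: it reads each record's SrcPkts/DstPkts counts, labels the flow unidirectional or bidirectional, and picks out sources whose unanswered one-way flows fan out across several destination ports, the unanswered-SYN case described above. The column list and the sample records are constructed assumptions; only `-L0 -s +spkts +dpkts` comes from the post.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample; assumed ra column list: stime saddr sport daddr dport spkts dpkts
SAMPLE_RA_OUTPUT = """\
StartTime SrcAddr Sport DstAddr Dport SrcPkts DstPkts
10:00:01.000 10.0.0.5 40001 10.0.0.9 80 6 5
10:00:02.000 10.0.0.5 40002 10.0.0.9 22 1 0
10:00:02.100 10.0.0.5 40003 10.0.0.9 23 1 0
10:00:02.200 10.0.0.5 40004 10.0.0.9 25 1 0
10:00:03.000 10.0.0.7 51000 10.0.0.9 443 0 3
"""


@dataclass
class Flow:
    saddr: str
    daddr: str
    dport: int
    spkts: int
    dpkts: int

    @property
    def direction(self) -> str:
        # Argus semantics: packets seen in both directions -> bidirectional
        if self.spkts and self.dpkts:
            return "bidirectional"
        if self.spkts or self.dpkts:
            return "unidirectional"
        return "empty"


def parse_ra_output(text: str) -> list[Flow]:
    """Parse whitespace-separated ra rows, skipping blank and header lines."""
    flows = []
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0] == "StartTime":
            continue
        _stime, saddr, _sport, daddr, dport, spkts, dpkts = cols[:7]
        flows.append(Flow(saddr, daddr, int(dport), int(spkts), int(dpkts)))
    return flows


def one_sided_by_source(flows: list[Flow], min_ports: int = 3) -> dict[str, list[int]]:
    """Sources whose src->dst-only flows (no reply seen) reach >= min_ports distinct
    ports. Reply-only flows (spkts == 0) are skipped: the collector likely missed a side."""
    ports: dict[str, set[int]] = defaultdict(set)
    for f in flows:
        if f.direction == "unidirectional" and f.spkts > 0:
            ports[f.saddr].add(f.dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

The last record (SrcPkts 0, DstPkts 3) is unidirectional too, but in the reply direction only, which is the collector-placement case Nick mentions rather than an unanswered probe.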