flow model and argus irc channel
Oguz Yarimtepe
comp.ogz at gmail.com
Wed Apr 22 02:52:29 EDT 2009
On Wed, 2009-04-22 at 00:11 +0800, CS Lee wrote:
>
> I would like to see a argus file if you can send me.
Here[1] is a sample HTTP pcap file I used to check the result again.
When I checked the packets inside the file I could see the usual HTTP
connection messages from both client to server and server to client.
I converted the pcap file to an arg3 file via
argus -mAJZR -r 55b43299cd167ee1c78e34b2097d52dc.pcap -w http.arg3
Then I used racluster to see the unified flows:
racluster -L0 -nr http.arg3 - tcp and port 80 \
    -s proto saddr sport dir daddr dport stime ltime dur \
       sbytes sappbytes dappbytes dbytes spkts dpkts sloss dloss > http.txt
When I checked the http.txt file, I saw only unidirectional flows.
I also checked the arg3 file with ra -nr; again there were no
bidirectional flows.
Maybe you can explain the reason for that, so I can understand the
meaning of directionality more clearly.
[1]
http://www.pcapr.net/view/bwilkerson/2008/10/3/14/55b43299cd167ee1c78e34b2097d52dc.pcap.html
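The two views the poster compares (one record per 5-tuple versus one record per connection with separate src and dst counters) can be shown with a small flow model. The following is an added example written for this page; it is not argus or racluster code and does not parse the pcap above. The packets are constructed inline, the addresses are TEST-NET values, and the "->" / "<->" labels are an assumed simplification of a dir column, not the exact argus encoding.

```python
"""
Toy flow model (added example, not argus code).

Packets are reduced to (proto, saddr, sport, daddr, dport, ts, length, syn)
records constructed inline; no pcap parsing is done.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str, int, str, int]


@dataclass
class Packet:
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    ts: float
    length: int
    syn: bool = False  # pure SYN: marks the connection initiator


@dataclass
class Flow:
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    stime: float
    ltime: float
    spkts: int = 0
    dpkts: int = 0
    sbytes: int = 0
    dbytes: int = 0

    @property
    def dir(self) -> str:
        # Assumed simplification of a 'dir' column: "->" when only
        # src->dst traffic was merged, "<->" when both sides were.
        return "<->" if self.dpkts else "->"

    @property
    def dur(self) -> float:
        return self.ltime - self.stime


def fwd_key(p: Packet) -> Key:
    return (p.proto, p.saddr, p.sport, p.daddr, p.dport)


def rev_key(p: Packet) -> Key:
    return (p.proto, p.daddr, p.dport, p.saddr, p.sport)


def aggregate(packets: List[Packet], bidirectional: bool) -> List[Flow]:
    """Fold packets into flow records.

    bidirectional=False: the key is the 5-tuple as sent, so each side of a
    TCP connection becomes its own record (one record per direction).
    bidirectional=True: a packet whose reversed 5-tuple already exists is
    counted on the 'd' side of that record instead of opening a new one.
    """
    flows: Dict[Key, Flow] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        k = fwd_key(p)
        if k in flows:
            f = flows[k]
            f.spkts += 1
            f.sbytes += p.length
        elif bidirectional and rev_key(p) in flows:
            f = flows[rev_key(p)]
            f.dpkts += 1
            f.dbytes += p.length
        else:
            # Orientation is fixed by the first packet seen. A pure SYN is
            # reliable; for a connection captured mid-stream the first
            # packet may be the server's, and the record comes out reversed.
            f = Flow(p.proto, p.saddr, p.sport, p.daddr, p.dport,
                     p.ts, p.ts, spkts=1, sbytes=p.length)
            flows[k] = f
        f.ltime = max(f.ltime, p.ts)
    return list(flows.values())


def sample_packets() -> List[Packet]:
    """Constructed HTTP exchange plus a connection captured mid-stream."""
    c, s = "192.0.2.5", "192.0.2.10"
    return [
        Packet("tcp", c, 40000, s, 80, 0.000, 74, syn=True),  # SYN
        Packet("tcp", s, 80, c, 40000, 0.020, 74),             # SYN/ACK
        Packet("tcp", c, 40000, s, 80, 0.021, 66),             # ACK
        Packet("tcp", c, 40000, s, 80, 0.022, 500),            # GET
        Packet("tcp", s, 80, c, 40000, 0.050, 1500),           # response
        Packet("tcp", s, 80, c, 40000, 0.051, 1500),
        Packet("tcp", c, 40000, s, 80, 0.060, 66),             # FIN/ACK
        Packet("tcp", s, 80, c, 40000, 0.080, 66),             # FIN/ACK
        # second connection, capture started after the handshake
        Packet("tcp", s, 80, c, 40001, 10.000, 1500),
        Packet("tcp", c, 40001, s, 80, 10.010, 66),
        Packet("tcp", s, 80, c, 40001, 10.020, 1500),
    ]


def print_flows(flows: List[Flow]) -> None:
    for f in flows:
        print(f"{f.proto} {f.saddr}:{f.sport} {f.dir} {f.daddr}:{f.dport} "
              f"dur={f.dur:.3f} spkts={f.spkts} dpkts={f.dpkts} "
              f"sbytes={f.sbytes} dbytes={f.dbytes}")


if __name__ == "__main__":
    print("unidirectional:")
    print_flows(aggregate(sample_packets(), bidirectional=False))
    print("bidirectional:")
    print_flows(aggregate(sample_packets(), bidirectional=True))
```

Running it prints four unidirectional records (two per connection) and two bidirectional ones. The second connection shows the caveat worth checking in any flow tool: with no SYN in the capture, orientation falls back to whichever packet was seen first, so the server ends up as "source" and sbytes/dbytes are swapped relative to what a client/server reading would expect.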