flow model and argus irc channel

CS Lee geek00l at gmail.com
Wed Apr 22 04:33:38 EDT 2009 

hi oguz,

i did this

argus -mAJZRU 128 -r 55b43299cd167ee1c78e34b2097d52dc.pcap -w http.arg3

ra -Z b -L0 -nr http.arg3 -s -state +spkts +dpkts +state:16
         StartTime    Flgs  Proto            SrcAddr  Sport   Dir
DstAddr  Dport  TotPkts   TotBytes  SrcPkts  DstPkts            State
   12:07:51.490471  e         tcp        192.168.1.4.47138     ->
192.168.1.7.80           26      15898       14       12        FSPA_FSPA
   12:07:51.824398  e         tcp        192.168.1.4.43050     ->
192.168.1.7.80           26      15898       14       12        FSPA_FSPA
   12:07:52.117994  e         tcp        192.168.1.4.57985     ->
192.168.1.7.80           26      15898       14       12        FSPA_FSPA
   12:07:52.621669  e         tcp        192.168.1.4.36068     ->
192.168.1.7.80           26      15898       14       12        FSPA_FSPA
   12:07:52.913396  e         tcp        192.168.1.4.59833     ->
192.168.1.7.80           28      16030       15       13        FSPA_FSPA
   12:07:53.204475  e         tcp        192.168.1.4.49803     ->
192.168.1.7.80           26      15898       14       12        FSPA_FSPA
   12:07:53.497841  e         tcp        192.168.1.4.53244     ->
192.168.1.7.80           26      15898       14       12        FSPA_FSPA
   12:07:53.835414  e d       tcp        192.168.1.4.46289     ->
192.168.1.7.80           26      15898       14       12        FSPA_FSPA
   12:07:54.127736  e d       tcp        192.168.1.4.46891     ->
192.168.1.7.80           26      15898       14       12        FSPA_FSPA

By default argus updates its flow in every 60 seconds so you have current
view of your flow

ARGUS_FLOW_STATUS_INTERVAL=60

But in the case you have, you have every single network session completed in
less than 60second, that's why each flow in there represent every single
completed network session, and also why you have same result when you merge
the flow with racluster.

And you can see I'm using -Z b option in ra so that you can see both side
tcp flag changes, so we can see FSPA_FSPA which means you do see syn and fin
in the flow, plus if you want to see the tcp flags changes over time you can
use -z option.

ra -z -L0 -nr http-oguz.racluster -s -state +spkts +dpkts +state:16
         StartTime    Flgs  Proto            SrcAddr  Sport   Dir
DstAddr  Dport  TotPkts   TotBytes  SrcPkts  DstPkts            State
   12:07:51.490471  e         tcp        192.168.1.4.47138     ->
192.168.1.7.80           26      15898       14       12            sSEfF
   12:07:51.824398  e         tcp        192.168.1.4.43050     ->
192.168.1.7.80           26      15898       14       12            sSEfF
   12:07:52.117994  e         tcp        192.168.1.4.57985     ->
192.168.1.7.80           26      15898       14       12            sSEfF
   12:07:52.621669  e         tcp        192.168.1.4.36068     ->
192.168.1.7.80           26      15898       14       12            sSEfF
   12:07:52.913396  e         tcp        192.168.1.4.59833     ->
192.168.1.7.80           28      16030       15       13            sSEfF
   12:07:53.204475  e         tcp        192.168.1.4.49803     ->
192.168.1.7.80           26      15898       14       12            sSEfF
   12:07:53.497841  e         tcp        192.168.1.4.53244     ->
192.168.1.7.80           26      15898       14       12            sSEfF
   12:07:53.835414  e d       tcp        192.168.1.4.46289     ->
192.168.1.7.80           26      15898       14       12             sSEf
   12:07:54.127736  e d       tcp        192.168.1.4.46891     ->
192.168.1.7.80           26      15898       14       12             sSEf

So you will see sSEfF in the state field, and that's indicate tcp connection
established and finished exactly.

I show with src pkts and dst pkts so you know exactly there are packet
exchanges within two hosts, and src addr is exactly the side which initiates
the traffic which is exactly what biflow model able to keep track of.

If you want to know more about the state, check the ra man page. Hopefully
this is clear for you!

Cheers !!!!



On Wed, Apr 22, 2009 at 2:52 PM, Oguz Yarimtepe <comp.ogz at gmail.com> wrote:

> On Wed, 2009-04-22 at 00:11 +0800, CS Lee wrote:
> >
> > I would like to see a argus file if you can send me.
>
> Here[1] is a sample http pcap file, i used to check the result again.
> When i checked the packets inside the file i can see the usual http
> connection messages from both client to server and server to client.
>
> I changed the pcap file to arg3 file via
>
> argus -mAJZR -r 55b43299cd167ee1c78e34b2097d52dc.pcap -w http.arg3
>
> Then i used racluster to see the unified flows:
>
> racluster -L0 -nr http.arg3 - tcp and port 80 -s proto saddr sport dir
> daddr dport stime ltime dur sbytes sappbytes dappbytes dbytes spkts
> dpkts sloss dloss > http.txt
>
> When i checked the http.txt file, i saw only unidirectional flows.
>
> I checked the arg3 file also with ra -nr, again there was not any
> bidirectional flow.
>
> Maybe you can explain the reason of that and i can understand more
> clearly the meaning of directionality.
>
> [1]
>
> http://www.pcapr.net/view/bwilkerson/2008/10/3/14/55b43299cd167ee1c78e34b2097d52dc.pcap.html
>
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090422/9b765897/attachment.html>

More information about the argus mailing list