Developing an Argus client

Carter Bullard carter at qosient.com
Fri Jun 5 10:36:51 EDT 2009 

Hey Harry,
I don't think I answered your earlier questions?
Question #1.  Yes, they represent different metrics for the different  
phases of a TCP connection,
and can be controlled using the argus.conf variables.  ARGUS_TCP_PERF  
DSR's, are very big,
so we don't want to transport them if we don't have any PERF data to  
report.  The
ARGUS_TCP_STATUS, struct is the smallest and contains only the flags  
fields.  You will
see these more likely when the clients are converting Netflow records  
to Argus records.

The ARGUS_TCP_INIT struct will be seen when you see failed TCP  
connections.  I.e.,
SYN -> RST volleys, TCP RST scans, etc..... or when argus() is  
configured to not generate
the ARGUS_TCP_PERF dsrs.

  If you have configured argus() to generate ARGUS_TCP_PERF dsrs,  you  
can get either
ARGUS_TCP_INIT or ARGUS_TCP_PERF dsrs for the same flow, depending on  
many
conditions.


Question #2. I took out ARGUS_NORMAL_CLOSE a while back, because most  
Windows
machines weren't closing normally (using fast close strategies), and  
so it was confusing
to use the metric.  Tcp normal close was just this filter:

    "tcp and fin and finack"

So you can add that kind of logic to your system, if you like, but  
just because a system
sends a RST, doesn't mean it wasn't a healthy, normal TCP connection,  
so thats why that
is not there.

Carter

On Jun 3, 2009, at 10:31 PM, Harry Bock wrote:

> Hi all,
>
> I've published my current work to our public cgit repository.
> The current periscope source code can be found at http://projects.oshean.org/index.cgi/periscope-argus/ 
> .  I hope eventually that this work will be of some use to the  
> community! :)
>
> On Fri, May 29, 2009 at 3:58 PM, Harry Bock <harry at oshean.org> wrote:
> Hey Carter,
>
> Two quick questions:
> - What is the difference between records with net subtypes  
> ARGUS_TCP_PERF, ARGUS_TCP_INIT, and ARGUS_TCP_STATUS? Is it possible  
> to receive all three for the same flow, in three different  
> RaProcessRecord calls?
>
> - I'm currently testing things using PCAP captures processed by the  
> argus server program, but none of the TCP flows I've seen have the  
> ARGUS_NORMAL_CLOSE flag set - should I assume it's a normal close if  
> none of the ARGUS_RESET etc. flags are set?
>
> Thanks,
> Harry
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090605/ffdbc1d9/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090605/ffdbc1d9/attachment.bin>

More information about the argus mailing list