argus direction field

Carter Bullard carter at qosient.com
Mon Mar 16 12:17:06 EDT 2009


Hey CS Lee,
The direction indicator is very simple.  For all protocols, except TCP,
it is describing the instantaneous direction of packets on the wire,
so it reflects the src and dst packet counts.

For TCP, it is the direction from initiator to target, when that is known,
and the center letter attempts to convey some state regarding the
TCP flow.

When there is no indication of the initiator in the argus TCP record,
there is a "?" in the direction field, and the indicator reverts to
describing the direction of packets on the wire, as we see in
all the other protocols.

(so specifically related to your question, when there is a "?", it
  does not mean that the programs are guessing, it means that
  they do not know.  Now, raservices() will guess, and we'll need
  an indication of that in the label that it generates )

For ARP and RARP, the direction becomes, "who" and/or "has"
depending on whether argus saw the request and/or response
to the ARP volley.

Is this behavior adequate?  Would anyone like it to be/do anything
else?

Carter


On Mar 16, 2009, at 9:05 AM, CS Lee wrote:

> hi carter,
>
> Regarding the direction field in argus flow record, I read the man  
> page about this -
>
>                -  - transaction was NORMAL
>                |  - transaction was RESET
>                o  - transaction TIMED OUT.
>                ?  - direction of transaction is unknown.
>
> Okay, sometimes we see the record in this
>
> saddr <- daddr
> saddr -> daddr
> saddr <-> daddr
>
> As argus reports current state of flow, does it mean
>
> saddr <- daddr = destination address is sending data to source address
> saddr -> daddr = source address is sending data to destination address
> saddr <-> daddr = both end points have data exchanges for the moment
>
> And for this -
>
> saddr ?> daddr
> saddr <? daddr
> saddr <?> daddr
>
> Does this mean
>
> saddr ?> daddr - guess the source address may be the traffic originator
> saddr <? daddr - guess the destination address may be the traffic
> originator
> saddr <?> daddr - not too sure either address is the traffic originator
>
> I know you have explained a little bit about it but I just need to  
> make sure I interpret this correctly though I can actually know the  
> current state of connection by looking at state field.
>
> Thanks.
>
>
> -- 
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
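To make the rules in Carter's reply concrete, here is an added example (not argus code, and not from either correspondent) that interprets a direction token the way the thread describes it: for everything except TCP the arrows show which way packets went on the wire; for TCP they show initiator to target, unless the centre character is "?", in which case the initiator is unknown and the arrows fall back to wire direction; for ARP/RARP the field is made of the words "who" and/or "has". The token shapes (an optional "<", one centre character from the man page list, an optional ">") and the sample records are assumptions constructed for the example, and the names `parse_dir`, `describe` and `summarize` are hypothetical.

```python
import re

# Centre-character states, as listed in the argus man page excerpt quoted
# in the thread.
STATES = {
    "-": "NORMAL",
    "|": "RESET",
    "o": "TIMED OUT",
    "?": "UNKNOWN",
}

# Assumed token shape: optional '<', one centre character, optional '>'
# (e.g. '->', '<-', '<->', '?>', '<?', '<?>').
TOKEN = re.compile(r"^(<?)([-|o?])(>?)$")


def parse_dir(proto, token):
    """Return a dict explaining one 'dir' token for the given protocol."""
    proto = proto.lower()
    token = token.strip()

    if proto in ("arp", "rarp"):
        words = token.split()
        if not words or any(w not in ("who", "has") for w in words):
            raise ValueError("unexpected ARP direction token: %r" % token)
        return {
            "proto": proto,
            "arp_words": words,
            # Per the thread: the words present reflect whether argus saw
            # the request and/or the response; no finer mapping is assumed.
            "meaning": "request and/or response observed: " + " ".join(words),
        }

    m = TOKEN.match(token)
    if m is None:
        raise ValueError("unexpected direction token: %r" % token)
    left, centre, right = m.groups()

    if left and right:
        orientation = "both"
    elif right:
        orientation = "src_to_dst"
    elif left:
        orientation = "dst_to_src"
    else:
        orientation = "none"

    # Only TCP carries initiator/target semantics, and only when the
    # centre character is not '?'; otherwise the arrows describe packets
    # on the wire (i.e. the src and dst packet counts).
    initiator_known = proto == "tcp" and centre != "?"
    arrows_describe = ("initiator to target" if initiator_known
                       else "packets on the wire")

    return {
        "proto": proto,
        "orientation": orientation,
        "state": STATES[centre],
        "initiator_known": initiator_known,
        "arrows_describe": arrows_describe,
    }


def describe(proto, saddr, token, daddr):
    """One-line English rendering of a record's direction information."""
    info = parse_dir(proto, token)
    if "arp_words" in info:
        return "%s %s %s: %s" % (proto, saddr, daddr, info["meaning"])

    if info["orientation"] == "both":
        flow = "%s <-> %s" % (saddr, daddr)
    elif info["orientation"] == "src_to_dst":
        flow = "%s -> %s" % (saddr, daddr)
    elif info["orientation"] == "dst_to_src":
        flow = "%s <- %s" % (saddr, daddr)
    else:
        flow = "%s .. %s" % (saddr, daddr)
    return "%s %s [%s; arrows show %s]" % (
        proto, flow, info["state"], info["arrows_describe"])


# Constructed sample records (proto, saddr, dir, daddr); not real ra output.
SAMPLE_RECORDS = [
    ("tcp", "192.0.2.10", "->", "198.51.100.5"),
    ("tcp", "192.0.2.10", "<?>", "198.51.100.5"),
    ("udp", "192.0.2.10", "<-", "198.51.100.53"),
    ("arp", "192.0.2.1", "who", "192.0.2.20"),
]


def summarize(records=SAMPLE_RECORDS):
    """Describe every sample record; returns the list of lines."""
    return [describe(*r) for r in records]


if __name__ == "__main__":
    for line in summarize():
        print(line)
```

The useful property for anyone building detection logic on ra output is the `initiator_known` flag: a TCP record with "?" in the middle is not a guess about who initiated, it is an explicit statement that argus did not see the start of the connection, so the arrows for that record should be read as packet direction only, exactly as for UDP.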


