question re proto field

Carter Bullard carter at qosient.com
Thu May 21 20:54:40 EDT 2009 

Hey Rodney,
The "M" in the 'flgs' field indicates that there were "Multiple" mac  
header addresses
used to support the flow.  If you print the smac and dmac fields, you  
may see
the multiple ethernet addresses used.  We report that there were  
multiple, we
only store one set of working pairs per status interval (the first  
ones seen).

This usually means asymmetric routing/switching.

The "fragment overlap seen" indicator is a big deal.  Suppose to  
indicate that
Fragments overwrote bytes during reassembly, usually used to bypass  
firewalls/snort,
.... maybe a bug if you don't suspect a problem.  Quite a bit of loss,  
but if the server
is far away, not a big deal.

Carter

On May 21, 2009, at 8:45 PM, Rodney McKee wrote:

> Hello,
>
> Just wondering how to read these sets of info in the proto field, I  
> don't see anything regarding M in the man page, these are all  
> different connections between the same mail servers.
>
> 20:47:05.667747  M s       tcp    aaa.aaa.aaa.aaa.44821     ->        
> bb.bb.bb.bbb.25          140     114509 sSEfR
> 21:02:20.528479  M         tcp    aaa.aaa.aaa.aaa.59185     ->        
> bb.bb.bb.bbb.25           47      32185 sSEfR
> 21:47:04.173484  M    V    tcp    aaa.aaa.aaa.aaa.45523     ->        
> bb.bb.bb.bbb.25           32      15688 sSEfR
> 22:12:03.167259  e s       tcp    aaa.aaa.aaa.aaa.51619     ->        
> bb.bb.bb.bbb.25           88      64563 sSEfF
> 22:12:03.167338  e         tcp    aaa.aaa.aaa.aaa.51621     ->        
> bb.bb.bb.bbb.25           78      62288 sSEfR
> 00:13:20.505744  M *       tcp    aaa.aaa.aaa.aaa.42067     ->        
> bb.bb.bb.bbb.25           92      69954 sSEfR
> 00:17:01.273999  e *       tcp    aaa.aaa.aaa.aaa.43610     ->        
> bb.bb.bb.bbb.25           42      21250 sSEfF
>
> Regards
> Rodney

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090521/9bc15773/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090521/9bc15773/attachment.bin>

More information about the argus mailing list