Question about flow direction classification

Carter Bullard carter at qosient.com
Tue Nov 10 22:33:25 EST 2009


Hey Matt,
This is a good place to ask whatever questions you have.

The direction indicator is different for the two basic flow types, connection oriented
and connection-less.  For connection oriented flows, it is trying to show you
the initiator of the connection.   This is important, as it helps in understanding the
port numbers and their significance (which port range is the service port in); it also
helps to define the service, whether it's a consumer or producer type of service.  

For connection-less flows, the direction indicator will show you simply the direction
of packets.

If argus knows the direction for connection oriented flows, the direction indicator
will be a single headed arrow from initiator (src) to target (dst).  It knows because
it keeps the state of connection establishment.  If it doesn't know (say for TCP, it
didn't see the SYN or SYN_ACK packets) then it will put a '?' in the center, and the
arrowheads will represent packet directions.  You can get this information from
the status field, but a simple indicator in the center of the flow record output was
a simple visual clue.

No real documentation on architecture, but I'd be happy to answer any question,
 including implementation and the design philosophy etc... on the mailing list.  That
way we capture the topic and any discussions.  

Any question is fair game.

Carter

On Nov 10, 2009, at 6:31 PM, Matt Brewer wrote:

> Hello,
> 
> I'm currently doing a research project on Network flows and my team is using Argus to perform most of our analysis.  I'm not sure if this is the best place to ask questions like this, if I'm in the wrong place please let me know.
> 
> I've noticed that a number of network flows that I would generally classify as bi-directional are actually classified by Argus with -> which would be uni-directional (I assume this is flow of payload data).  Many SSH flows appear with this direction.  Can you explain this behavior?  Also, I've spent quite some time reading through the numerous man pages on the different Argus tools, are there any papers that explain the inner workings of Argus?  I'm interested in materials that explain how some of the not so obvious information is derived. 
> 
> ===========================
> | Matt Brewer
> | CCNA
> | www.sheridantutorials.com
> ===========================
> 

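As an added illustration of the rule Carter describes (this is not code from the thread or from Argus itself), here is a small Python model that derives a direction indicator from a list of packets: for TCP it looks for the SYN / SYN-ACK exchange to name the initiator and otherwise falls back to a '?' with arrowheads for observed packet directions; for connection-less traffic the arrowheads simply show packet directions. The Packet class, the flag constants and the exact indicator strings are my assumptions modelled on the description, not Argus's real output format; the sample flows are constructed, not captured.

```python
from dataclasses import dataclass
from typing import List

# TCP flag bits (assumed constants for this illustration)
SYN, ACK = 0x02, 0x10


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    flags: int = 0  # TCP flag bits; ignored for connection-less flows


def classify_direction(packets: List[Packet]) -> str:
    """Return an Argus-like direction indicator for one flow.

    The first packet fixes the flow's src/dst orientation. For TCP, a seen
    SYN answered by a SYN-ACK from its destination identifies the initiator
    and yields a single-headed arrow from initiator to target, regardless
    of how much data flowed each way. Without the handshake, '?' sits in
    the center and the arrowheads reflect the packet directions seen.
    """
    if not packets:
        raise ValueError("empty flow")
    a, b = packets[0].src, packets[0].dst
    # fwd is always true (first packet defines a); rev means replies were seen
    fwd = any(p.src == a for p in packets)
    rev = any(p.src == b for p in packets)
    if packets[0].proto == "tcp":
        syn = next((p for p in packets if p.flags & SYN and not p.flags & ACK), None)
        synack = next((p for p in packets if p.flags & SYN and p.flags & ACK), None)
        if syn and synack and synack.src == syn.dst:
            return "->" if syn.src == a else "<-"
        return ("<" if rev else " ") + "?" + (">" if fwd else " ")
    # Connection-less: only packet directions are known
    return "<->" if (fwd and rev) else "->"


# Constructed sample: an SSH-like session with a full handshake and payload
# in both directions; the indicator is still "->" (initiator -> target).
SSH_FLOW = [
    Packet("10.0.0.5", "10.0.0.9", "tcp", SYN),
    Packet("10.0.0.9", "10.0.0.5", "tcp", SYN | ACK),
    Packet("10.0.0.5", "10.0.0.9", "tcp", ACK),
    Packet("10.0.0.9", "10.0.0.5", "tcp", ACK),  # server banner
    Packet("10.0.0.5", "10.0.0.9", "tcp", ACK),  # client banner
]

if __name__ == "__main__":
    print(classify_direction(SSH_FLOW))
```

This is why Matt's bi-directional SSH sessions show "->": the arrow marks who opened the connection, not whether payload moved one way.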