Question about states

Matt Brewer hilather at gmail.com
Sat Nov 21 22:53:50 EST 2009


Hello,

I have a few questions and ideas I'd like to share.

Some of the flows in my captures are marked EC (this is with the -z option to show mimic TCP states), and I haven't been able to determine what the C stands for. Any idea what it means?

Also, I've been working with the states field a lot with the -z option, and it's come to my attention that the sSEfFR orientation of the flags doesn't actually give me any indication of who sent what packets with what TCP flags. I'm aware I can remove the -z and use the -Zs or -Zd option, and it will give me an output of which TCP flags were set for each direction, but it would be nice to actually have both options displayed. If I use the -Zb option, it looks like it attempts to print out both states delimited by an underscore; however, the field appears to be truncated to 5 characters and is often cut off. And even if it wasn't cut off, the TCP flags aren't displayed in order of occurrence.

Is there any reason the state field cannot keep the occurrence of flags in order? It would be incredibly useful to display the state of the flow in order. Ideally I would like to see the TCP flags as lower-case letters for source-produced flags and upper-case letters for destination-produced flags. A system like this would allow us to easily determine which side of the flow tore down the TCP session, either via a FIN or RST.

Also, I've recently seen the "man" protocol in my captures.  What exactly is this supposed to indicate? Some of the "man" flows are marked with STP or STA in the state field.  I am assuming that "man" refers to switch management protocols? Correct me if I'm wrong.

Also, the "man" protocol flows with the state "STA" have zero destination or source packets, which is very bizarre; I do not understand how a flow could exist without packets.

Oh, also, what is the "offset" field for? The man pages are rather vague: "record byte offset in file or stream."

Thanks in advance; argus is a wonderful tool.

===========================
| Matt Brewer
| CCNA
| www.sheridantutorials.com
===========================
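The following is an added illustration of the ordered, direction-coded state string proposed in the message above (lower-case letters for flags the source sent, upper-case for flags the destination sent, in order of first occurrence), together with the teardown check the proposal is meant to enable. It is not argus code and does not reproduce argus's actual -z or -Z encoding; the function names `encode_state` and `teardown_initiator`, the within-packet flag ordering, and the three sample flows are all constructed for this example.

```python
# Illustration of a direction-aware, order-preserving TCP state string.
# Hypothetical design, not argus's real state encoding.

# Letter assigned to each TCP flag; case is added later to mark direction.
FLAG_LETTERS = {"SYN": "s", "FIN": "f", "RST": "r", "PSH": "p", "URG": "u", "ACK": "a"}

# Order in which flags of a single packet are emitted (packets themselves are
# processed in arrival order, which is what preserves "who did what first").
FLAG_ORDER = ("SYN", "FIN", "RST", "PSH", "URG", "ACK")


def encode_state(packets):
    """Build the state string from (direction, flags) pairs in arrival order.

    direction: "src" (initiator -> responder) or "dst" (responder -> initiator)
    flags:     a set of TCP flag names, e.g. {"SYN", "ACK"}

    Each (direction, flag) combination is recorded only the first time it is
    seen, so the string stays short while keeping first-occurrence order.
    """
    seen = set()
    out = []
    for direction, flags in packets:
        for name in FLAG_ORDER:
            if name not in flags or (direction, name) in seen:
                continue
            seen.add((direction, name))
            letter = FLAG_LETTERS[name]
            out.append(letter if direction == "src" else letter.upper())
    return "".join(out)


def teardown_initiator(state):
    """Return (side, method) for the side that first tore the session down.

    side is "src" or "dst"; method is "FIN" or "RST". Returns None when the
    state string contains neither a FIN nor an RST from either side.
    """
    for ch in state:
        low = ch.lower()
        if low in ("f", "r"):
            side = "src" if ch.islower() else "dst"
            return side, ("FIN" if low == "f" else "RST")
    return None


# Constructed sample flows (not captured data).
# 1) Normal handshake, one data segment, source closes first.
SAMPLE_CLOSE_BY_SRC = [
    ("src", {"SYN"}),
    ("dst", {"SYN", "ACK"}),
    ("src", {"ACK"}),
    ("src", {"PSH", "ACK"}),
    ("dst", {"ACK"}),
    ("src", {"FIN", "ACK"}),
    ("dst", {"FIN", "ACK"}),
    ("src", {"ACK"}),
]

# 2) Connection attempt refused by the destination with a reset.
SAMPLE_RST_BY_DST = [
    ("src", {"SYN"}),
    ("dst", {"RST", "ACK"}),
]

# 3) Handshake only; no teardown observed yet.
SAMPLE_OPEN = [
    ("src", {"SYN"}),
    ("dst", {"SYN", "ACK"}),
    ("src", {"ACK"}),
]


if __name__ == "__main__":
    for label, flow in (("close by src", SAMPLE_CLOSE_BY_SRC),
                        ("rst by dst", SAMPLE_RST_BY_DST),
                        ("still open", SAMPLE_OPEN)):
        state = encode_state(flow)
        print(f"{label:14s} state={state!r:12s} teardown={teardown_initiator(state)}")
```

Because each side's flags are recorded on first occurrence and the packet order is preserved, the first lower- or upper-case f/r in the string identifies the side that initiated teardown, which is the question a per-direction but unordered field cannot answer.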
