[argus]how can i get all the tcp syn request

shallwe19 shallwe19 at gmail.com
Tue Sep 7 06:10:22 EDT 2010


Thanks for your help, but it seems the problem has not been solved.

All the argus data is stored in a MySQL database, and I want to get all the SYN packets from the MySQL database.
I ran a test: I did a SYN scan of a host (192.168.11.25) with nmap using the -sS option from another host (192.168.19.14). At the same time, using tcpdump on the target host, I saw that all the packets were SYN packets, but in the MySQL db I see all the packets are marked with RST. Is there some mistake in argus when it writes the data to MySQL?


Here is the output of tcpdump:

01:14:32.215260 IP 192.168.19.14.54903 > 192.168.11.25.19101: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215261 IP 192.168.19.14.54903 > 192.168.11.25.427: S 878641122:878641122(0) win 3072 <mss 1460>
01:14:32.215307 IP 192.168.19.14.54903 > 192.168.11.25.10012: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215414 IP 192.168.19.14.54903 > 192.168.11.25.9009: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215460 IP 192.168.19.14.54903 > 192.168.11.25.19101: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215544 IP 192.168.19.14.54903 > 192.168.11.25.4445: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215607 IP 192.168.19.14.54903 > 192.168.11.25.3869: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215683 IP 192.168.19.14.54903 > 192.168.11.25.10012: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215746 IP 192.168.19.14.54903 > 192.168.11.25.4445: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215747 IP 192.168.19.14.54903 > 192.168.11.25.992: S 878641122:878641122(0) win 3072 <mss 1460>
01:14:32.215801 IP 192.168.19.14.54903 > 192.168.11.25.543: S 878641122:878641122(0) win 2048 <mss 1460>


Here is the output image from the MySQL database; if you do not see the image, you can find it in the attachment.




Is there any way I can get all the SYN packets from the MySQL db? Thank you all very much!

2010-09-07 



shallwe19 



From: Carter Bullard 
Sent: 2010-09-04 04:29:06 
To: Paul Schmehl 
Cc: shallwe19; argus-info 
Subject: Re: [ARGUS] [argus]how can i get all the tcp syn request 
 
Hey Guys,
To get just tcp flows that had the syn:
   ra -ZS xxx - syn
To get tcp flows that had the syn or the synack argus states:
   ra -ZS xxx - syn or synack
To get flows that had tcp flags ack and push:
   ra - ack and push
The "Z" flag by itself just modifies how the "state" field is printed.
Carter
On Sep 3, 2010, at 3:11 PM, Paul Schmehl wrote:
> --On Friday, September 03, 2010 14:44:37 +0800 shallwe19 <shallwe19 at gmail.com> wrote:
> 
>> 
>> Sorry to interrupt you, but will anybody tell me how I can get all the TCP
>> SYN requests?
>> It seems that when I run "ra -ZS xxx", I get some UDP requests.
>> 
>> Can anyone help me?
> 
> ra -Zs xxx
> 
> -- 
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Catch16.jpg
Type: image/jpeg
Size: 464473 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100907/5f2e56bb/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus_db.png
Type: application/octet-stream
Size: 44625 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100907/5f2e56bb/attachment.obj>
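The confusion in this thread comes from argus recording flows rather than packets: every packet on a TCP 5-tuple is folded into one flow record, so a SYN probe that the closed port answers with a RST shows up as a flow in RST state even though the scanner only ever sent a SYN. Selecting on the SYN flag (Carter's `ra ... - syn` filter) is therefore a different question from selecting on the RST state, and both the `-Z` per-direction flag display and the flag filters answer the first one. The model below is an added illustration written for this page, not argus code: it folds constructed tcpdump-style lines (the SYNs from the post plus the RST replies a closed port would send, and one open port that completes the handshake) into flow records, labels them with argus-like REQ/RST/CON states, and evaluates `syn`, `synack`, `rst`, `ack`, `push` and `fin` terms joined by `and`/`or` the way the ra filters in Carter's reply are written. The state labels, the letter order in the flag string and the rule that a term matches if any packet in either direction carried that flag are assumptions of this model, not argus's exact behaviour.

```python
"""Toy model of how argus summarises a SYN scan into flow records.

Added example, not argus code.  State names (REQ/RST/CON/FIN/EST) follow the
argus convention; the exact rules, the flag-letter order and the filter
semantics are this model's own simplifications.
"""
import re
from collections import OrderedDict

# Constructed tcpdump-style input: the scanner's SYNs (one retransmitted),
# assumed RST replies from closed ports, and one open port (22) that
# answers SYN/ACK and is torn down by the scanner's RST.
SAMPLE_TCPDUMP = """\
01:14:32.215260 IP 192.168.19.14.54903 > 192.168.11.25.19101: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215261 IP 192.168.19.14.54903 > 192.168.11.25.427: S 878641122:878641122(0) win 3072 <mss 1460>
01:14:32.215300 IP 192.168.11.25.19101 > 192.168.19.14.54903: R 0:0(0) ack 878641123 win 0
01:14:32.215301 IP 192.168.11.25.427 > 192.168.19.14.54903: R 0:0(0) ack 878641123 win 0
01:14:32.215307 IP 192.168.19.14.54903 > 192.168.11.25.22: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215350 IP 192.168.11.25.22 > 192.168.19.14.54903: S 100:100(0) ack 878641123 win 5840 <mss 1460>
01:14:32.215360 IP 192.168.19.14.54903 > 192.168.11.25.22: R 878641123:878641123(0) win 0
01:14:32.215414 IP 192.168.19.14.54903 > 192.168.11.25.9009: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215460 IP 192.168.19.14.54903 > 192.168.11.25.19101: S 878641122:878641122(0) win 4096 <mss 1460>
"""

PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SRPF.]+) (?P<rest>.*)$"
)

def parse_packet(line):
    """Parse one old-style tcpdump TCP line into (ts, src, dst, flagset).
    Letters: S=SYN, A=ACK, R=RST, P=PSH, F=FIN.  tcpdump prints a pure ACK
    as '.', and an 'ack N' field for any packet with the ACK bit set."""
    m = PKT_RE.match(line)
    if not m:
        return None
    flags = set(m["flags"]) - {"."}
    if re.search(r"\back\b", m["rest"]):
        flags.add("A")
    src = (m["sip"], int(m["sport"]))
    dst = (m["dip"], int(m["dport"]))
    return m["ts"], src, dst, frozenset(flags)

def aggregate_flows(text):
    """Fold packets into bidirectional flows; the first packet's sender is 'src'."""
    flows = OrderedDict()
    for line in text.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        ts, src, dst, flags = pkt
        key = frozenset((src, dst))
        if key not in flows:
            flows[key] = {"start": ts, "src": src, "dst": dst,
                          "src_pkts": [], "dst_pkts": []}
        f = flows[key]
        (f["src_pkts"] if src == f["src"] else f["dst_pkts"]).append(flags)
    return list(flows.values())

def flow_state(f):
    """Argus-like summary state for the whole flow (simplified rules)."""
    seen = set().union(*f["src_pkts"], *f["dst_pkts"])
    if "R" in seen:
        return "RST"                       # a reset ends the flow, whoever sent it
    if "F" in seen:
        return "FIN"
    if any({"S", "A"} <= p for p in f["dst_pkts"]):
        return "CON"                       # handshake answered by the responder
    if any("S" in p for p in f["src_pkts"]):
        return "REQ"                       # SYN seen, no answer
    return "EST"                           # picked up mid-connection

FLAG_ORDER = "SAPFR"   # model's own order for the per-direction flag string

def tcp_flag_string(f):
    """'<src flags>_<dst flags>', in the spirit of ra's -Z per-direction display."""
    def fold(pkts):
        return "".join(c for c in FLAG_ORDER if any(c in p for p in pkts))
    return fold(f["src_pkts"]) + "_" + fold(f["dst_pkts"])

# A filter term is true if any packet in either direction carried that flag
# combination (model assumption).
TERMS = {
    "syn":    lambda p: "S" in p,
    "synack": lambda p: {"S", "A"} <= p,
    "ack":    lambda p: "A" in p,
    "push":   lambda p: "P" in p,
    "rst":    lambda p: "R" in p,
    "fin":    lambda p: "F" in p,
}

def matches(f, expr):
    """Evaluate an ra-style flag filter such as 'syn', 'syn or synack' or
    'ack and push'.  'and' binds tighter than 'or', as in BPF."""
    pkts = f["src_pkts"] + f["dst_pkts"]
    def term(t):
        return any(TERMS[t.strip()](p) for p in pkts)
    return any(all(term(t) for t in clause.split(" and "))
               for clause in expr.split(" or "))

def select(flows, expr):
    return [f for f in flows if matches(f, expr)]

if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE_TCPDUMP)
    for f in flows:
        print("%s:%d -> %s:%d  state=%-4s flags=%s" % (
            f["src"][0], f["src"][1], f["dst"][0], f["dst"][1],
            flow_state(f), tcp_flag_string(f)))
    for expr in ("syn", "rst", "syn or synack", "ack and push"):
        print("flows matching %-14r: %d" % (expr, len(select(flows, expr))))
```

With this input every probe matches `syn`, but three of the four flows are in RST state because the responder reset them; only the unanswered probe to port 9009 stays in REQ. That is the effect the poster saw in the database: the state column describes the whole flow, and the SYN has to be selected on the flag bits (or on the per-direction flag string) rather than on the state.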

