Search filter, UDP, INT/CON
Carter Bullard
carter at qosient.com
Thu Apr 28 19:16:38 EDT 2011
The 'con' term should match flows that are 'connected'. For UDP, that would be " src pkts gt 0 and dst pkts gt 0 ".
I'll go through the flow state indicators tonight as well.
Carter
On Apr 28, 2011, at 10:26 AM, elof2 at sentor.se wrote:
>
> On Thu, 28 Apr 2011, Jesper Skou Jensen wrote:
>> I'm trying to do a search for UDP packages that are INT, alternative not INT, but I can't quite figure out how to do this.
>>
>> Is it possible to do this with ra directly?
>
> Hi Jesper!
>
> I thought that a simple 'ra -r log.argus - udp and con' would do the trick, but apparently not. :-(
>
>
> The manual only states this:
> Ra filter expressions support primitives that are specific to flow states and can be used to select flow records that were in these states at the time they were generated. normal, wait, timeout, est or con
>
>
> Apparently, flows are only associated with tcp.
> There seem to be no primitives for matching connected UDP connections.
>
>
>
> A question related to the above:
> What is the difference between 'est' and 'con' ?
> Both seem to match the same thing, established TCP connections.
>
> /Elof
>
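To make Carter's definition concrete, here is an added example (not argus or ra code, and not from anyone in this thread) that evaluates a small `ra`-style filter over flow records. It assumes records were exported as comma-delimited lines with the fields `proto,saddr,sport,daddr,dport,spkts,dpkts` (the `-s` field names and `-c ,` delimiter are assumptions about ra's output format); the sample records are constructed. The `con` primitive is implemented exactly as stated above for UDP: packets seen in both directions. Running `udp and not con` is a quick way to list one-sided UDP flows, which is what a defender would look at when checking for unanswered probes.

```python
"""Toy evaluator for the 'con' (connected) notion in ra-style filters.

Added example, not argus/ra code. Assumes flow records exported as
comma-delimited lines proto,saddr,sport,daddr,dport,spkts,dpkts (assumed
'ra -s ... -c ,' layout). Sample records below are constructed.
"""
from dataclasses import dataclass

FIELDS = ["proto", "saddr", "sport", "daddr", "dport", "spkts", "dpkts"]

# Constructed sample records (not captured from a real sensor).
SAMPLE = """\
udp,10.0.0.5,51234,10.0.0.53,53,1,1
udp,10.0.0.5,51235,10.0.0.53,53,1,0
udp,192.0.2.7,40000,10.0.0.9,161,3,0
tcp,10.0.0.5,44001,10.0.0.80,80,12,10
udp,10.0.0.5,5000,10.0.0.6,5000,40,38
"""


@dataclass
class Flow:
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    spkts: int
    dpkts: int


def parse_flows(text):
    """Parse comma-delimited records into Flow objects; reject malformed lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        p = line.split(",")
        if len(p) != len(FIELDS):
            raise ValueError(f"bad record: {line!r}")
        flows.append(Flow(p[0], p[1], int(p[2]), p[3], int(p[4]), int(p[5]), int(p[6])))
    return flows


def is_connected(f):
    """'con' as defined in the reply above: src pkts gt 0 and dst pkts gt 0."""
    return f.spkts > 0 and f.dpkts > 0


PRIMITIVES = {
    "udp": lambda f: f.proto == "udp",
    "tcp": lambda f: f.proto == "tcp",
    "con": is_connected,
}


def compile_filter(expr):
    """Compile 'udp and not con' style text (and/or/not, parentheses) to a predicate."""
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():          # lowest precedence
        left = parse_and()
        while peek() == "or":
            take()
            left = (lambda a, b: lambda f: a(f) or b(f))(left, parse_and())
        return left

    def parse_and():
        left = parse_not()
        while peek() == "and":
            take()
            left = (lambda a, b: lambda f: a(f) and b(f))(left, parse_not())
        return left

    def parse_not():
        if peek() == "not":
            take()
            inner = parse_not()
            return lambda f: not inner(f)
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in PRIMITIVES:
            return PRIMITIVES[tok]
        raise ValueError(f"unknown primitive {tok!r}")

    pred = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter")
    return pred


def select(text, expr):
    """Return the flows in `text` matching the filter expression `expr`."""
    pred = compile_filter(expr)
    return [f for f in parse_flows(text) if pred(f)]


if __name__ == "__main__":
    for f in select(SAMPLE, "udp and not con"):
        print(f"one-sided udp: {f.saddr}:{f.sport} -> {f.daddr}:{f.dport} spkts={f.spkts}")
```

With the constructed sample, `udp and con` matches the DNS exchange and the bidirectional port-5000 flow, while `udp and not con` lists the two flows that never saw a reply.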