Search filter, UDP, INT/CON

Carter Bullard carter at
Fri Apr 29 12:12:35 EDT 2011

Hey gentle people,
OK, so I have fixed the 'con' filter item, and 'init' is now equivalent to 'start'.
There is some cleanup work to do on all these states, so if you see something that is amiss,
don't hesitate to send to the list.

This has uncovered a bug in argus, however.  argus() is reporting most records as 'status',
even though they may be starting records or status records.  Which means that currently,
some argus data is incomplete, and I have a bug to fix in argus().
The clients should be fine now.

I'll upload new client software in an hour or so.

Just as a reminder, when there is a question on filters, be sure and use the "-b" option to the ra* program, so that we can
see the compiler output, in the bug report.  Sometimes that helps in understanding if there is really an error.


On Apr 28, 2011, at 7:16 PM, Carter Bullard wrote:

> The 'con' term should match flows that are 'connected'.  For UDP, that would be " src pkts gt 0 and dst pkts gt 0 ".
> I'll go through the flow state indicators tonight as well.
> Carter
> On Apr 28, 2011, at 10:26 AM, elof2 at wrote:
>> On Thu, 28 Apr 2011, Jesper Skou Jensen wrote:
>>> I'm trying to do a search for UDP packages that are INT, alternative not INT, but I can't quite figure out how to do this.
>>> Is it possible to do this with ra directly?
>> Hi Jesper!
>> I thought that a simple 'ra -r log.argus - udp and con' would do the trick, but apparently not. :-(
>> The manual only states this:
>> Ra  filter expressions support primitives that are specific to flow states and can be used to select flow records that were in these states at the time they were generated.  normal, wait, timeout, est or con
>> Apparently, flows are only associated with tcp.
>> There seem to be no primitives for matching connected UDP connections.
>> A question related to the above:
>> What is the difference between 'est' and 'con'?
>> Both seem to match the same thing, established TCP connections.
>> /Elof
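Added example, not part of the thread or of the argus project: a small post-processing script that applies the "connected" rule Carter gives for UDP (src pkts gt 0 and dst pkts gt 0) to ra output, which is a usable fallback while the 'con' filter item is being fixed. The input is a constructed sample modelled on comma-separated ra output (as from `ra -r log.argus -c , -s proto,saddr,daddr,spkts,dpkts`); the addresses, packet counts and column order are assumptions, not real argus data. The 'udp and not con' selection (one-sided UDP flows that never got an answer) is included as well, since that was the second half of Jesper's question.

```python
import csv
from io import StringIO

# Constructed sample modelled on `ra -c , -s proto,saddr,daddr,spkts,dpkts`
# output. Values are made up for illustration; they are not real argus data.
SAMPLE_RA_OUTPUT = """\
proto,saddr,daddr,spkts,dpkts
udp,10.0.0.5,10.0.0.53,1,1
udp,10.0.0.7,192.0.2.10,3,0
tcp,10.0.0.5,198.51.100.20,12,10
udp,10.0.0.9,10.0.0.53,2,2
udp,192.0.2.44,10.0.0.9,0,1
"""


def parse_ra_csv(text):
    """Parse comma-separated ra output into dicts; spkts/dpkts become ints."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["spkts"] = int(row["spkts"])
        row["dpkts"] = int(row["dpkts"])
        rows.append(row)
    return rows


def is_connected(flow):
    """'con' for UDP as described in the thread: both sides sent packets."""
    return flow["spkts"] > 0 and flow["dpkts"] > 0


def select_udp(flows, connected=True):
    """Post-processing equivalent of 'udp and con' (connected=True)
    or 'udp and not con' (connected=False)."""
    return [f for f in flows
            if f["proto"] == "udp" and is_connected(f) == connected]


def summarize(text):
    """Count connected and one-sided UDP flows in a block of ra output."""
    flows = parse_ra_csv(text)
    return {
        "udp_con": len(select_udp(flows, True)),
        "udp_not_con": len(select_udp(flows, False)),
        "total": len(flows),
    }


if __name__ == "__main__":
    for f in select_udp(parse_ra_csv(SAMPLE_RA_OUTPUT)):
        print("connected udp:", f["saddr"], "->", f["daddr"])
    print(summarize(SAMPLE_RA_OUTPUT))
```

On the sample this reports two connected UDP flows (both DNS exchanges) and two one-sided ones; the TCP row is ignored because the protocol test is applied before the packet-count test. If you pipe real ra output into it, keep the `-s` field list identical to the header the script expects, and compare the result against `ra ... - udp and con` with `-b` so the compiler output is in hand if the two disagree.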
