Need clarification about Aggregation argus decision
el draco
eldraco at gmail.com
Wed Aug 24 05:34:04 EDT 2011
Hi guys, I'm dealing with one situation I don't clearly understand.
Can you help me?
I have these packets in a pcap file, captured with tcpdump:
321 1312373468.282819 xx.xx.xx.xx yy.yy.yy.yy TCP 66 59915 > 51413 [SYN] Seq=0 Win=8192 Len=0
322 1312373468.282836 yy.yy.yy.yy xx.xx.xx.xx TCP 54 51413 > 59915 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
333 1312373468.806651 xx.xx.xx.xx yy.yy.yy.yy TCP 66 59915 > 51413 [SYN] Seq=0 Win=8192 Len=0
334 1312373468.806673 yy.yy.yy.yy xx.xx.xx.xx TCP 54 51413 > 59915 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
343 1312373469.319212 xx.xx.xx.xx yy.yy.yy.yy TCP 62 59915 > 51413 [SYN] Seq=0 Win=8192 Len=0
344 1312373469.319227 yy.yy.yy.yy xx.xx.xx.xx TCP 54 51413 > 59915 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
In summary, this is the xx.xx.xx.xx IP address trying to connect to
yy.yy.yy.yy port 51413. This port is closed, so it gets a RST back. It
tried three times.
I'm attaching the anonymized pcap file (six-packets.pcap).
Using argus 2.0.6.fixes.1 (debian stable argus version), with default
argus server configuration and default ra client configuration, I get
this output (sorry if gmail cuts the long lines):
Date flow start Duration Prot Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes Flows
2011-08-03 14:11:08.282 0.000 TCP 89.102.143.14:59915 -> 147.32.84.189:51413 STA 0.00 2 120 1
2011-08-03 14:11:08.806 0.000 TCP 89.102.143.14:59915 -> 147.32.84.189:51413 STA 0.00 2 120 1
2011-08-03 14:11:09.319 0.000 TCP 89.102.143.14:59915 -> 147.32.84.189:51413 STA 0.00 2 116 1
Commands:
argus -r six-packets.pcap -w six-packets.argus.2.0.6 -F argus.2.0.6.conf
ra -r six-packets.argus.2.0.6 -F ra.2.0.6.conf
I'm attaching the argus (argus.2.0.6.conf) and ra configuration files
(ra.2.0.6.conf).
Also I'm attaching the argus output file (six-packets.argus.2.0.6) and
the ra text output file (ra.2.0.6.txt).
So far, so good.
But with argus 3.0.4 (compiled), with default argus server
configuration (I'm attaching argus.3.0.4.conf) and a simple ra client
configuration (I'm attaching ra.3.0.4.conf), I get this output
instead:
StartTime,Dur,Proto,Trans,Flgs,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,Rate,State,sTos
14:11:08.282819,1.036408,tcp,1, e s ,43.27.163.74,59915, ->,189.230.109.207,51413,6,356,4.824355,RST,0
Commands:
argus -r six-packets.pcap -w six-packets.argus.3.0.4 -F argus.3.0.4.conf
ra -r six-packets.argus.3.0.4 -F ra.3.0.4.conf
The main difference seems to be within the aggregation strategy. ra
2.0.6 output is better for me, because I need to know the time between
SYN packets. In ra 3.0.4 output I can't know the inter-SYN-packet
times.
I tried to re-configure argus 3.0.4 and ra, but I was not able to get
an output similar to 2.0.6. Can you help me to see how I can achieve
this? I want argus 3.0.4 to end the flow accounting when it sees a RST
packet.
Thanks in advance, and sorry for the long mail.
Sebas
Attached text file ra.2.0.6.txt:
08-24-11 11:11:45.421889 man 127.0.1.1 v2.0 1 0 0 0 0 0 STA
08-03-11 14:11:08.282819 tcp 43.27.163.74.59915 -> 189.230.109.207.51413 1 1 66 54 RST
08-03-11 14:11:08.806651 tcp 43.27.163.74.59915 -> 189.230.109.207.51413 1 1 66 54 RST
08-03-11 14:11:09.319212 tcp 43.27.163.74.59915 -> 189.230.109.207.51413 1 1 62 54 RST
08-24-11 11:11:45.435513 man 127.0.1.1 v2.0 4 0 6 0 356 3 SHT
Non-text attachments (scrubbed by the list archive):
argus.2.0.6.conf (9259 bytes): https://pairlist1.pair.net/pipermail/argus/attachments/20110824/238b7ef0/attachment.obj
six-packets.pcap (476 bytes): https://pairlist1.pair.net/pipermail/argus/attachments/20110824/238b7ef0/attachment-0001.obj
six-packets.argus.2.0.6 (828 bytes): https://pairlist1.pair.net/pipermail/argus/attachments/20110824/238b7ef0/attachment-0002.obj
argus.3.0.4.conf (19860 bytes): https://pairlist1.pair.net/pipermail/argus/attachments/20110824/238b7ef0/attachment-0003.obj
ra.2.0.6.conf (9826 bytes): https://pairlist1.pair.net/pipermail/argus/attachments/20110824/238b7ef0/attachment-0004.obj
ra.3.0.4.conf (2021 bytes): https://pairlist1.pair.net/pipermail/argus/attachments/20110824/238b7ef0/attachment-0005.obj
six-packets.argus.3.0.4 (512 bytes): https://pairlist1.pair.net/pipermail/argus/attachments/20110824/238b7ef0/attachment-0006.obj
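As an added illustration (not argus code, and not part of the post): a simplified Python model of the two record-termination policies the post contrasts, fed the six packets it lists. With `terminate_on_rst=True` it yields three 2-packet records (120, 120 and 116 bytes) from which the inter-SYN gaps can be read; with `False` it yields the single 6-packet, 356-byte, 1.036408 s record that ra 3.0.4 printed. The real argus flow logic is richer than this; only the "close at RST" versus "keep the 5-tuple open" decision is modelled, and the addresses are the post's placeholders.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float         # epoch seconds, as in the capture
    src: str
    sport: int
    dst: str
    dport: int
    length: int       # frame length in bytes
    flags: frozenset  # TCP flag names

@dataclass
class Flow:
    start: float
    end: float
    pkts: int = 0
    nbytes: int = 0
    state: str = "STA"

    @property
    def dur(self):
        return self.end - self.start

SYN, RSTACK = frozenset({"SYN"}), frozenset({"RST", "ACK"})
C, S = "xx.xx.xx.xx", "yy.yy.yy.yy"   # client / server placeholders from the post
# The six packets from the post (timestamps and frame lengths copied from its listing).
PACKETS = [
    Packet(1312373468.282819, C, 59915, S, 51413, 66, SYN),
    Packet(1312373468.282836, S, 51413, C, 59915, 54, RSTACK),
    Packet(1312373468.806651, C, 59915, S, 51413, 66, SYN),
    Packet(1312373468.806673, S, 51413, C, 59915, 54, RSTACK),
    Packet(1312373469.319212, C, 59915, S, 51413, 62, SYN),
    Packet(1312373469.319227, S, 51413, C, 59915, 54, RSTACK),
]

def flow_key(p):
    """Bidirectional 5-tuple: both directions of a connection map to one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return ("tcp",) + (a + b if a <= b else b + a)

def build_flows(packets, terminate_on_rst):
    """Group packets into records. terminate_on_rst=True closes a record at the
    first RST (the 2.0.6-style output); False keeps one record per key (3.0.4-style)."""
    done, active = [], {}
    for p in sorted(packets, key=lambda p: p.ts):
        k = flow_key(p)
        f = active.setdefault(k, Flow(start=p.ts, end=p.ts))
        f.end, f.pkts, f.nbytes = p.ts, f.pkts + 1, f.nbytes + p.length
        if "RST" in p.flags:
            f.state = "RST"
            if terminate_on_rst:
                done.append(active.pop(k))
    return done + list(active.values())

def inter_syn_gaps(flows):
    """Seconds between consecutive per-attempt records; each starts at its SYN."""
    starts = sorted(f.start for f in flows)
    return [b - a for a, b in zip(starts, starts[1:])]
```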