Need clarification about Aggregation argus decision
Carter Bullard
carter at qosient.com
Wed Aug 24 13:24:13 EDT 2011
Hey Sebas,
Yes, we changed the flow modeler in 3.0 so as not to be protocol state dependent. This is because the flow monitor needs to be resilient to manipulation and we wanted the output stream to be in start time sorted order.
So, for argus-3.0.4 and argus-3.0.5, the single record output is correct behavior.
Yes, I miss the RTTs from these flows, but all is not lost.
You can get the interpacket arrivals for the SYNs and RSTs from argus() by turning on ARGUS_GENERATE_JITTER_DATA in your argus.conf.
If that is "yes", using ra(), print the "sintpkt" and "dintpkt" variables for this flow.
Carter
On Aug 24, 2011, at 5:34 AM, el draco <eldraco at gmail.com> wrote:
> Hi guys, I'm dealing with one situation I don't clearly understand.
> Can you help me?
>
> I have these packets in a pcap file, captured with tcpdump:
> 321 1312373468.282819 xx.xx.xx.xx yy.yy.yy.yy TCP 66 59915 > 51413 [SYN] Seq=0 Win=8192 Len=0
> 322 1312373468.282836 yy.yy.yy.yy xx.xx.xx.xx TCP 54 51413 > 59915 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
> 333 1312373468.806651 xx.xx.xx.xx yy.yy.yy.yy TCP 66 59915 > 51413 [SYN] Seq=0 Win=8192 Len=0
> 334 1312373468.806673 yy.yy.yy.yy xx.xx.xx.xx TCP 54 51413 > 59915 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
> 343 1312373469.319212 xx.xx.xx.xx yy.yy.yy.yy TCP 62 59915 > 51413 [SYN] Seq=0 Win=8192 Len=0
> 344 1312373469.319227 yy.yy.yy.yy xx.xx.xx.xx TCP 54 51413 > 59915 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
>
> In summary, this is IP address xx.xx.xx.xx trying to connect to
> yy.yy.yy.yy port 51413. This port is closed, so it gets an RST back. It
> tried three times.
>
> I'm attaching the anonymized pcap file (six-packets.pcap).
>
>
> Using argus 2.0.6.fixes.1 (debian stable argus version), with default
> argus server configuration and default ra client configuration, I get
> this output (sorry if gmail cuts the long lines):
>
> Date flow start          Duration Prot Src IP Addr:Port         Dst IP Addr:Port      Flags Tos  Packets Bytes Flows
> 2011-08-03 14:11:08.282  0.000    TCP  89.102.143.14:59915  ->  147.32.84.189:51413   STA   0.00 2       120   1
> 2011-08-03 14:11:08.806  0.000    TCP  89.102.143.14:59915  ->  147.32.84.189:51413   STA   0.00 2       120   1
> 2011-08-03 14:11:09.319  0.000    TCP  89.102.143.14:59915  ->  147.32.84.189:51413   STA   0.00 2       116   1
>
> Commands:
> argus -r six-packets.pcap -w six-packets.argus.2.0.6 -F argus.2.0.6.conf
> ra -r six-packets.argus.2.0.6 -F ra.2.0.6.conf
>
> I'm attaching the argus (argus.2.0.6.conf) and ra configuration files
> (ra.2.0.6.conf).
> Also I'm attaching the argus output file (six-packets.argus.2.0.6) and
> the ra text output file (ra.2.0.6.txt).
>
> So far, so good.
>
> But with argus 3.0.4 (compiled), with default argus server
> configuration (I'm attaching argus.3.0.4.conf) and a simple ra client
> configuration (I'm attaching ra.3.0.4.conf), I get this output
> instead:
>
> StartTime,Dur,Proto,Trans,Flgs,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,Rate,State,sTos
> 14:11:08.282819,1.036408,tcp,1, e s ,43.27.163.74,59915,->,189.230.109.207,51413,6,356,4.824355,RST,0
>
> Commands:
> argus -r six-packets.pcap -w six-packets.argus.3.0.4 -F argus.3.0.4.conf
> ra -r six-packets.argus.3.0.4 -F ra.3.0.4.conf
>
>
> The main difference seems to be within the aggregation strategy. ra
> 2.0.6 output is better for me, because I need to know the time between
> SYN packets. In ra 3.0.4 output I can't know the inter-SYN-packet
> times.
>
> I tried to re-configure 3.0.4 argus and ra, but I was not able to get
> an output similar to 2.0.6. Can you help me to see how I can achieve
> this? I want argus 3.0.4 to end the flow accounting when it sees a RST
> packet.
>
> Thanks in advance, and sorry for the long mail.
> Sebas
> <ra.2.0.6.txt>
> <argus.2.0.6.conf>
> <six-packets.pcap>
> <six-packets.argus.2.0.6>
> <argus.3.0.4.conf>
> <ra.2.0.6.conf>
> <ra.3.0.4.conf>
> <ra.3.0.4.txt>
> <six-packets.argus.3.0.4>
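As an added illustration for this thread (it is not code from argus, ra, or either poster), the following Python models the three things discussed above on the six packets Sebas quoted: the single aggregated record that argus 3.0.x emits because its flow model no longer closes on protocol state, the per-RST split that 2.0.6 produced, and the per-direction inter-packet gaps that become available once ARGUS_GENERATE_JITTER_DATA is turned on (the data behind ra's sintpkt and dintpkt fields). Timestamps are the tcpdump values from the mail held as integer microseconds; the addresses are the xx/yy placeholders used there. How ra summarises those gaps (mean, full distribution) is version-specific, so the code returns the raw gaps and leaves that to ra(1).

```python
# Added example for this thread (not argus or ra code): reproduce, from the six
# packets quoted above, what argus 2.0.6 and argus 3.0.x each report, and the
# per-direction inter-packet gaps that ARGUS_GENERATE_JITTER_DATA exposes.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts_us: int      # capture timestamp in integer microseconds (avoids float drift)
    src: str
    dst: str
    length: int     # frame length in bytes, as shown in the tcpdump listing
    flags: str      # "SYN" or "RST" (the only flags that matter here)


# Constructed from the tcpdump lines in Sebas's mail; addresses are the
# placeholders used there.
PACKETS = [
    Pkt(1312373468282819, "xx.xx.xx.xx", "yy.yy.yy.yy", 66, "SYN"),
    Pkt(1312373468282836, "yy.yy.yy.yy", "xx.xx.xx.xx", 54, "RST"),
    Pkt(1312373468806651, "xx.xx.xx.xx", "yy.yy.yy.yy", 66, "SYN"),
    Pkt(1312373468806673, "yy.yy.yy.yy", "xx.xx.xx.xx", 54, "RST"),
    Pkt(1312373469319212, "xx.xx.xx.xx", "yy.yy.yy.yy", 62, "SYN"),
    Pkt(1312373469319227, "yy.yy.yy.yy", "xx.xx.xx.xx", 54, "RST"),
]


def flow_record(pkts):
    """Summarise a packet list the way a single flow record does:
    start time, duration, packet and byte counts, and a coarse state."""
    start = pkts[0].ts_us
    return {
        "start_us": start,
        "dur_us": pkts[-1].ts_us - start,
        "pkts": len(pkts),
        "bytes": sum(p.length for p in pkts),
        "state": "RST" if any(p.flags == "RST" for p in pkts) else "REQ",
    }


def aggregate_all(pkts):
    """argus 3.0.x behaviour as Carter describes it: the flow model is not
    protocol-state dependent, so all six packets land in one record."""
    return [flow_record(pkts)]


def split_on_rst(pkts):
    """argus 2.0.6 behaviour Sebas wants back: the RST closes the transaction,
    so each SYN/RST pair becomes its own record."""
    records, current = [], []
    for p in pkts:
        current.append(p)
        if p.flags == "RST":
            records.append(flow_record(current))
            current = []
    if current:                      # trailing packets with no RST
        records.append(flow_record(current))
    return records


def interpacket_gaps(pkts, src):
    """Inter-packet arrival gaps (microseconds) for one direction of the flow.
    This is the raw data behind ra's sintpkt/dintpkt fields when
    ARGUS_GENERATE_JITTER_DATA=yes; ra itself reports a summary statistic
    of these (see ra(1) for which one in your version)."""
    times = [p.ts_us for p in pkts if p.src == src]
    return [later - earlier for earlier, later in zip(times, times[1:])]


if __name__ == "__main__":
    for label, recs in (("3.0.x style", aggregate_all(PACKETS)),
                        ("2.0.6 style", split_on_rst(PACKETS))):
        print(label)
        for r in recs:
            print(f"  start=+{r['start_us'] - PACKETS[0].ts_us}us dur={r['dur_us']}us "
                  f"pkts={r['pkts']} bytes={r['bytes']} state={r['state']}")
    print("inter-SYN gaps (us):", interpacket_gaps(PACKETS, "xx.xx.xx.xx"))
    print("inter-RST gaps (us):", interpacket_gaps(PACKETS, "yy.yy.yy.yy"))
```

The aggregated record comes out as 6 packets, 356 bytes and a 1.036408 s duration, matching the 3.0.4 ra line above, while the split yields three 2-packet records of 120, 120 and 116 bytes, matching the 2.0.6 output; the source-direction gaps (523832 us and 512561 us) are the inter-SYN times Sebas was after. To get the equivalent from argus itself, set `ARGUS_GENERATE_JITTER_DATA=yes` in argus.conf, regenerate the record file with `argus -r six-packets.pcap -w out.argus -F argus.conf`, and select the fields with ra's `-s` option, e.g. `ra -r out.argus -s stime dur sintpkt dintpkt` (field names as listed in ra(1) for the version in use).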