Argus 3.0.2 unable to remember the direction of a connection (resolved by 3.0.3.22)
John Gerth
gerth at graphics.stanford.edu
Wed Feb 9 14:39:25 EST 2011
On 2/9/2011 6:43 AM, Cees wrote:
>
> Hello list,
>
> I encountered a strange bug in Argus where Argus is unable to remember the direction of a connection.
> At first the direction is correct, but half-way through the session Argus 'forgets' the direction.
>
> I managed to create a test case, see the attachments.
>
> correct.pcap contains a TCP session of 52 packets between 172.16.12.165 port 1051 and 192.168.234.166 port 8080
> test-case.pcap contains the same session, but with two additional packets on port 1058. In the original PCAP the packets were part of a complete
> session, but these two packets are enough to confuse Argus.
>
This looks like a fixed bug, as I get the behavior you want with the latest argus-3.0.3.22.
--
John Gerth gerth at graphics.stanford.edu Gates 378 (650) 725-3273 fax 723-0033
***********
argus-3.0.3.22 $ sbin/argus -F /dev/null -r ~/win/test-case.pcap -w - | bin/ra -nnr -
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts TotAppByte State NStrok Dur
06:55:05.196 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 10 10 0 CON 1.278
06:55:10.283 e 6 192.168.234.166.8080 ?> 172.16.12.165.1058 1 0 0 CON 0.000
06:55:40.595 e 6 192.168.234.166.8080 <? 172.16.12.165.1058 0 1 0 CON 0.000
06:56:03.903 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.275
06:56:34.920 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.420
06:57:05.963 e r 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.436
06:57:37.007 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.452
06:58:08.055 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.244
06:58:39.115 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.243
06:59:10.154 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.264
06:59:41.291 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.296
11:35:07.440 man 0. 0 23. 1 54 12 9887296 STP 0.000
argus-3.0.3.22 $ sbin/argus -F /dev/null -r ~/win/correct.pcap -w - | bin/ra -nnr -
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts TotAppByte State NStrok Dur
06:55:05.196 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 10 10 0 CON 1.278
06:56:03.903 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.275
06:56:34.920 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.420
06:57:05.963 e r 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.436
06:57:37.007 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.452
06:58:08.055 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.244
06:58:39.115 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.243
06:59:10.154 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.264
06:59:41.291 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.296
11:35:24.481 man 0. 0 30. 1 52 10 9885624 STP 0.000
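As an added check, not part of this thread or of the argus distribution: a small Python script that parses ra output like the listings above and reports, per connection, whether the direction token stayed the same on every status record, which is exactly the symptom Cees describes for 3.0.2. The sample records are copied from the test-case listing above plus two constructed records that show a mid-session flip; the default ra column layout shown here is assumed.

```python
import re
from collections import defaultdict

# Records copied from the 3.0.3.22 test-case listing above (header and a
# "man" record included to show they are skipped by the parser).
RA_OUTPUT = [
    "StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts TotAppByte State NStrok Dur",
    "06:55:05.196 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 10 10 0 CON 1.278",
    "06:55:10.283 e 6 192.168.234.166.8080 ?> 172.16.12.165.1058 1 0 0 CON 0.000",
    "06:55:40.595 e 6 192.168.234.166.8080 <? 172.16.12.165.1058 0 1 0 CON 0.000",
    "06:57:05.963 e r 6 172.16.12.165.1051 -> 192.168.234.166.8080 2 2 0 CON 0.436",
    "11:35:07.440 man 0. 0 23. 1 54 12 9887296 STP 0.000",
]
# Constructed records (not real argus output) showing the flip reported for 3.0.2.
FLIPPED_OUTPUT = [
    "06:55:05.196 e 6 172.16.12.165.1051 -> 192.168.234.166.8080 10 10 0 CON 1.278",
    "06:56:03.903 e 6 192.168.234.166.8080 -> 172.16.12.165.1051 2 2 0 CON 0.275",
]

# ra's Dir token sits between SrcAddr.Sport and DstAddr.Dport. Flgs may span
# several tokens ("e", "e r"), so fields are located by the Dir token, not by column.
DIR_RE = re.compile(r"(\S+)\s+(<\?>|<->|\?>|<\?|->|<-)\s+(\S+)")

def parse_ra_line(line):
    """Return (src, dir, dst) for a flow record; None for the header line and
    management ('man') records, which carry no direction field."""
    m = DIR_RE.search(line)
    return m.groups() if m else None

def check_directions(lines):
    """Group status records by connection (endpoint pair, order-independent)
    and collect every distinct 'src dir dst' rendering seen for it. Correct
    tracking renders a connection identically on every record: a second
    rendering means the direction flipped mid-session, and a '?' in Dir
    means argus could not determine the direction at all."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_ra_line(line)
        if rec:
            src, d, dst = rec
            seen[tuple(sorted((src, dst)))].add(f"{src} {d} {dst}")
    report = {}
    for key, renderings in seen.items():
        known = {r for r in renderings if "?" not in r}
        report[key] = {"renderings": renderings,
                       "unknown": len(known) < len(renderings),
                       "flipped": len(known) > 1}
    return report
```

Run it over `ra -nnr -` output captured from both argus versions; a connection reported as flipped on 3.0.2 and consistent on 3.0.3.22 confirms the fix on your own traces.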