Flow direction

Carter Bullard carter at qosient.com
Sun May 22 10:01:52 EDT 2011 

Hey Huy,
The best way to discuss what may appear to be inconsistencies, is to provide examples.
So if you have some specific records that don't seem right, please include them in your
email.

There are two fundamentals regarding the src and dst assignments for a flow record.
1) the fields assignments are the primary indication of direction, 2) the "dir" field attempts
to show confidence (presence of '?') and the basic flow of information.

Here is an example:

      StartTime Flgs  Proto      SrcAddr  Sport Dir        DstAddr  Dport SrcPkts DstPkts SrcBytes DstBytes State
09:52:52.330762  e &    tcp   10.0.1.106.53226  <?> 216.92.197.167.imaps       34      18     5684     6505   CON


Here the Src and Dst assignments are correct, but the confidence "<?>" is very low.  When the confidence is low,
the arrows will indicate the direction of any traffic in the flow.

      StartTime Flgs  Proto      SrcAddr  Sport Dir        DstAddr  Dport SrcPkts DstPkts SrcBytes DstBytes State
09:57:35.933576  e      tcp   10.0.1.106.49246   ->       10.0.1.1.afpove       2       2      148      148   CON

Here the Src and Dst assignments are correct, confidence is very high " ->".  When the confidence is high,
the dir field indicates the direction.

Usually when the dir is "<- " we know that all the flags are saying the Src and Dst assignments are correct
based on the protocol state, or whatever, but we've never seen traffic in the correct direction.

Do you have any examples that seem inconsistent?

Carter

On May 21, 2011, at 8:40 PM, Huy N. Hang wrote:

> Hi everyone,
> 
> I'm starting to wonder about the dir field produced by ra.
> 
> Since it actually shows the direction of the flow in the case of TCP, and
> it can even be "<-", do the field names "SrcAddr" and "DstAddr" remain
> significant in that case?
> 
> I mean, if SrcAddr is where the flow originates, does the dir field "<-"
> not contradict that?
> 
> Thanks!
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110522/9f429d06/attachment.html>

More information about the argus mailing list