Flow direction

Huy N. Hang hangh at cs.ucr.edu
Sun May 22 11:55:40 EDT 2011 

Hi Carter,

My apologies for not being clear. I haven't seen any inconsistencies yet.
I was only wondering as to why the dir field might say "<-" to indicate
flow direction from destination to source.

You actually have answered my question very clearly. Thanks very much!


> Hey Huy,
> The best way to discuss what may appear to be inconsistencies, is to
> provide examples.
> So if you have some specific records that don't seem right, please include
> them in your
> email.
>
> There are two fundamentals regarding the src and dst assignments for a
> flow record.
> 1) the fields assignments are the primary indication of direction, 2) the
> "dir" field attempts
> to show confidence (presence of '?') and the basic flow of information.
>
> Here is an example:
>
>       StartTime Flgs  Proto      SrcAddr  Sport Dir        DstAddr  Dport
> SrcPkts DstPkts SrcBytes DstBytes State
> 09:52:52.330762  e &    tcp   10.0.1.106.53226  <?> 216.92.197.167.imaps
>     34      18     5684     6505   CON
>
>
> Here the Src and Dst assignments are correct, but the confidence "<?>" is
> very low.  When the confidence is low,
> the arrows will indicate the direction of any traffic in the flow.
>
>       StartTime Flgs  Proto      SrcAddr  Sport Dir        DstAddr  Dport
> SrcPkts DstPkts SrcBytes DstBytes State
> 09:57:35.933576  e      tcp   10.0.1.106.49246   ->       10.0.1.1.afpove
>      2       2      148      148   CON
>
> Here the Src and Dst assignments are correct, confidence is very high "
> ->".  When the confidence is high,
> the dir field indicates the direction.
>
> Usually when the dir is "<- " we know that all the flags are saying the
> Src and Dst assignments are correct
> based on the protocol state, or whatever, but we've never seen traffic in
> the correct direction.
>
> Do you have any examples that seem inconsistent?
>
> Carter
>
> On May 21, 2011, at 8:40 PM, Huy N. Hang wrote:
>
>> Hi everyone,
>>
>> I'm starting to wonder about the dir field produced by ra.
>>
>> Since it actually shows the direction of the flow in the case of TCP,
>> and
>> it can even be "<-", do the field names "SrcAddr" and "DstAddr" remain
>> significant in that case?
>>
>> I mean, if SrcAddr is where the flow originates, does the dir field "<-"
>> not contradict that?
>>
>> Thanks!
>>
>>
>
>


==================================================
I swear to all that is holy that one day,
I shall use Elvish and/or Klingon alphabets
to name the variables in my research papers!
Revenge can never be more elegant or sweet!
==================================================
Huy N. Hang, Ph.D. student,
Department of Computer Science and Engineering.
U.C. Riverside
==================================================

More information about the argus mailing list