fragonly

Carter Bullard carter at qosient.com
Fri Feb 10 12:07:49 EST 2012


So there are two kinds of fragments, from the perspective of a flow monitor.
Those that have an " offset = 0 ", where all the flow key identifiers are present in
the packet, and those fragments where " offset > 0 ", where there are no
proto or port identifiers available.   Argus tracks fragments such that all the
frags get accounted into the "parent" flow, the flow identified by the fragment
where the " offset = 0 ".  Fragments can come in out of order, so there is a lot
of fragment tracking logic in argus.

If for some reason the " offset = 0 " fragment is not seen, either because it was
dropped, or it was never sent, argus ends up tracking a flow that is not
a real 5-tuple flow.  These are very important from a security and performance
perspective, because end systems spend more memory and processing
dealing with a fragment where the " offset = 0 " wasn't received.

" frag " means any flow where fragments were seen, which includes flows
regardless of whether the " offset = 0 " fragment was seen or not.

" fragonly " means flows for fragments where the " offset = 0 " fragment was
not seen.  If it's working, they should have a proto of " ip ".

Carter



On Feb 9, 2012, at 9:44 AM, elof2 at sentor.se wrote:

> 
> The ra manual says:
> 
>  Primitives  that select flows that experienced fragmentation.
>  frag and fragonly
> 
> 
> If I run 'ra -nr argus.log - frag', I only get a couple of lines as output. Good.
> 
> If I run 'ra -nr argus.log - fragonly', I get equally many lines of output as if I use no filter at all.
> 
> #ra -nr /usr/sentor/48h/argus.log - fragonly | wc -l
>  565648
> #ra -Zb -nr argus.log - | wc -l
>  565648
> 
> 
> What is the 'fragonly' keyword meant to do?
> 
> /Elof

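As an added illustration (not argus's code, and not part of the original thread), a small Python model of the tracking Carter describes: constructed IPv4 fragments are charged to the parent flow identified by the offset=0 fragment, out-of-order arrival is handled, and a fragment train whose offset=0 piece never shows up is reported as a port-less flow with proto "ip", which is what the "fragonly" filter selects. The packet builder, the TCP/UDP-only protocol table and the sample addresses are assumptions of this example.

```python
import socket
import struct
from collections import defaultdict

# Constructed IPv4 packets (not argus code). flags/offset word: bit 13 = MF, low 13 bits = offset/8.
def ipv4(src, dst, ident, proto, mf, offset, payload):
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                       64, proto, 0, src, dst) + payload
def parse(pkt):
    vihl, _, _, ident, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl, offset = (vihl & 0x0F) * 4, (flags_off & 0x1FFF) * 8
    return dict(src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst), id=ident, proto=proto,
                offset=offset, frag=bool(flags_off & 0x2000) or offset > 0, l4=pkt[ihl:ihl + 4])
PROTO = {6: "tcp", 17: "udp"}  # assumption: only TCP/UDP ports are read from the offset=0 fragment

def track(pkts):
    """Charge frags to the parent flow named by the offset=0 frag; a train without one becomes proto 'ip'."""
    flows, pending, parents = {}, defaultdict(list), {}
    for p in map(parse, pkts):
        fkey = (p["src"], p["dst"], p["id"], p["proto"])   # reassembly key shared by all frags
        if p["offset"] == 0:          # ports are present in this fragment
            sport, dport = struct.unpack("!HH", p["l4"])
            key = (p["src"], p["dst"], PROTO.get(p["proto"], str(p["proto"])), sport, dport)
            rec = flows.setdefault(key, dict(pkts=0, frag=False, fragonly=False))
            rec["pkts"] += 1
            if p["frag"]:             # MF set: later (or earlier, out-of-order) frags belong here
                rec["frag"], parents[fkey] = True, key
                rec["pkts"] += len(pending.pop(fkey, []))
        elif fkey in parents:
            flows[parents[fkey]]["pkts"] += 1
        else:
            pending[fkey].append(p)   # offset>0 seen before (or without) its offset=0 piece
    for (src, dst, _, _), frags in pending.items():   # offset=0 never arrived: no proto/ports known
        rec = flows.setdefault((src, dst, "ip", 0, 0), dict(pkts=0, frag=True, fragonly=True))
        rec["pkts"] += len(frags)
    return flows

def frag(flows):      # "frag": any flow in which fragments were seen
    return {k: v for k, v in flows.items() if v["frag"]}
def fragonly(flows):  # "fragonly": the offset=0 fragment was never seen
    return {k: v for k, v in flows.items() if v["fragonly"]}

A, B = socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")
PACKETS = [  # constructed sample traffic
    ipv4(A, B, 1, 17, True, 8, b"\0" * 8),                                 # arrives out of order
    ipv4(A, B, 1, 17, True, 0, struct.pack("!HH", 5000, 53) + b"\0" * 4),  # parent: udp 5000->53
    ipv4(A, B, 1, 17, False, 16, b"\0" * 8),                               # in-order tail fragment
    ipv4(A, B, 2, 17, False, 8, b"\0" * 8),                                # its offset=0 piece is missing
    ipv4(A, B, 3, 6, False, 0, struct.pack("!HH", 4000, 80) + b"\0" * 4),  # unfragmented tcp
]
```

Running `track(PACKETS)` yields three flows; `frag()` keeps the udp and the "ip" flow, and `fragonly()` keeps only the "ip" flow, mirroring the two ra filter primitives.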