Directionality for protocol 50 traffic?

Carter Bullard carter at qosient.com
Thu Jul 19 13:30:13 EDT 2012 

Hey Jesse,
Sorry for the delayed response. ESP (protocol 50) is a unidirectional flow, used by
IPSec, and you generally see 2 or more of these to support protected coms between
2 hosts.  In your example, you're looking at both sides of an IPSec tunnel.  Argus tracks
ESP using a flow key composed of the src and dst addrs, and the SPI, which is the
security parameter index, which is the encryption context id.  We put this SPI
value in the dport field, and we print it out in hex.

We could aggregate them into a single bi-directional ESP flow, say if the two halves
have the same spi, but there is no rule that the two tunnels use the same spi, and
so you don't really know if the two half-pipes are related.  So we don't merge them
by default.

If you want to merge them using racluster(), you need to apply a rule where you ignore
the dport for port 50.  You can specify this type of aggregation rule in your racluster.conf,
using something like this:

RACLUSTER_AUTO_CORRECTION=yes
filter="proto esp"       model="saddr daddr proto"
filter=""                        model="saddr daddr proto sport dport"

so, for protocol 50, we'll use a different aggregation rule than we would use for all the
other traffic.

Hope this helps,

Carter 

On Jul 17, 2012, at 8:52 PM, Jesse Bowling wrote:

> While looking at protocol 50 traffic, I noticed that although I clustered, I was seeing two flows, one for each direction. Is this the nature of the protocol, an error in my command line invocation, or other?
> 
> # racluster -R 16 -M correct -m daddr -w - - ip and not tcp and not udp and not icmp | rasort -r - -m bytes -N 20
>       StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State
> 11:47:49.171437  e            50      69.74.243.200           ->        192.168.1.2.0x202*     4925    2993934   INT
> 00:02:55.927866  e            50        192.168.1.2           ->      69.74.243.200.0x202*     5625     797574   INT
> 
> Cheers,
> 
> Jesse
> -- 
> Jesse Bowling
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120719/b747df3c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4367 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120719/b747df3c/attachment.bin>

More information about the argus mailing list