Directionality for protocol 50 traffic?

Jesse Bowling jessebowling at gmail.com
Thu Jul 19 13:43:57 EDT 2012 

Thank you Carter, this is exactly what I was looking for.

Thanks!

Jesse

On Thu, Jul 19, 2012 at 1:30 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Jesse,
> Sorry for the delayed response. ESP (protocol 50) is a unidirectional
> flow, used by
> IPSec, and you generally see 2 or more of these to support protected coms
> between
> 2 hosts.  In your example, you're looking at both sides of an IPSec
> tunnel.  Argus tracks
> ESP using a flow key composed of the src and dst addrs, and the SPI, which
> is the
> security parameter index, which is the encryption context id.  We put this
> SPI
> value in the dport field, and we print it out in hex.
>
> We could aggregate them into a single bi-directional ESP flow, say if the
> two halves
> have the same spi, but there is no rule that the two tunnels use the same
> spi, and
> so you don't really know if the two half-pipes are related.  So we don't
> merge them
> by default.
>
> If you want to merge them using racluster(), you need to apply a rule
> where you ignore
> the dport for port 50.  You can specify this type of aggregation rule
> in your racluster.conf,
> using something like this:
>
> RACLUSTER_AUTO_CORRECTION=yes
> filter="proto esp"       model="saddr daddr proto"
> filter=""                        model="saddr daddr proto sport dport"
>
> so, for protocol 50, we'll use a different aggregation rule than we would
> use for all the
> other traffic.
>
> Hope this helps,
>
> Carter
>
> On Jul 17, 2012, at 8:52 PM, Jesse Bowling wrote:
>
> While looking at protocol 50 traffic, I noticed that although I clustered,
> I was seeing two flows, one for each direction. Is this the nature of the
> protocol, an error in my command line invocation, or other?
>
> # racluster -R 16 -M correct -m daddr -w - - ip and not tcp and not udp
> and not icmp | rasort -r - -m bytes -N 20
>       StartTime      Flgs  Proto            SrcAddr  Sport
> Dir            DstAddr  Dport  TotPkts   TotBytes State
> 11:47:49.171437  e            50      69.74.243.200           ->
> 192.168.1.2.0x202*     4925    2993934   INT
> 00:02:55.927866  e            50        192.168.1.2           ->
> 69.74.243.200.0x202*     5625     797574   INT
>
> Cheers,
>
> Jesse
> --
> Jesse Bowling
>
>
>
>


-- 
Jesse Bowling
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120719/99e5f2d2/attachment.html>

More information about the argus mailing list