state
Carter Bullard
carter at qosient.com
Tue Nov 6 08:53:48 EST 2012
Hey CS Lee,
All the flags are listed in the ra.1 man page under the -Z option description.
The -Z option prints the TCP flags that were seen, and there are only 8 flags.
The thing is that the expected states are any of the 8 TCP flag values, concatenated
together, and then there is a '_' to separate the src and dst.
That isn't mentioned in the manpage, so I'll have to fix that.
The format of the resulting Status field when using the -Zb option is:
State = [flag[flag[flag]]][_][flag[flag[flag]]]
flag = [F,S,R,P,A,U,7,8]
with examples of
SAPF_SAPF
S
SA
SR
S_R
Now there are a lot of states that you can get without the -Z -z option that don't appear
to be documented. Let me respond to that later today.
Carter
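The format Carter describes above (flag letters concatenated per side, '_' between src and dst) is easy to parse mechanically, which is what you want when sifting ra output for flows such as S or S_R at scale. The following is an added example written for this page, not code from argus or from either poster. It assumes that a state string with no '_' carries source-side flags only (the message shows "S" and "SA" without saying which side they are on), that the digits 7 and 8 stand for the 7th and 8th TCP flag bits, ECE and CWR (the message only lists the letters), and that the State field is the last whitespace-separated column of the constructed sample rows; the classification labels are this example's own heuristics, not argus terminology.

```python
"""Parse and classify the TCP-flag State strings printed by ra -Zb.

Format as described in the message:  State = [flags][_][flags]
  flags before '_'  = flags seen from the src
  flags after  '_'  = flags seen from the dst
  each flag one of  F S R P A U 7 8
"""
import re

# Letter -> TCP flag name.  The names for F S R P A U are standard;
# 7 = ECE and 8 = CWR is an ASSUMPTION (7th and 8th flag bits), the
# message only lists the letters.
FLAG_NAMES = {
    "F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
    "A": "ACK", "U": "URG", "7": "ECE", "8": "CWR",
}
_ORDER = "FSRPAU78"          # canonical order for printing
_STATE_RE = re.compile(r"^([FSRPAU78]*)(?:_([FSRPAU78]*))?$")


def parse_state(state):
    """Return (src_flags, dst_flags) as sets of flag letters.

    A string without '_' is taken as src-side flags only (assumption).
    Anything built from other characters raises ValueError, so a column
    mix-up in the ra output is caught instead of silently miscounted.
    """
    m = _STATE_RE.match(state)
    if not state or not m:
        raise ValueError("not a -Zb state string: %r" % (state,))
    return set(m.group(1)), set(m.group(2) or "")


def describe(state):
    """Human-readable form, e.g. 'S_R' -> 'src: SYN | dst: RST'."""
    src, dst = parse_state(state)

    def names(flags):
        return ",".join(FLAG_NAMES[f] for f in _ORDER if f in flags) or "-"

    return "src: %s | dst: %s" % (names(src), names(dst))


def classify(state):
    """Heuristic labels (this example's own, not argus's):

    syn-unanswered      only a SYN from src, nothing back from dst
    syn-reset           SYN from src answered only by RST from dst
    handshake-both-ways SYN and ACK seen in both directions
    other               everything else
    """
    src, dst = parse_state(state)
    if src == {"S"} and not dst:
        return "syn-unanswered"
    if src == {"S"} and dst == {"R"}:
        return "syn-reset"
    if {"S", "A"} <= src and {"S", "A"} <= dst:
        return "handshake-both-ways"
    return "other"


# Constructed sample rows (not real ra output); the State field is the
# last column, which is an assumption about how -s was set.
SAMPLE_RA_LINES = [
    "tcp 10.0.0.5.40001 -> 10.0.0.9.22  SAPF_SAPF",
    "tcp 10.0.0.5.40002 -> 10.0.0.9.23  S_R",
    "tcp 10.0.0.5.40003 -> 10.0.0.9.80  S",
    "tcp 10.0.0.5.40004 -> 10.0.0.9.443 S",
    "tcp 10.0.0.5.40005 -> 10.0.0.9.25  SR",
]


def summarize(lines):
    """Count flows per classification label, reading State as last column."""
    counts = {}
    for line in lines:
        kind = classify(line.split()[-1])
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_RA_LINES:
        state = line.split()[-1]
        print("%-10s %-28s %s" % (state, describe(state), classify(state)))
    print(summarize(SAMPLE_RA_LINES))
```

The regex is deliberately strict: if the State column ever contains something outside the eight letters (for instance a state from a run without -Z, which the message says is a different and less documented set), parse_state raises rather than guessing, so the anomaly counts stay honest.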
On Nov 6, 2012, at 4:35 AM, CS Lee <geek00l at gmail.com> wrote:
> hi Carter,
>
> Where can I find the list of the states when using -Z b? Is the list in ra.1 a complete one, because I have seen that some of the states are not documented there. It would be very useful for users to learn about all the states that are extracted by argus.
>
> Thank you.
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net