Record direction and missed SYN
Carter Bullard
carter at qosient.com
Tue Sep 11 20:28:26 EDT 2012
Hey Rafael,
The SYN_ACK won't be used as definitive for the direction, unless there is additional traffic to indicate that it's a real connection. A single SYN_ACK can be a scan strategy, so we don't want to reverse the flow direction in this case. If this isn't the correct behavior, then we've got a bug.
Thanks for the packet file, I'll check it out tonight !!!
Carter
On Sep 11, 2012, at 11:46 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
> Hi,
>
> I am running into another problem with the reversed record directions. Now I have a flow with a single record were the SYN packet is missing (i.e., the first captured packet is a SYN-ACK).
>
> After creating the argus dump and reading it with ra, I get the following:
> $> argus -r bug.pcap -w bug.argus
> $> ra -r bug.argus
> 09:43:42.524434 e tcp X.X.X.X.10502 -> Y.Y.Y.Y.43539 10 3312 FIN
>
> So argus is using the source of the SYN-ACK packet as 'client' and the destination as 'server', while the opposite would be the correct.
>
> I uploaded the bug.pcap to the server.
>
> Best regards,
> Rafael Barbosa
> http://www.ewi.utwente.nl/~barbosarr/
>
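The direction rule Carter describes, written out as an added example in Python (not argus's own code): a flow is modelled as a list of (src, dst, flags) tuples, the endpoint strings and sample flows are constructed, and the rule is a simplification of what the thread states, not the real argus implementation.

```python
# Added example, not argus source: a toy model of the direction rule Carter
# describes. A flow is an ordered list of (src, dst, tcp_flags) tuples;
# endpoints are constructed strings such as "X.X.X.X:10502".
from dataclasses import dataclass

SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01  # TCP flag bits

@dataclass
class Direction:
    client: str
    server: str
    reason: str

def infer_direction(packets):
    """Pick client/server for a TCP flow from its packets, in capture order.

    Simplified rule (an assumption, not the real argus logic):
    - First packet is a bare SYN: its sender is the client.
    - First packet is a SYN-ACK: its destination is the probable client,
      but the direction is only flipped if that peer actually sends
      something afterwards (handshake ACK, data, FIN). A lone SYN-ACK with
      no reply keeps the observed direction, because a single unsolicited
      SYN-ACK may be a scan artifact rather than a real connection.
    - Anything else: the first sender is taken as the client.
    """
    if not packets:
        raise ValueError("empty flow")
    src, dst, flags = packets[0]
    if flags & SYN and not flags & ACK:
        return Direction(src, dst, "first packet is SYN")
    if flags & SYN and flags & ACK:
        if any(p[0] == dst for p in packets[1:]):
            return Direction(dst, src, "SYN-ACK followed by peer traffic: reversed")
        return Direction(src, dst, "lone SYN-ACK: direction kept")
    return Direction(src, dst, "no handshake seen: first sender is client")

# Constructed flows. The first mirrors Rafael's capture: the SYN was missed,
# the SYN-ACK is the first packet, then the real client ACKs, sends data, FINs.
X, Y = "X.X.X.X:10502", "Y.Y.Y.Y:43539"
MISSED_SYN_FLOW = [
    (X, Y, SYN | ACK),
    (Y, X, ACK),
    (Y, X, PSH | ACK),
    (X, Y, PSH | ACK),
    (Y, X, FIN | ACK),
]
LONE_SYN_ACK = [(X, Y, SYN | ACK)]  # no reply from Y is ever seen

if __name__ == "__main__":
    for name, flow in [("missed SYN", MISSED_SYN_FLOW), ("lone SYN-ACK", LONE_SYN_ACK)]:
        print(name, infer_direction(flow))
```

With this rule Rafael's flow is reversed (Y becomes the client), while the lone SYN-ACK keeps X as the observed source, which is the distinction Carter draws.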