Does Argus support RST state in UDP flow?
el draco
eldraco at gmail.com
Fri Aug 23 04:59:47 EDT 2013
Hi Rahimeh.
What do you mean by rest? Do you mean reset?
UDP is stateless and transaction-oriented so there are no flag bits
like the reset bit in TCP.
When you send a UDP packet to a closed port, you will get an ICMP
port-unreachable packet back.
In argus (unidirectional and bidirectional), that connection is seen
like this if you use ra:
ra -s +flgs -n -Z b -S localhost - "host x.x.x.x"
StartTime Dur Proto SrcAddr Sport Dir DstAddr Dport State sTos dTos TotPkts TotBytes Flgs
2013/08/23 10:55:01.759273 0.000158 udp y.y.y.y 1528 -> x.x.x.x 234 INT 0 1 42 eU
2013/08/23 10:55:01.759431 2.053794 icmp x.x.x.x 0x0303 -> y.y.y.y 0xea00 URP 192 3 210 e
The state for argus is INT or initial. See man ra.
The icmp packet state is URP or Unreachable port.
However, argus gives you extra information if you print the 'flgs'
field. This field is 'eU' for the UDP flow, meaning :
e - Ethernet encapsulated flow
U - ICMP Unreachable event mapped to this flow
The problem is that if you have multiple connections like this I do not
know how to find which UDP flow is related to which ICMP port.
Hope this helps.
sebas
On Fri, Aug 23, 2013 at 8:37 AM, Rahimeh Khodadadi
<rahimeh.khodadadi at gmail.com> wrote:
> Hi,
>
> I want to know which udp flows are rest, but I couldn't see them in argus
> file,
> Is it possible to see RST udp flow in argus?
>
>
> Thanks,
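The following is an added example, not code from the argus project or from the posters above. It parses ra records with the column list sebas printed, decodes the 'e' and 'U' flag characters as he explains them, and tries to pair each 'U'-flagged UDP flow with an ICMP URP flow by host pair and time. The pairing rule (ICMP source equals UDP destination, ICMP destination equals UDP source, ICMP start inside the UDP flow's lifetime plus a window) is an assumption of this example, and it deliberately reports more than one candidate when the match is ambiguous, which is exactly the situation the post says it cannot resolve. The sample records are constructed: the first two mirror the x.x.x.x / y.y.y.y flows from the post, the others add a second probe between the same hosts. The sample is comma separated, as if ra had been run with a field separator option (assumed to be `-c ,`), so that empty columns survive as empty strings.

```python
"""Decode argus 'ra' records for UDP flows that drew an ICMP port unreachable.

Added example, not argus project code.  Assumes ra output with the post's
field list and a comma separator (assumed: ra's -c option), so empty columns
stay as empty strings.  Sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Column order exactly as in the post's ra header.
COLUMNS = ["StartTime", "Dur", "Proto", "SrcAddr", "Sport", "Dir", "DstAddr",
           "Dport", "State", "sTos", "dTos", "TotPkts", "TotBytes", "Flgs"]

# Meaning of the two 'flgs' characters the post explains.
FLAG_MEANING = {
    "e": "Ethernet encapsulated flow",
    "U": "ICMP Unreachable event mapped to this flow",
}

# Constructed sample: lines 1-2 mirror the post, 3-4 are a second probe to the
# same host, line 5 is an ordinary UDP exchange that got an answer (no 'U').
SAMPLE = """\
2013/08/23 10:55:01.759273,0.000158,udp,y.y.y.y,1528,->,x.x.x.x,234,INT,0,,1,42,eU
2013/08/23 10:55:01.759431,2.053794,icmp,x.x.x.x,0x0303,->,y.y.y.y,0xea00,URP,192,,3,210,e
2013/08/23 10:55:03.100000,0.000120,udp,y.y.y.y,1529,->,x.x.x.x,235,INT,0,,1,42,eU
2013/08/23 10:55:03.100200,0.000000,icmp,x.x.x.x,0x0303,->,y.y.y.y,0xea00,URP,192,,1,70,e
2013/08/23 10:55:05.000000,0.000100,udp,y.y.y.y,1530,->,x.x.x.x,53,CON,0,0,2,180,e
"""


@dataclass(frozen=True)
class Flow:
    start: datetime
    dur: float
    proto: str
    saddr: str
    sport: str
    daddr: str
    dport: str
    state: str
    flgs: str

    @property
    def end(self) -> datetime:
        return self.start + timedelta(seconds=self.dur)


def parse_ra(text: str) -> list:
    """Parse comma separated ra lines into Flow records; reject short rows."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split(",")
        if len(cols) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} fields: {line!r}")
        rec = dict(zip(COLUMNS, cols))
        flows.append(Flow(
            start=datetime.strptime(rec["StartTime"], "%Y/%m/%d %H:%M:%S.%f"),
            dur=float(rec["Dur"]),
            proto=rec["Proto"], saddr=rec["SrcAddr"], sport=rec["Sport"],
            daddr=rec["DstAddr"], dport=rec["Dport"], state=rec["State"],
            flgs=rec["Flgs"]))
    return flows


def describe_flags(flgs: str) -> list:
    """Expand each 'flgs' character into the meaning given in the post."""
    return [FLAG_MEANING.get(ch, f"unknown flag {ch!r}") for ch in flgs]


def udp_rejected(flows: list) -> list:
    """UDP flows argus marked with 'U': the closest thing UDP has to a reset."""
    return [f for f in flows if f.proto == "udp" and "U" in f.flgs]


def match_unreachables(flows: list, window_s: float = 5.0) -> dict:
    """Map each 'U' UDP flow to candidate ICMP URP flows.

    Heuristic (assumption): ICMP source == UDP destination host, ICMP
    destination == UDP source host, and the ICMP flow starts within
    [udp.start, udp.end + window_s].  More than one candidate means the
    pairing is ambiguous, as the post warns.
    """
    window = timedelta(seconds=window_s)
    icmps = [f for f in flows if f.proto == "icmp" and f.state == "URP"]
    return {
        u: [i for i in icmps
            if i.saddr == u.daddr and i.daddr == u.saddr
            and u.start <= i.start <= u.end + window]
        for u in udp_rejected(flows)
    }


if __name__ == "__main__":
    records = parse_ra(SAMPLE)
    for udp, cands in match_unreachables(records).items():
        tag = "ambiguous" if len(cands) > 1 else "unique" if cands else "none"
        print(f"udp {udp.saddr}:{udp.sport} -> {udp.daddr}:{udp.dport} "
              f"flags={describe_flags(udp.flgs)} icmp candidates={len(cands)} ({tag})")
```

Shrinking the window narrows the candidate set, but on a busy host pair several probes can land inside any window, so the result is a list of candidates rather than a single answer.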