Does Argus support RST state in UDP flow?

Rahimeh Khodadadi rahimeh.khodadadi at gmail.com
Fri Aug 23 05:53:04 EDT 2013 

Hi Sebas,

Thanks for your helps and quick reply.
I have a pcap file that want to extract  UDP connection which are reset
(like : UDP sent, but got ICMP unreachables or UDP sent, but timed out or a
DNS server responds errors to a queried domain)

But  as far as I see argus couldn't extract such an information, is not it?

another question is how argus make a flow from UDP packets?

Thanks,
Rahimeh


On Fri, Aug 23, 2013 at 1:29 PM, el draco <eldraco at gmail.com> wrote:

> Hi Rahimeh.
> What do you mean with rest? do you mean reset?
> UDP is stateless and transaction-oriented so there are no flag bits
> like the reset bit in TCP.
>
> When you send a UDP packet to close port, you will get an ICMP
> port-unreacheable packet back.
> In argus (unidirectional and bidirectional), that connection is seen
> like this if you use ra:
>
> ra -s +flgs -n -Z b -S localhost - "host x.x.x.x"
>
> StartTime       Dur     Proto   SrcAddr Sport   Dir     DstAddr Dport
>  State   sTos    dTos    TotPkts TotBytes        Flgs
> 2013/08/23 10:55:01.759273    0.000158      udp   y.y.y.y 1528  ->
> x.x.x.x 234  INT  0 1 42 eU
> 2013/08/23 10:55:01.759431    2.053794   icmp x.x.x.x  0x0303  ->
> y.y.y.y 0xea00  URP  192 3 210 e
>
> The state for argus is INT or initial. See man ra
> The icmp packet state is URP or Unreachable port.
>
> However, argus gives you extra information if you print the 'flgs'
> field. This field is 'eU' for the UDP flow, meaning :
> e       -  Ethernet encapsulated flow
> U      -  ICMP Unreachable event mapped to this flow
>
> The problem is that if you have multiple connections like this I do no
> t know how to find which UDP flow is related to which ICMP port.
>
> Hope this helps.
> sebas
>
>
> On Fri, Aug 23, 2013 at 8:37 AM, Rahimeh Khodadadi
> <rahimeh.khodadadi at gmail.com> wrote:
> > Hi,
> >
> > I want to know which udp flows are rest, but I couldn't see them in argus
> > file,
> > Is it possible to see RST udp flow in argus?
> >
> >
> > Thanks,
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130823/ec61b8e7/attachment.html>

More information about the argus mailing list