Does Argus support RST state in UDP flow?

el draco eldraco at gmail.com
Fri Aug 23 10:39:42 EDT 2013 

Hi Rahimeh.

Ok, so:
UDP with reset, could be find as I tell you in the last email.
UDP timeout (filtered port) is difficult, because UDP does not enforce
you to answer. So, you can not tell the difference between filtered
port (timeout) and open port (timeout). That's why nmap says
open|filtered when you scaned a udp port like that. You can be sure
that the port is open if you see some packets back. But that is not
always the case. (nmap tries to talk the exact protocol to enforce an
answer)
UDP that responds erros. This depends on what you consider an error
and is not something you can expect to be on a flow. Argus may help
here if you
store the payload of the connection. But i think it will be a manual job.

I'm not sure how argus creates UDP flows, maybe Carter can tell you or
it is in the code.
I think it is getting the 5-tupple
srchost-srcport-dsthost-dstport-proto . But I'm not developing it.

cheers
sebas

On Fri, Aug 23, 2013 at 11:53 AM, Rahimeh Khodadadi
<rahimeh.khodadadi at gmail.com> wrote:
> Hi Sebas,
>
> Thanks for your helps and quick reply.
> I have a pcap file that want to extract  UDP connection which are reset
> (like : UDP sent, but got ICMP unreachables or UDP sent, but timed out or a
> DNS server responds errors to a queried domain)
>
> But  as far as I see argus couldn't extract such an information, is not it?
>
> another question is how argus make a flow from UDP packets?
>
> Thanks,
> Rahimeh
>
>
> On Fri, Aug 23, 2013 at 1:29 PM, el draco <eldraco at gmail.com> wrote:
>>
>> Hi Rahimeh.
>> What do you mean with rest? do you mean reset?
>> UDP is stateless and transaction-oriented so there are no flag bits
>> like the reset bit in TCP.
>>
>> When you send a UDP packet to close port, you will get an ICMP
>> port-unreacheable packet back.
>> In argus (unidirectional and bidirectional), that connection is seen
>> like this if you use ra:
>>
>> ra -s +flgs -n -Z b -S localhost - "host x.x.x.x"
>>
>> StartTime       Dur     Proto   SrcAddr Sport   Dir     DstAddr Dport
>>  State   sTos    dTos    TotPkts TotBytes        Flgs
>> 2013/08/23 10:55:01.759273    0.000158      udp   y.y.y.y 1528  ->
>> x.x.x.x 234  INT  0 1 42 eU
>> 2013/08/23 10:55:01.759431    2.053794   icmp x.x.x.x  0x0303  ->
>> y.y.y.y 0xea00  URP  192 3 210 e
>>
>> The state for argus is INT or initial. See man ra
>> The icmp packet state is URP or Unreachable port.
>>
>> However, argus gives you extra information if you print the 'flgs'
>> field. This field is 'eU' for the UDP flow, meaning :
>> e       -  Ethernet encapsulated flow
>> U      -  ICMP Unreachable event mapped to this flow
>>
>> The problem is that if you have multiple connections like this I do no
>> t know how to find which UDP flow is related to which ICMP port.
>>
>> Hope this helps.
>> sebas
>>
>>
>> On Fri, Aug 23, 2013 at 8:37 AM, Rahimeh Khodadadi
>> <rahimeh.khodadadi at gmail.com> wrote:
>> > Hi,
>> >
>> > I want to know which udp flows are rest, but I couldn't see them in
>> > argus
>> > file,
>> > Is it possible to see RST udp flow in argus?
>> >
>> >
>> > Thanks,
>
>

More information about the argus mailing list