Does Argus support RST state in UDP flow?

Rahimeh Khodadadi rahimeh.khodadadi at gmail.com
Fri Aug 23 14:24:19 EDT 2013 

Thanks Carter,
Just a another question, for a DNS flow (port 53) which is DNS server
responds errors to a queried domain also use the command?


   ra -r argus.file - udp and icmpmap



On Fri, Aug 23, 2013 at 9:25 PM, Carter Bullard <carter at qosient.com> wrote:

> No, there is no such thing as a UDP flow that is reset.
> This does not exist.  You should use this command instead:
>
>    ra -r argus.file - udp and dst pkts 0
>
> This will show you udp flows that do not get a response.
> This will also show you udp flows that have ICMP packets as response.
>
>    ra -r argus.file - udp and icmpmap
>
> Your argus must see both sides of the flow for this technique to be useful.
>
> Carter
>
> On Aug 23, 2013, at 11:17 AM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
>
> Hi Carter,
>
> This means, if I run command below, it is correct and work fine?
> it gives me udp flow which are reset?
>
>  ra -r argus.file - udp / src pkts 1/ dst pkts 1/ dur gt
> whatever.the.timeout.is.in.
> seconds
>
>
>
> On Fri, Aug 23, 2013 at 7:32 PM, Carter Bullard <carter at qosient.com>wrote:
>
>> Hey Sebas,
>> UDP timed out is tested in two ways.  The first is a simple UDP
>> transactional
>> failure...i.e. no response.  The second is that the duration of the UDP
>> transaction is greater than the timeout.
>>
>>    ra -r argus.file - udp and dst pkts 0
>>    ra -r argus.file - udp and src pkts 1 and dst pkts 1 and dur gt
>> whatever.the.timeout.is.in.seconds
>>
>> The lack of a response is really an availability failure, which can be
>> caused by a reachability, connectivity or availability fault.
>> Reachability
>> failure is packet didn't get to the dst, connectivity failure is a two-way
>> reachability failure, packet didn't get there or didn't make it back, and
>> an availability failure is both of these, or a condition where the
>> application isn't available, or isn't responsive.  argus can discriminate
>> between
>> all of these conditions.
>>
>> You can test both timeout conditions at the same time.
>>
>>    ra -r argus.file - udp and (dst pkts 0 or \
>>       ( src pkts 1 and dst pkts 1 and dur gt
>> whatever.the.timeout.is.in.seconds))
>>
>> (remember you may have to escape the ' ( ' and ' ) ' to get it to work
>> from your shell:
>>
>>    ra -r argus.file udp and \( dst pkts....  \)
>>
>> Where a transaction with no response generates a duration of zero, but
>> this
>> is not a reliable test, even when you're argus is configured to produce
>> nanosecond
>> timestamps.  Many situations can have the request and response marked
>> with the same timestamp, so don't use this test " dur 0 ".
>>
>> For many UDP protocols, argus uses a 6-tuple flow model, where it
>> adds the transaction sequence number to the flow key.  The most important
>> example is DNS.  We for a flow for all packets whose 5-tuple flow
>> attributes
>> match, as well as the DNS sequence number.
>>
>> Remember argus is a proof of concept project implemented with examples,
>> so if you're particular UDP transactional protocol has a sequence number,
>> like SIP for example, and we'd like to create a 6-tuple flow model for it,
>> just ask, and we can generally do that.
>>
>> Carter
>>
>>
>> On Aug 23, 2013, at 10:39 AM, el draco <eldraco at gmail.com> wrote:
>>
>> > Hi Rahimeh.
>> >
>> > Ok, so:
>> > UDP with reset, could be find as I tell you in the last email.
>> > UDP timeout (filtered port) is difficult, because UDP does not enforce
>> > you to answer. So, you can not tell the difference between filtered
>> > port (timeout) and open port (timeout). That's why nmap says
>> > open|filtered when you scaned a udp port like that. You can be sure
>> > that the port is open if you see some packets back. But that is not
>> > always the case. (nmap tries to talk the exact protocol to enforce an
>> > answer)
>> > UDP that responds erros. This depends on what you consider an error
>> > and is not something you can expect to be on a flow. Argus may help
>> > here if you
>> > store the payload of the connection. But i think it will be a manual
>> job.
>> >
>> > I'm not sure how argus creates UDP flows, maybe Carter can tell you or
>> > it is in the code.
>> > I think it is getting the 5-tupple
>> > srchost-srcport-dsthost-dstport-proto . But I'm not developing it.
>> >
>> > cheers
>> > sebas
>> >
>> > On Fri, Aug 23, 2013 at 11:53 AM, Rahimeh Khodadadi
>> > <rahimeh.khodadadi at gmail.com> wrote:
>> >> Hi Sebas,
>> >>
>> >> Thanks for your helps and quick reply.
>> >> I have a pcap file that want to extract  UDP connection which are reset
>> >> (like : UDP sent, but got ICMP unreachables or UDP sent, but timed out
>> or a
>> >> DNS server responds errors to a queried domain)
>> >>
>> >> But  as far as I see argus couldn't extract such an information, is
>> not it?
>> >>
>> >> another question is how argus make a flow from UDP packets?
>> >>
>> >> Thanks,
>> >> Rahimeh
>> >>
>> >>
>> >> On Fri, Aug 23, 2013 at 1:29 PM, el draco <eldraco at gmail.com> wrote:
>> >>>
>> >>> Hi Rahimeh.
>> >>> What do you mean with rest? do you mean reset?
>> >>> UDP is stateless and transaction-oriented so there are no flag bits
>> >>> like the reset bit in TCP.
>> >>>
>> >>> When you send a UDP packet to close port, you will get an ICMP
>> >>> port-unreacheable packet back.
>> >>> In argus (unidirectional and bidirectional), that connection is seen
>> >>> like this if you use ra:
>> >>>
>> >>> ra -s +flgs -n -Z b -S localhost - "host x.x.x.x"
>> >>>
>> >>> StartTime       Dur     Proto   SrcAddr Sport   Dir     DstAddr Dport
>> >>> State   sTos    dTos    TotPkts TotBytes        Flgs
>> >>> 2013/08/23 10:55:01.759273    0.000158      udp   y.y.y.y 1528  ->
>> >>> x.x.x.x 234  INT  0 1 42 eU
>> >>> 2013/08/23 10:55:01.759431    2.053794   icmp x.x.x.x  0x0303  ->
>> >>> y.y.y.y 0xea00  URP  192 3 210 e
>> >>>
>> >>> The state for argus is INT or initial. See man ra
>> >>> The icmp packet state is URP or Unreachable port.
>> >>>
>> >>> However, argus gives you extra information if you print the 'flgs'
>> >>> field. This field is 'eU' for the UDP flow, meaning :
>> >>> e       -  Ethernet encapsulated flow
>> >>> U      -  ICMP Unreachable event mapped to this flow
>> >>>
>> >>> The problem is that if you have multiple connections like this I do no
>> >>> t know how to find which UDP flow is related to which ICMP port.
>> >>>
>> >>> Hope this helps.
>> >>> sebas
>> >>>
>> >>>
>> >>> On Fri, Aug 23, 2013 at 8:37 AM, Rahimeh Khodadadi
>> >>> <rahimeh.khodadadi at gmail.com> wrote:
>> >>>> Hi,
>> >>>>
>> >>>> I want to know which udp flows are rest, but I couldn't see them in
>> >>>> argus
>> >>>> file,
>> >>>> Is it possible to see RST udp flow in argus?
>> >>>>
>> >>>>
>> >>>> Thanks,
>> >>
>> >>
>> >
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130823/732846ad/attachment.html>

More information about the argus mailing list