Direction and IP/TCP timeout settings

Russ Harvey russ-harvey at ucr.edu
Sat Jul 13 13:08:05 EDT 2013


Just to chime in, we are seeing similar direction issues where tcp flows are
showing as '->' rather than the expected '<->'. This makes it difficult to
distinguish between legitimate (http, for example) traffic and scanning. We are
also seeing a lot of 'd' and 's' flags when using ra tools to look at the
capture files, so we would like to understand if there is something wrong with
our implementation, something wrong with our argus configuration, or just what.
We are capturing traffic via fiber taps on our network edges also using
pf_ring+dna.

Thanks,
--russ

On Fri, Jul 12, 2013 at 09:36:56AM -0400, Carter Bullard wrote:
>    Hmmmm, do the new timeouts change the direction problem?
>    That will be the real test, if the memory issues aren't showing
>    themselves, then cool, as long as your traffic looks better.
>    If not, I'll take a look.  Never know where things break down.
>    In some cases, we'll try to make the direction indicator match the
>    traffic, with the central character indicating the confidence.  So, when
>    there is a " ? ", the < or > should change to indicate direction of
>    traffic, since the assignment of flow direction isn't " on ".
>    Carter
>    On Jul 11, 2013, at 7:28 PM, Craig Merchant <cmerchant at responsys.com>
>    wrote:
> 
>      Hey, Carter,
>       
>      We're finding that for about 70% of our flows, Argus can't figure out
>      the direction.  From previous posts, it would seem that the 60 second
>      TCP session timeout is too short.  If I understand correctly, a flow
>      longer than 60 seconds will have its session timeout in the cache and
>      then argus can't really determine what the direction is.
>       
>      The argus.conf file warns of the hit on memory if those settings are
>      adjusted from the defaults.  I've been steadily increasing the TCP and
>      IP timeout values and watching to see if memory consumption jumps up
>      dramatically or if we're seeing fewer events where the direction is
>      uncertain.
>       
>      I've gone as high as a two hour session timeout.  We do something like
>      2.5-8 Gbps 24 hours a day, so I would expect to see a huge increase in
>      Argus memory consumption when increasing the timeout value.  The machine
>      has like 64 GB of memory and top says argus is only using .2%.
>       
>      The settings look like:
>       
>      ARGUS_IP_TIMEOUT=3600
>      ARGUS_TCP_TIMEOUT=7200
>      #ARGUS_ICMP_TIMEOUT=5
>      #ARGUS_IGMP_TIMEOUT=30
>      #ARGUS_FRAG_TIMEOUT=5
>      #ARGUS_ARP_TIMEOUT=5
>      #ARGUS_OTHER_TIMEOUT=30
>       
>      Am I doing something wrong here?  Is there some other setting I need to
>      enable to increase that timeout value?
>       
>      Also, what's the difference between a direction value of ?> vs <?>?
>       
>      Thanks!
>       
>      Craig

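One way to put a number on what Craig and Russ describe (the share of flows whose direction argus could not settle, and how many records carry the 's' and 'd' flags) before and after changing the timeouts is to run ra over the same capture and tally the dir and flgs columns. The Python below is an added example written for this page; it is not code from this thread or from the argus distribution. It assumes ra was invoked as `ra -r argus.out -c , -s stime,flgs,proto,saddr,sport,dir,daddr,dport,state` so that the column names in the header match, treats a '?' in the centre of the dir token as "initiator not confirmed" (Carter's description above), reads 's' and 'd' in flgs as source- and destination-side loss/retransmission marks (this script's reading of the ra flgs column, stated here as an assumption), and uses constructed sample rows rather than real capture data.

```python
"""Tally direction confidence and 's'/'d' flags in ra(1) CSV output.

Added example, not from the argus project.  Assumed ra invocation:

    ra -r argus.out -c , -s stime,flgs,proto,saddr,sport,dir,daddr,dport,state

The dir tokens (->, <-, <->, ?>, <?, <?>) are argus's own.  A '?' as the
centre character means argus was not confident which side started the
flow; the surrounding arrow(s) still show which way packets were seen.
The 's'/'d' flags are counted here as source-/destination-side
loss/retransmission marks (an assumption about the flgs column).
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample rows (padding mimics ra's column output; values are
# made up and are not from a real capture).
SAMPLE_RA_CSV = """\
stime,flgs,proto,saddr,sport,dir,daddr,dport,state
1373634485.123, e      ,tcp,10.0.0.5,51432, ->,192.0.2.10,80,CON
1373634486.001,  s     ,tcp,10.0.0.7,44321,<->,192.0.2.10,443,FIN
1373634487.550,        ,tcp,10.0.0.9,60001, ?>,192.0.2.11,22,CON
1373634488.300,   d    ,tcp,10.0.0.5,51500,<?>,192.0.2.10,80,CON
1373634489.000,        ,tcp,192.0.2.12,80,<?,10.0.0.5,51600,CON
1373634490.200,  sd    ,tcp,10.0.0.8,40000, ->,192.0.2.10,443,RST
1373634491.700,        ,tcp,192.0.2.13,8080,<-,10.0.0.6,35000,CON
1373634492.100,        ,tcp,10.0.0.4,50000,<->,192.0.2.10,80,FIN
"""


def classify_direction(token):
    """Map an ra dir token to (direction, confident).

    direction is 'src_to_dst', 'dst_to_src', 'both' or 'unknown';
    confident is False when the centre character is '?' (argus could not
    confirm the initiator) or when the token carries no arrow at all.
    """
    token = token.strip()
    left, right = token.startswith('<'), token.endswith('>')
    if not (left or right):
        return 'unknown', False
    confident = '?' not in token
    if left and right:
        return 'both', confident
    return ('src_to_dst' if right else 'dst_to_src'), confident


def tally(ra_csv_text):
    """Summarise one ra run: flows with uncertain direction, records with
    's'/'d' flags, and the direction breakdown."""
    reader = csv.DictReader(StringIO(ra_csv_text))
    dirs, uncertain, src_loss, dst_loss, total = Counter(), 0, 0, 0, 0
    for row in reader:
        total += 1
        direction, confident = classify_direction(row['dir'])
        dirs[direction] += 1
        uncertain += 0 if confident else 1
        flags = row['flgs'].strip()
        src_loss += 's' in flags   # assumed: source-side loss/retransmission
        dst_loss += 'd' in flags   # assumed: destination-side loss/retransmission
    return {
        'total': total,
        'uncertain': uncertain,
        'uncertain_fraction': (uncertain / total) if total else 0.0,
        'src_loss_flagged': src_loss,
        'dst_loss_flagged': dst_loss,
        'by_direction': dict(dirs),
    }


if __name__ == '__main__':
    summary = tally(SAMPLE_RA_CSV)
    print(f"{summary['uncertain']}/{summary['total']} flows "
          f"({summary['uncertain_fraction']:.0%}) have uncertain direction")
    print('by direction:', summary['by_direction'])
    print('flagged s/d:', summary['src_loss_flagged'], summary['dst_loss_flagged'])
```

To use it on real data, write ra's output to a file with the invocation above and pass the file contents to `tally()`; running the same capture through ra once with the default ARGUS_TCP_TIMEOUT and once with the raised value gives two `uncertain_fraction` figures to compare, which is a more direct check than watching memory use.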