The direction field

Carter Bullard carter at qosient.com
Mon Jun 10 16:12:29 EDT 2013


Hey Craig,
There is only one reason for the ' ? ' in TCP direction, and
that is for this status record, argus didn't see a TCP SYN or
a SYN_ACK, for this flow.  If argus is seeing all the traffic,
then you would expect that there wouldn't be any ' ? ' for TCP,
but, there is a default 60 sec idle timeout for the TCP cache
in argus, which means if a TCP connection goes quiet for a
minute, then argus will completely forget that it saw the flow.
Any subsequent traffic on the TCP will generate status records,
that will have the ' ? ' in them.

To test this, pick a few TCP ? flow records, and look to see if
these flows were active earlier in the day.  Search for the
ephemeral port number ( > 16K) that's in your sample flow record.

You can change the TCP idle timer in your argus.conf file.
But, the more you increase this idle timer, the more memory you
will use in your probe, so don't crank it up to 10 min or more,
unless you have a lot of memory.

Most windows machines kick out very late closing packets for TCP.
I've seen RSTs come out of windows xp boxes, hours after the
connection was closed…so how many packets are in the flows that
have the ' ? ' ?

If you can't find an earlier flow, then you may not be getting
all the packets.  Do any of your primitive argus records have a
'g' in the status field (record right out of argus, no racluster()) ?
That indicates that you're getting gaps in the packet stream, and
will indicate that either your packet strategy is getting overrun,
or your argus is underpowered.

Carter


On Jun 10, 2013, at 3:18 PM, Craig Merchant <cmerchant at responsys.com> wrote:

> Carter, thanks for such a thorough reply to my last post.  I haven’t had a chance to digest it all yet, but I certainly will.
>  
> I have a question about the direction field.  I saw an older post from November of last year about how the Netflow protocol can make it hard for Argus to determine direction because the unidirectional flow records can appear in reverse order with the same timestamp.
>  
> Are there any similar issues impacting traffic sniffed from the wire?  We use rastream to collect our data:
>  
> /usr/local/bin/rastream -S 10.230.174.40:561 -M time 5m -B 10s -w /ssd/argus/%s.argus -f /usr/local/argus/rastream.sh
>  
> The rastream.sh script launches multiple instances of racluster and then eventually a saved search in Splunk to index the output of racluster.
>  
> I’m seeing something like 60% of my flows with a direction of “<?>” or “?>” (virtually all of them on TCP traffic).  I’ve run tools to analyze the pf_ring DNA/libzero drivers and the packet loss on the 10g link is pretty minimal.  I’m just trying to understand why Argus is having difficulties figuring out the direction of those flows.  I’m also not clear on what the “?>” and “<?” signify for the direction.
>  
> Thanks!
>  
> Craig
>  
>  
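The check Carter suggests (for each TCP record with a '?' direction, look for an earlier record of the same flow on the same ephemeral port, note how many packets it carries, and look for 'g' in the flags of primitive records) as an added example script, not code from the argus project or from either poster. The input is a constructed, comma-separated sample whose column layout (stime,flgs,proto,saddr,sport,dir,daddr,dport,pkts,state) is an assumption for the example; the 60 second idle timeout is the default Carter describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on ra output. The comma-separated
# column layout is an assumption for this example, not a real capture.
SAMPLE = """\
2013-06-10 09:01:02,,tcp,10.1.1.5,45210,->,10.2.2.9,443,44,FIN
2013-06-10 09:05:30,,tcp,10.2.2.9,443,?>,10.1.1.5,45210,3,CON
2013-06-10 11:20:00,,tcp,10.1.1.7,51000,<?>,10.2.2.9,80,2,CON
2013-06-10 11:22:15,g,tcp,10.1.1.8,52222,->,10.2.2.9,22,120,CON
"""

COLUMNS = ("stime", "flgs", "proto", "saddr", "sport", "dir", "daddr", "dport", "pkts", "state")

def parse(text):
    """Turn the separated text into a list of dict records."""
    records = []
    for line in text.strip().splitlines():
        r = dict(zip(COLUMNS, (f.strip() for f in line.split(","))))
        r["stime"] = datetime.strptime(r["stime"], "%Y-%m-%d %H:%M:%S")
        for k in ("sport", "dport", "pkts"):
            r[k] = int(r[k])
        records.append(r)
    return records

def flow_key(r):
    # Endpoints sorted, so a '?' record printed with reversed endpoints still matches.
    return (r["proto"],) + tuple(sorted([(r["saddr"], r["sport"]), (r["daddr"], r["dport"])]))

def ephemeral_port(r):
    # Carter's rule of thumb: the ephemeral (client) side is the port above 16K.
    return max(r["sport"], r["dport"])

def explain_unknown_direction(records, idle=timedelta(seconds=60)):
    """For each TCP record with '?' in dir, look for an earlier record of the same flow."""
    by_key = defaultdict(list)
    for r in records:
        by_key[flow_key(r)].append(r)
    findings = []
    for r in records:
        if r["proto"] != "tcp" or "?" not in r["dir"]:
            continue
        earlier = [p for p in by_key[flow_key(r)] if p["stime"] < r["stime"] and "?" not in p["dir"]]
        if earlier:
            gap = r["stime"] - max(p["stime"] for p in earlier)
            why = ("seen earlier; gap %s exceeds %s idle timeout" % (gap, idle)) if gap > idle else "seen earlier within idle window"
        else:
            why = "no earlier flow on port %d; check for packet loss" % ephemeral_port(r)
        findings.append({"port": ephemeral_port(r), "dir": r["dir"], "pkts": r["pkts"], "why": why})
    return findings

def gap_records(records):
    """Primitive records whose flgs contain 'g', i.e. argus reported gaps in the packet stream."""
    return [r for r in records if "g" in r["flgs"]]
```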
