ra question

David Edelman dedelman at iname.com
Fri Jun 28 20:12:27 EDT 2013


I think that the direction arrow may be confusing you. When it looks like
this '->' it indicates that the flow started (the SYN packet came from) the
address marked as the source. It does not indicate a lack of traffic in the
reverse direction. If you print a bit more, you should see what you are
expecting to see.

This would be enough:

ra -r file -s proto saddr sport dir daddr dport spkts sbytes dpkts dbytes state -Zb - tcp and host 10.1.1.49

Proto   SrcAddr    Sport  Dir  DstAddr        Dport  SrcPkts  SrcBytes  DstPkts  DstBytes  State
  tcp   10.1.1.49  52303   ->  199.38.183.89  ssh         27      3351       28      4229  SPA_SPA

In this case the SYN packet starting the three-way handshake came from the
client (10.1.1.4) and the client sent 27 packets containing 3,351 bytes to
the server (199.38.183.89) which sent back 28 packets containing 4,229
bytes. Both the client and the server set the SYN, PUSH, and ACK flags in
some combination at some time during the interchange (the TCP flags are the
logical or of all the flags that were seen.)



--Dave

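As an added example (not code from this thread or from the argus project), the following Python parses ra output in the field list and -Zb state format shown above and derives what the arrow alone does not tell you: which side sent the SYN, whether packets flowed in both directions, and the cumulative TCP flags seen from each side. The second sample record and the flag letters other than S, P and A are assumptions.

```python
# Field list matching the -s option used in the reply above.
FIELDS = ["proto", "saddr", "sport", "dir", "daddr", "dport",
          "spkts", "sbytes", "dpkts", "dbytes", "state"]

# Assumed mapping of -Zb flag letters to TCP flag names; S, P and A are
# confirmed by the SPA_SPA record in the thread, the rest are assumptions.
FLAG_NAMES = {"S": "SYN", "P": "PUSH", "A": "ACK",
              "F": "FIN", "R": "RST", "U": "URG"}

# Constructed sample: the record from the thread plus an assumed second
# record for a SYN that was never answered (no reply packets, no dst flags).
SAMPLE = """\
Proto SrcAddr Sport Dir DstAddr Dport SrcPkts SrcBytes DstPkts DstBytes State
  tcp 10.1.1.49 52303 -> 199.38.183.89 ssh 27 3351 28 4229 SPA_SPA
  tcp 10.1.1.49 52304 -> 199.38.183.89 ssh 1 60 0 0 S_
"""


def parse_line(line):
    """Split one whitespace-separated ra record into a dict keyed by FIELDS."""
    cols = line.split()
    if len(cols) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns: {line!r}")
    rec = dict(zip(FIELDS, cols))
    for key in ("sport", "dport", "spkts", "sbytes", "dpkts", "dbytes"):
        # ra resolves well-known ports to names ("ssh"); keep those as strings.
        rec[key] = int(rec[key]) if rec[key].isdigit() else rec[key]
    return rec


def parse_output(text):
    """Parse ra output, skipping the header line and blank lines."""
    lines = [l for l in text.splitlines() if l.strip()]
    if lines and lines[0].split()[0] == "Proto":
        lines = lines[1:]
    return [parse_line(l) for l in lines]


def decode_flags(state):
    """Split a -Zb state such as SPA_SPA into (src_flags, dst_flags)."""
    src, _, dst = state.partition("_")
    return ({FLAG_NAMES.get(c, c) for c in src},
            {FLAG_NAMES.get(c, c) for c in dst})


def summarize(rec):
    """Who started the flow, did both sides talk, and what flags each side set."""
    src_flags, dst_flags = decode_flags(rec["state"])
    # '->' means the SYN came from saddr; '<-' would mean it came from daddr.
    initiator = {"->": rec["saddr"], "<-": rec["daddr"]}.get(rec["dir"])
    responder = rec["daddr"] if initiator == rec["saddr"] else rec["saddr"]
    return {"initiator": initiator, "responder": responder,
            "bidirectional": rec["dpkts"] > 0,  # reply packets were seen
            "src_flags": src_flags, "dst_flags": dst_flags,
            "handshake_completed": {"SYN", "ACK"} <= dst_flags and "SYN" in src_flags}
```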

-----Original Message-----
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
Behalf Of Paul Halliday
Sent: Friday, June 28, 2013 6:48 AM
To: argus-info
Subject: [ARGUS] ra question

If I have an established ssh session (well any kind, looked at rdp as
well) and I run something like:

ra -r file - tcp and host 10.0.0.1

my output looks like:

10.0.0.1 -> 10.0.0.2
10.0.0.1 -> 10.0.0.2

while I expect to see:
10.0.0.1 -> 10.0.0.2
10.0.0.1 <- 10.0.0.2

what did I miss?

-- 
Paul Halliday
http://www.pintumbler.org/
