ra question
David Edelman
dedelman at iname.com
Fri Jun 28 20:12:27 EDT 2013
I think that the direction arrow may be confusing you. When it looks like
this '->' it indicates that the flow started (the SYN packet came from) the
address marked as the source. It does not indicate a lack of traffic in the
reverse direction. If you print a bit more, you should see what you are
expecting to see.
This would be enough:

ra -r file -s proto saddr sport dir daddr dport spkts sbytes dpkts dbytes state -Zb - tcp and host 10.1.1.49

Proto  SrcAddr    Sport  Dir  DstAddr        Dport  SrcPkts  SrcBytes  DstPkts  DstBytes  State
tcp    10.1.1.49  52303  ->   199.38.183.89  ssh    27       3351      28       4229      SPA_SPA
In this case the SYN packet starting the three-way handshake came from the
client (10.1.1.4) and the client sent 27 packets containing 3,351 bytes to
the server (199.38.183.89) which sent back 28 packets containing 4,229
bytes. Both the client and the server set the SYN, PUSH, and ACK flags in
some combination at some time during the interchange (the TCP flags are the
logical OR of all the flags that were seen).
--Dave
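To make the two points of the reply concrete (the arrow names the side that sent the SYN, and a single record already carries both directions plus the OR of every flag seen on each side), here is a small parser for `ra` output in the column layout quoted above. It is an added example, not code from the thread or from the argus project. The first sample record is the one from the reply; the second is constructed to show a flow whose initiator sits on the right of a `<-` arrow, reading `<-` as the mirror image of the `->` semantics David describes. The letters S, P and A are confirmed by the thread; the F, R and U mappings are assumed from standard TCP flag names.

```python
"""Parse `ra` flow records and interpret the Dir arrow and TCP State field.

Added example; not part of the original thread or of the argus project.
"""

# Argus abbreviates TCP flags with single letters in the State column.
# S, P and A are confirmed by the thread (SPA_SPA = SYN, PUSH, ACK seen from
# both sides); F, R and U are assumed from the standard TCP flag names and
# are not confirmed by the page.
TCP_FLAG_LETTERS = {
    "S": "SYN", "P": "PUSH", "A": "ACK",
    "F": "FIN", "R": "RST", "U": "URG",
}

# Constructed sample in the column layout shown in the reply. The first
# record is the one quoted in the thread; the second is made up to show a
# flow whose initiator is the address on the right-hand side of the arrow.
RA_OUTPUT = """\
Proto SrcAddr Sport Dir DstAddr Dport SrcPkts SrcBytes DstPkts DstBytes State
tcp 10.1.1.49 52303 -> 199.38.183.89 ssh 27 3351 28 4229 SPA_SPA
tcp 10.1.1.49 ssh <- 198.51.100.7 40211 5 600 4 300 SPA_SPA
"""


def decode_state(state):
    """Split a State value such as 'SPA_SPA' into (src_flags, dst_flags).

    Letters before the underscore are flags seen in packets from SrcAddr,
    letters after it are flags seen from DstAddr. Each half is the logical
    OR of every flag observed on that side over the life of the flow.
    """
    src_part, _, dst_part = state.partition("_")

    def letters_to_flags(part):
        # Unknown letters are kept verbatim rather than silently dropped.
        return frozenset(TCP_FLAG_LETTERS.get(ch, ch) for ch in part)

    return letters_to_flags(src_part), letters_to_flags(dst_part)


def parse_ra(text):
    """Turn whitespace-separated `ra` output (header + rows) into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError("field count does not match header: %r" % line)
        rec = dict(zip(header, fields))
        for key in ("SrcPkts", "SrcBytes", "DstPkts", "DstBytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize(rec):
    """Who sent the SYN, and did traffic move in both directions?"""
    if rec["Dir"] == "->":
        initiator, responder = rec["SrcAddr"], rec["DstAddr"]
    elif rec["Dir"] == "<-":
        initiator, responder = rec["DstAddr"], rec["SrcAddr"]
    else:
        initiator = responder = None  # other Dir values are not covered here
    src_flags, dst_flags = decode_state(rec["State"])
    return {
        "initiator": initiator,
        "responder": responder,
        # A non-zero packet count on both sides is the reverse traffic the
        # original question expected to see as a second, flipped line.
        "bidirectional": rec["SrcPkts"] > 0 and rec["DstPkts"] > 0,
        "total_pkts": rec["SrcPkts"] + rec["DstPkts"],
        "total_bytes": rec["SrcBytes"] + rec["DstBytes"],
        "src_flags": src_flags,
        "dst_flags": dst_flags,
    }


if __name__ == "__main__":
    for rec in parse_ra(RA_OUTPUT):
        print(summarize(rec))
```

For the quoted record the summary reports 10.1.1.49 as initiator, 55 packets and 7,580 bytes in total, and SYN, PUSH and ACK on both sides, which is exactly the information the original question was looking for in a second line.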
-----Original Message-----
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Paul Halliday
Sent: Friday, June 28, 2013 6:48 AM
To: argus-info
Subject: [ARGUS] ra question
If I have an established ssh session (well any kind, looked at rdp as
well) and I run something like:
ra -r file - tcp and host 10.0.0.1
my output looks like:
10.0.0.1 -> 10.0.0.2
10.0.0.1 -> 10.0.0.2
while I expect to see:
10.0.0.1 -> 10.0.0.2
10.0.0.1 <- 10.0.0.2
what did I miss?
--
Paul Halliday
http://www.pintumbler.org/