ra question

Paul Halliday paul.halliday at gmail.com
Sat Jun 29 07:26:47 EDT 2013 

On Fri, Jun 28, 2013 at 9:12 PM, David Edelman <dedelman at iname.com> wrote:
> I think that the direction arrow may be confusing you. When it looks like
> this '->' it indicates that the flow started (the SYN packet came from) the
> address marked as the source. It does not indicate a lack of traffic in the
> reverse direction. If you print a bit more, you should see what you are
> expecting to see.
>
> This would be enough  ra -r file -s proto saddr sport dir daddr dport spkts
> sbytes dpkts dbytes state -Zb  - tcp and host 10.1.1.49
>
> Proto            SrcAddr  Sport   Dir            DstAddr  Dport  SrcPkts
> SrcBytes  DstPkts     DstBytes            State
>    tcp          10.1.1.49 52303     ->      199.38.183.89 ssh          27
> 3351       28         4229          SPA_SPA
>
> In this case the SYN packet starting the three-way handshake came from the
> client (10.1.1.4) and the client sent 27 packets containing 3,351 bytes to
> the server (199.38.183.89) which sent back 28 packets containing 4,229
> bytes. Both the client and the server set the SYN, PUSH, and ACK flags in
> some combination at some time during the interchange (the TCP flags are the
> logical or of all the flags that were seen.)

Wow, I wasn't even close. I get it now. I am so used to seeing:

src > dst
dst > src

that my availability bias kicked in

Thanks.

>
>
>
> --Dave
>
>
> -----Original Message-----
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
> Behalf Of Paul Halliday
> Sent: Friday, June 28, 2013 6:48 AM
> To: argus-info
> Subject: [ARGUS] ra question
>
> If I have an established ssh session (well any kind, looked at rdp as
> well) and I run something like:
>
> ra -r file - tcp and host 10.0.0.1
>
> my output looks like:
>
> 10.0.0.1 -> 10.0.0.2
> 10.0.0.1 -> 10.0.0.2
>
> while I expect to see:
> 10.0.0.1 -> 10.0.0.2
> 10.0.0.1 <- 10.0.0.2
>
> what did I miss?
>
> --
> Paul Halliday
> http://www.pintumbler.org/
>



-- 
Paul Halliday
http://www.pintumbler.org/

More information about the argus mailing list