INT vs REQ
Carter Bullard
carter at qosient.com
Wed Oct 23 10:54:28 EDT 2013
Sorry to have been terse in my last email, I was using my phone, …
So, check to see if this is consistent with what you are seeing.
INT - Initial observance of traffic on this flow. You should see this for the first report of a new flow.
REQ - Requested service. This is indicated for long lived unidirectional flows without a response.
CON - Connected service. This is indicated for bi-directional flows, determined by direct observation of packets in both directions, or state, in the case of TCP, seeing data transfer states.
So for a long-lived uni-directional UDP-like flow, you should see
the first report is an INT flow, and subsequent status flows
should be REQ.
Carter
On Oct 22, 2013, at 9:15 AM, elof2 at sentor.se wrote:
>
> Hi Carter!
>
> I just noticed this:
>
> My udp flows, when using ra -Zb, are usually CON, then there are lots of REQ and lastly there are some INT.
>
>
> The ra manual says:
> REQ|INT (requested|initial)
> This indicates that this is the initial state report for a transaction
> and is seen only when the argus-server is in DETAIL mode. For
> TCP connections this is REQ, indicating that a connection is being
> requested. For the connectionless protocols, such as UDP, this is
> INT.
>
>
> Why are some udp packets REQ while others are INT?
> Shouldn't all unconnected UDP packets be INT?
>
>
> (note, an old version of ra was used here: 3.0.6.2)
>
> /Elof
>
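
Added example, not part of the original thread and not Argus code: a small consistency check for the expectation stated in the reply above, that a uni-directional UDP flow reports INT first and REQ afterwards. The record layout (start time, protocol, addresses, ports, state) and the sample records are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records (not real capture data). Assumed column layout:
# start time, protocol, source addr, source port, dest addr, dest port, state.
SAMPLE = """\
1382450000.10,udp,192.0.2.10,5004,198.51.100.7,5004,INT
1382450060.10,udp,192.0.2.10,5004,198.51.100.7,5004,REQ
1382450120.10,udp,192.0.2.10,5004,198.51.100.7,5004,REQ
1382450001.00,udp,192.0.2.11,40000,198.51.100.53,53,CON
1382450002.00,udp,192.0.2.12,6000,198.51.100.9,6000,REQ
1382450062.00,udp,192.0.2.12,6000,198.51.100.9,6000,REQ
1382450122.00,udp,192.0.2.12,6000,198.51.100.9,6000,INT
"""

def load_flows(text):
    """Group state reports by flow key, ordered by start time."""
    flows = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 7:
            continue  # skip blank or malformed lines
        stime, proto, saddr, sport, daddr, dport, state = (f.strip() for f in row)
        key = (proto.lower(), saddr, sport, daddr, dport)
        flows[key].append((float(stime), state.upper()))
    return {k: [s for _, s in sorted(v)] for k, v in flows.items()}

def check_unidirectional_udp(flows):
    """Return {flow_key: reason} for UDP flows that never reached CON but whose
    report sequence is not INT followed only by REQ."""
    findings = {}
    for key, states in flows.items():
        if key[0] != "udp" or "CON" in states:
            continue  # only flows without an observed response are checked
        if states[0] != "INT":
            findings[key] = f"first report is {states[0]}, expected INT"
        elif any(s != "REQ" for s in states[1:]):
            findings[key] = "report after the first is not REQ"
    return findings

if __name__ == "__main__":
    for key, reason in check_unidirectional_udp(load_flows(SAMPLE)).items():
        print(key, reason)
```

Records must be ordered by time before the check; an INT that appears last in displayed output may only reflect the display order.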