INT vs REQ
elof2 at sentor.se
Wed Oct 23 15:10:20 EDT 2013
No worries!
I'm really hoping I'll have some free hours some day to create and send
you some argus-logs/pcaps to test, and perform some testing of my own.
Thanks for your swift responses and code changes!
/Elof
On Wed, 23 Oct 2013, Carter Bullard wrote:
> Sorry to have been terse in my last email, I was using my phone, …
> So, check to see if this is consistent with what you are seeing.
>
> INT - Initial observance of traffic on this flow. You
> should see this for the first report of a new flow.
>
> REQ - Requested service. This is indicated for long lived
> unidirectional flows without a response.
>
> CON - Connected service. This is indicated for bi-directional
> flows, determined by direct observation of packets in both
> directions, or state, in the case of TCP, seeing data
> transfer states.
>
> So for a long-lived uni-directional UDP-like flow, you should see
> the first report is an INT flow, and subsequent status flows
> should be REQ.
>
> Carter
>
>
> On Oct 22, 2013, at 9:15 AM, elof2 at sentor.se wrote:
>
>>
>> Hi Carter!
>>
>> I just noticed this:
>>
>> My udp flows, when using ra -Zb, are usually CON, then there are lots of REQ and lastly there are some INT.
>>
>>
>> The ra manual says:
>> REQ|INT (requested|initial)
>> This indicates that this is the initial state report for a transaction
>> and is seen only when the argus-server is in DETAIL mode. For
>> TCP connections this is REQ, indicating that a connection is being
>> requested. For the connectionless protocols, such as UDP, this is
>> INT.
>>
>>
>> Why are some udp packets REQ while others are INT?
>> Shouldn't all unconnected UDP packets be INT?
>>
>>
>> (note, an old version of ra was used here: 3.0.6.2)
>>
>> /Elof
>>
>
>
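The INT/REQ/CON rule of thumb Carter gives above, written out as a small flow tracker. This is an added illustration, not argus or ra code: it walks a constructed list of per-flow status reports (packet counts in each direction per report interval) and assigns a state the way the explanation describes. The 5-tuple key, the StatusReport/FlowTracker names and the sample records are all assumptions made for the example; TCP's data-transfer-state rule is not modelled, only direct observation of packets in both directions, and a first report that already shows both directions is treated as CON rather than INT, which is an assumption, not something the thread states.

```python
"""Toy re-implementation of the INT/REQ/CON rule of thumb from the thread.

Added example, not argus/ra code.  Each StatusReport is one constructed
argus status record for a flow; reports arrive in sensor order and the
tracker remembers what it has already seen per flow.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (proto, saddr, sport, daddr, dport) -- assumed flow key for this example.
FlowKey = Tuple[str, str, int, str, int]


@dataclass
class StatusReport:
    """One status record for a flow (constructed for the example)."""
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    spkts: int  # packets seen src -> dst during this report interval
    dpkts: int  # packets seen dst -> src during this report interval

    def key(self) -> FlowKey:
        return (self.proto, self.saddr, self.sport, self.daddr, self.dport)


@dataclass
class FlowTracker:
    """Cumulative per-direction packet counts for every flow reported so far."""
    seen: Dict[FlowKey, Tuple[int, int]] = field(default_factory=dict)

    def classify(self, rep: StatusReport) -> str:
        k = rep.key()
        first = k not in self.seen
        s, d = self.seen.get(k, (0, 0))
        s, d = s + rep.spkts, d + rep.dpkts
        self.seen[k] = (s, d)
        if s > 0 and d > 0:
            # CON: packets directly observed in both directions over the
            # flow's life (assumption: this wins even on a first report).
            return "CON"
        if first:
            # INT: initial observance of traffic on a new flow.
            return "INT"
        # REQ: a continuing, still unidirectional flow with no response.
        return "REQ"


def classify_all(reports: List[StatusReport]) -> List[str]:
    """Assign a state to each report in order, sharing one tracker."""
    tracker = FlowTracker()
    return [tracker.classify(r) for r in reports]


# Constructed sample: flow A is a long-lived one-way UDP stream (syslog-like),
# flow B answers within its first interval, flow C starts one-way and then
# gets a reply.  Interleaved the way a sensor would emit them.
SAMPLE = [
    StatusReport("udp", "10.0.0.5", 40000, "10.0.0.9", 514, 12, 0),  # A
    StatusReport("udp", "10.0.0.5", 53001, "10.0.0.2", 53, 1, 1),    # B
    StatusReport("udp", "10.0.0.5", 40000, "10.0.0.9", 514, 15, 0),  # A
    StatusReport("udp", "10.0.0.7", 5000, "10.0.0.8", 5000, 3, 0),   # C
    StatusReport("udp", "10.0.0.5", 40000, "10.0.0.9", 514, 9, 0),   # A
    StatusReport("udp", "10.0.0.7", 5000, "10.0.0.8", 5000, 2, 2),   # C
    StatusReport("udp", "10.0.0.5", 40000, "10.0.0.9", 514, 11, 0),  # A
]


if __name__ == "__main__":
    for rep, state in zip(SAMPLE, classify_all(SAMPLE)):
        print(f"{rep.proto} {rep.saddr}:{rep.sport} -> {rep.daddr}:{rep.dport} "
              f"spkts={rep.spkts} dpkts={rep.dpkts} state={state}")
```

Run against the sample, flow A comes out as INT followed by REQ on every later report, which is the pattern Carter says to expect for a long-lived one-way UDP flow; flow C shows the INT-then-CON transition once a reply is seen.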