TCP port 0 or *?

Carter Bullard carter at qosient.com
Mon Aug 18 08:12:23 EDT 2014


Hey John,
These are partial fragment flows, where argus didn't see the first fragment packet. The fragments don't have either a TCP or UDP header, so there aren't any port numbers to generate the 5-tuple flow record. Argus tracks fragments, but it needs to see the first one to put them all together. You should be able to filter them out with "not fragonly" or "not frag".

So why are you getting so many partial fragments, i.e. why don't you see the first one?? Load too high so you're dropping lots of packets?? Load balancers and you're seeing only one link of the balance?? PF_RING??? Gigamons?? Do you see 5-tuple flows that have fragments ('F' in the flgs field)?

Carter


> On Aug 17, 2014, at 9:20 PM, "John T. Myers" <myersj0 at gmail.com> wrote:
> 
> I am trying to use Argus to log non-aggregated/processed flow into MySQL, but rasqlinsert sets the port numbers to 0 (or * when just using ra) whenever the “f” partial fragmentation flag is set. Is there a way to just ignore that through a filter ... because it fills up more database rows than any other flows that are being collected.
> 
> This happens with a simple: ra -S someipaddress:port ip 
> 
> Thanks!
> 
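As an added illustration (not code from this thread or from argus itself), here is a small Python model of the mechanism Carter describes: only the first fragment carries the TCP/UDP header, so a sensor that misses it cannot recover the ports and can only emit a partial-fragment record. The packets are constructed, and `FragTracker` and `not_fragonly` are simplified stand-ins for argus's real flow keying and its `fragonly` filter.

```python
import struct
from typing import Dict, List, Optional, Tuple


def ipv4_fragment(src: str, dst: str, ident: int, more: bool, offset: int,
                  proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet (20-byte header, checksum left 0); offset in bytes."""
    frag = (0x2000 if more else 0) | ((offset // 8) & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload


class FragTracker:
    """Keys packets into a 5-tuple the way a flow sensor must: only the first fragment (offset 0)
    carries the TCP/UDP header, so later fragments get ports via the (src, dst, id, proto) key,
    which exists only if the first fragment was seen. Otherwise the record is a partial
    fragment: flgs 'f', ports unknown (ra prints '*', rasqlinsert stores 0)."""

    def __init__(self) -> None:
        self.ports: Dict[tuple, Tuple[Optional[int], Optional[int]]] = {}

    def feed(self, pkt: bytes) -> tuple:
        ihl = (pkt[0] & 0x0F) * 4
        ident, frag = struct.unpack("!HH", pkt[4:8])
        proto, src, dst = pkt[9], ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
        more, offset = bool(frag & 0x2000), (frag & 0x1FFF) * 8
        key = (src, dst, ident, proto)
        if offset == 0:                    # L4 header present: read the ports directly
            sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4]) if proto in (6, 17) else (None, None)
            if more:                       # first of several: remember ports for the rest
                self.ports[key] = (sport, dport)
            flgs = "F" if more else ""
        elif key in self.ports:            # later fragment, first one was seen
            (sport, dport), flgs = self.ports[key], "F"
        else:                              # later fragment, first one never seen
            (sport, dport), flgs = (None, None), "f"
        return (flgs, src, sport, dst, dport)   # flgs, saddr, sport, daddr, dport


def not_fragonly(records: List[tuple]) -> List[tuple]:
    """Same effect as the 'not fragonly' filter: drop records that are only partial fragments."""
    return [r for r in records if r[0] != "f"]


# Constructed sample: one UDP datagram 10.0.0.1:40000 -> 10.0.0.2:53 split into two fragments.
FRAG1 = ipv4_fragment("10.0.0.1", "10.0.0.2", 0x1234, True, 0, 17,
                      struct.pack("!HHHH", 40000, 53, 24, 0) + b"A" * 8)
FRAG2 = ipv4_fragment("10.0.0.1", "10.0.0.2", 0x1234, False, 16, 17, b"B" * 8)


def run(first_seen: bool) -> List[tuple]:
    """first_seen=False simulates the sensor missing the first fragment (drops, one-way balancing)."""
    tracker = FragTracker()
    return [tracker.feed(p) for p in ([FRAG1, FRAG2] if first_seen else [FRAG2])]
```

Counting how often `run(False)`-style records appear relative to 'F' records on a real sensor is the diagnostic Carter asks for: many 'f' records with few 'F' records points at packet loss or at seeing only one direction of a balanced link.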