TCP port 0 or *?

Carter Bullard carter at qosient.com
Mon Aug 18 10:35:35 EDT 2014


Oh my, try using argus-3.0.8 and argus-clients-3.0.8 from
the development server.  It's about to be released, only waiting
for me to find the time to finish the last pass on man pages.

   http://qosient.com/argus/dev/argus-latest.tar.gz
   http://qosient.com/argus/dev/argus-clients-latest.tar.gz


Carter

On Aug 18, 2014, at 9:13 AM, John T. Myers <myersj0 at gmail.com> wrote:

> I am using version 3.0.6
> 
> Here are my results:
> ra -S 192.168.87.211:1776 - local not fragonly
> ra[25818]: 09:10:39.890034 not fragonly filter syntax error
> 
> ra -S 192.168.87.211:1776 - ip and not frag
> Still shows all packets with a ‘f’ flg set, for example, some of my output from ra:
>    09:12:52.933445  e    f      tcp     192.168.87.202.*         ->     192.168.87.230.*             1       1514   INT
>    09:12:52.936886  e           tcp     192.168.87.202.50773     ->     192.168.87.230.mysql        16       1430   FIN
>    09:12:52.942989  e i         tcp     192.168.87.202.50774     ->     192.168.87.230.mysql        15       1243   FIN
>    09:12:52.948681  e i         tcp     192.168.87.202.50775     ->     192.168.87.230.mysql        21       2576   FIN
>    09:12:52.987558  e           tcp     192.168.87.211.36295    <?>     192.168.87.230.mysql        88      33192   CON
>    09:12:53.375496  e           tcp     192.168.87.202.50776     ->     192.168.87.230.mysql        16       2045   FIN
>    09:12:53.382321  e           tcp     192.168.87.202.50777     ->     192.168.87.230.mysql        22       4287   FIN
>    09:12:53.852959  e    f      tcp     192.168.87.202.*         ->     192.168.87.230.*             1       1514   INT
> On August 18, 2014 at 9:07:37 AM, Carter Bullard (carter at qosient.com) wrote:
> 
>> Hey John,
>> I'll look at the filter.  Does the filter "local not fragonly" work ?
>> 
>> The remote argus source may not have the filter syntax support,
>> so the "local" does the filtering in the receiver.
>> 
>> Try the filter "ip and not frag" ????
>> 
>> Sorry not near any code right this second.
>> What version are you using ????
>> 
>> Carter
>> 
>> On Aug 18, 2014, at 9:02 AM, "John T. Myers" <myersj0 at gmail.com> wrote:
>> 
>>>> Also, in testing those filters ‘fragonly’ does not appear to work.
>>>> 
>>>> ra -S 192.168.87.211:1776 - fragonly
>>>> ra[25298]: 08:48:25.562475 remote Filter error
>>> 
>>> And when I run : 
>>> 
>>> ra -S 192.168.87.211:1776 - ip and frag
>>> 
>>> I get no output at all so I’m not sure if that primitive is actually filtering partial fragments out or just looking for ‘F’ flgs to filter on.
>>> 
>>> 
>>> 
>>> John
>>> 
>>> 
>>> 
>>> On August 18, 2014 at 8:40:06 AM, John T. Myers (myersj0 at gmail.com) wrote:
>>> 
>>>> Carter,
>>>> 
>>>> I’m not seeing any ‘F’ in the flgs field, but I am seeing some ‘g’aps. This collect is just from a VM where there is very little traffic. All of the partial ‘f’ragments are being caused by a MySQL connection (between MySQL Workbench and a DB that rasqlinsert is feeding into). We’re talking < 100 flows per second so I’m wondering why it’s missing the first fragmented packet.
>>>> 
>>>> 
>>>> On August 18, 2014 at 8:12:24 AM, Carter Bullard (carter at qosient.com) wrote:
>>>> 
>>>>> Hey John,
>>>>> These are partial fragment flows, where argus didn't see the first fragment packet.  The fragments don't have either a TCP or UDP header so there aren't any port numbers to generate the 5-tuple flow record.  Argus tracks fragments, but it needs to see the first one to put them all together.   You should be able to filter them out with "not fragonly" or "not frag".
>>>>> 
>>>>> So why are you getting so many partial fragments, ie why don't you see the first one ??  Load too high so you're dropping lots of packets??  Load balancers and you're seeing only one link of the balance??  PF_RING ???  Gigamons ??  Do you see 5-tuple flows that have fragments ( 'F' in the flgs field) ?
>>>>> 
>>>>> Carter
>>>>> 
>>>>> 
>>>>> On Aug 17, 2014, at 9:20 PM, "John T. Myers" <myersj0 at gmail.com> wrote:
>>>>> 
>>>>>> I am trying to use Argus to log non-aggregated/processed flow into MySQL, but rasqlinsert sets the port numbers to 0 (or * when just using ra) whenever the “f” partial fragmentation flag is set. Is there a way to just ignore that through a filter ... because it fills up more database rows than any other flows that are being collected.
>>>>>> 
>>>>>> This happens with a simple: ra -S someipaddress:port ip 
>>>>>> 
>>>>>> Thanks!
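Carter's point above, that a non-first IP fragment has no TCP/UDP header and so no ports unless the first fragment was also seen, worked through in code. This is an added example and not Argus code; the addresses, IP ID 0x1234 and packet contents are constructed, and the tracker is a simplified stand-in for how a sensor can key fragments on (src, dst, id, proto).

```python
# Added example (not Argus code): a non-first IPv4 fragment carries no TCP/UDP
# header, so its ports are only known if the sensor also saw the first fragment.
# All packets and addresses below are constructed for this demonstration.
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def build_ipv4(src, dst, ident, proto, offset, more_frags, payload):
    """IPv4 header + payload; offset is in bytes and must be a multiple of 8."""
    flags_off = (0x2000 if more_frags else 0) | (offset // 8)  # MF flag, 13-bit offset
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), ident, flags_off, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, ident, proto, offset_bytes, more_frags, payload)."""
    f = struct.unpack(IPV4_FMT, pkt[:20])
    return (socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), f[3], f[6],
            (f[4] & 0x1FFF) * 8, bool(f[4] & 0x2000), pkt[(f[0] & 0x0F) * 4:])

class FragmentTracker:
    """Keep the ports from first fragments so later fragments can be matched up."""
    def __init__(self):
        self.first_ports = {}  # (src, dst, ident, proto) -> (sport, dport)

    def flow_key(self, pkt):
        src, dst, ident, proto, offset, more_frags, payload = parse_ipv4(pkt)
        frag_id = (src, dst, ident, proto)
        if offset == 0:
            # Only the first fragment holds the transport header with the ports.
            sport, dport = struct.unpack("!HH", payload[:4]) if proto in (6, 17) else (None, None)
            if more_frags:
                self.first_ports[frag_id] = (sport, dport)
        else:
            # Non-first fragment: without the first one the ports stay unknown.
            sport, dport = self.first_ports.get(frag_id, (None, None))
        return src, dst, proto, sport, dport

def render(key):  # format the flow the way ra prints it: unknown ports become '*'
    src, dst, _proto, sport, dport = key
    return f"{src}.{'*' if sport is None else sport} -> {dst}.{'*' if dport is None else dport}"

def demo():
    tcp_hdr = struct.pack("!HH", 50773, 3306) + b"\x00" * 16  # ports + padding
    first = build_ipv4("192.168.87.202", "192.168.87.230", 0x1234, 6, 0, True, tcp_hdr + b"A" * 1460)
    second = build_ipv4("192.168.87.202", "192.168.87.230", 0x1234, 6, 1480, False, b"B" * 100)
    complete = FragmentTracker()  # sensor that saw both fragments
    full = [render(complete.flow_key(p)) for p in (first, second)]
    partial = render(FragmentTracker().flow_key(second))  # sensor that missed the first
    return full, partial
```

The second sensor produces the `*` ports the thread is about, because the only packet it saw has no transport header to read them from.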
