Direction issues

Carter Bullard carter at qosient.com
Mon Dec 8 19:02:35 EST 2014


Hey John,
This is the result of the flow going idle for longer than the flow idle time.
Argus has discarded the flow cache, and when the first packet is observed,
it's not part of connection establishment (neither SYN nor SYNACK), so we
don’t know what direction the flow was in.  The direction that is observed
is based on the first packet seen.

For TCP traffic, the default is like 60 seconds, this can be configured in your
argus.conf file.

The fix is to use the argus-3.0.8 clients feature to correct the direction of
flows when there is this ambiguity.  To use the feature, set this variable in 
your .rarc file.

RA_PORT_DIRECTION="services,wellknown"

The client will set the flows such that the 445 port (services) will
be the destination port.  These rules only apply when the dir is “<?>”
and should fix this specific issue.

Carter

> On Dec 8, 2014, at 4:42 PM, John T. Myers <myersj0 at gmail.com> wrote:
> 
> Hi,
> 
> I’m having trouble with flows where direction is unable to be determined. In this sample session, http://pastebin.com/LK0xhgdP, the latter parts of the session have the <?> string as the direction. Aggregating these flows ends up in creating 2 separate sessions, when it was really one.
> 
> Is there a way to troubleshoot why the direction is unable to be determined? There is no NATing, etc on the network I was testing on.
> 
> Thanks!
> John
> 
> 
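
As an added illustration (not argus code and not part of this thread): a small Python model of the port-based re-orientation Carter describes, applied only to records whose direction is "<?>", and showing why a split session aggregates back into one key afterwards. The matching rules assumed here, "services" meaning the port is in a services table and "wellknown" meaning the port is below 1024, are assumptions, not taken from the argus source.

```python
# Added example, not from argus: model how a port-based direction rule can
# re-orient flow records whose direction is ambiguous ("<?>") so that all
# records of one TCP session share a single aggregation key.
from collections import Counter

# Constructed stand-in for /etc/services (assumption: "services" means the
# port appears in this table).
SERVICES = {22: "ssh", 80: "http", 443: "https", 445: "microsoft-ds"}

def is_service(port, rules):
    """True if PORT counts as a service port under the configured RULES."""
    if "services" in rules and port in SERVICES:
        return True
    if "wellknown" in rules and port < 1024:  # assumption: wellknown = < 1024
        return True
    return False

def orient(flow, rules=("services", "wellknown")):
    """Swap src/dst when the direction is ambiguous and only the source port
    looks like a service port; flows oriented from SYN/SYNACK are untouched."""
    if flow["dir"] != "<?>":
        return flow
    if is_service(flow["sport"], rules) and not is_service(flow["dport"], rules):
        return {**flow, "saddr": flow["daddr"], "daddr": flow["saddr"],
                "sport": flow["dport"], "dport": flow["sport"]}
    return flow

def session_key(flow):
    return (flow["saddr"], flow["sport"], flow["daddr"], flow["dport"])

def aggregate(flows, rules=("services", "wellknown")):
    """Count records per session key after orientation."""
    return Counter(session_key(orient(f, rules)) for f in flows)

# Constructed records: the first was seen from the SYN; the later two were
# created after the flow idle timeout from a mid-session packet, so whichever
# side sent that packet was recorded as the source and the direction is "<?>".
FLOWS = [
    {"saddr": "10.0.0.5", "sport": 51234, "daddr": "10.0.0.9", "dport": 445, "dir": "->"},
    {"saddr": "10.0.0.9", "sport": 445, "daddr": "10.0.0.5", "dport": 51234, "dir": "<?>"},
    {"saddr": "10.0.0.5", "sport": 51234, "daddr": "10.0.0.9", "dport": 445, "dir": "<?>"},
]

if __name__ == "__main__":
    print(aggregate(FLOWS, rules=()))  # two keys: the session is split
    print(aggregate(FLOWS))            # one key after port-based orientation
```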


