Direction issues

John T. Myers myersj0 at gmail.com
Tue Dec 9 14:16:50 EST 2014


Carter,

I’ve created a .rarc file in the home directory of the user running rasqlinsert and this problem still persists. How can I confirm that the file is being parsed and being used by the ra* client?

Thanks,
John
> On Dec 8, 2014, at 7:02 PM, Carter Bullard <carter at qosient.com> wrote:
> 
> Hey John,
> This is the result of the flow going idle for longer than the flow idle time.
> Argus has discarded the flow cache, and when the first packet is observed,
> it's not part of connection establishment (neither SYN nor SYNACK), so we
> don’t know what direction the flow was in.  The direction that is observed
> is based on the first packet seen.
> 
> For TCP traffic, the default is like 60 seconds, this can be configured in your
> argus.conf file.
> 
> The fix is to use the argus-3.0.8 clients feature to correct the direction of
> flows when there is this ambiguity.  To use the feature, set this variable in 
> your .rarc file.
> 
> RA_PORT_DIRECTION="services,wellknown"
> 
> The client will set the flows such that the 445 port (services) will
> be the destination port.  These rules only apply when the dir is “<?>”
> and should fix this specific issue.
> 
> Carter
> 
>> On Dec 8, 2014, at 4:42 PM, John T. Myers <myersj0 at gmail.com> wrote:
>> 
>> Hi,
>> 
>> I’m having trouble with flows where direction is unable to be determined. In this sample session, http://pastebin.com/LK0xhgdP, the latter parts of the session have the <?> string as the direction. Aggregating these flows ends up in creating 2 separate sessions, when it was really one.
>> 
>> Is there a way to troubleshoot why the direction is unable to be determined? There is no NATing, etc on the network I was testing on.
>> 
>> Thanks!
>> John
>> 
>> 
> 
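The direction repair Carter describes, worked through as an added example (this is not argus or ra* client code and is not from anyone in the thread): a flow whose direction is "<?>" gets the side with the service port as its destination, so that a session split by the idle timeout aggregates back into one. The flow record layout, the services table and the three sample flows are constructed here; reading "services" as "port listed in a services table" and "wellknown" as "port below 1024" is an assumption about what those two keywords mean.

```python
"""Direction repair for flow records whose direction is unknown ('<?>').

Added example, not argus code. When the flow cache is discarded after the
idle timeout and the next packet seen is not a SYN/SYNACK, the sensor cannot
tell which side is the client. The ra* client setting
RA_PORT_DIRECTION="services,wellknown" resolves that by treating the side
with a service port (e.g. 445) as the destination. This models that rule.
"""
from collections import defaultdict
from dataclasses import dataclass, replace

# Constructed subset of a services table (port -> name); the real clients
# would consult /etc/services or their own table.
SERVICES = {22: "ssh", 25: "smtp", 80: "http", 443: "https", 445: "microsoft-ds"}


@dataclass(frozen=True)
class Flow:
    saddr: str
    sport: int
    daddr: str
    dport: int
    proto: str
    direction: str   # "->" when seen from the SYN, "<?>" when unknown
    nbytes: int


def correct_direction(flow, services=SERVICES, wellknown=True):
    """Return the flow with direction fixed if it was '<?>', else unchanged.

    Rule 1 ("services", assumed meaning): a port in the services table is the
    server side.  Rule 2 ("wellknown", assumed meaning): if rule 1 cannot
    decide, fall back to the IANA well-known range (< 1024).  If both rules
    are still ambiguous the record is left as '<?>'.
    """
    if flow.direction != "<?>":
        return flow
    s_svc, d_svc = flow.sport in services, flow.dport in services
    if s_svc == d_svc and wellknown:
        s_svc, d_svc = flow.sport < 1024, flow.dport < 1024
    if d_svc and not s_svc:
        # Service already on the destination side: only the label changes.
        return replace(flow, direction="->")
    if s_svc and not d_svc:
        # Service on the source side: swap endpoints so the server is dst.
        return Flow(flow.daddr, flow.dport, flow.saddr, flow.sport,
                    flow.proto, "->", flow.nbytes)
    return flow


def session_key(flow):
    """Key used to aggregate flow records into one session."""
    return (flow.saddr, flow.sport, flow.daddr, flow.dport, flow.proto)


def aggregate(flows):
    """Sum bytes per session key; returns {key: total_bytes}."""
    sessions = defaultdict(int)
    for f in flows:
        sessions[session_key(f)] += f.nbytes
    return dict(sessions)


# Constructed sample: one SMB session, split by the idle timeout. The second
# record was created from a server->client packet, so the tuple is reversed.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 51234, "10.0.0.20", 445, "tcp", "->", 1500),
    Flow("10.0.0.20", 445, "10.0.0.5", 51234, "tcp", "<?>", 900),
    Flow("10.0.0.5", 51234, "10.0.0.20", 445, "tcp", "<?>", 300),
]
# Both ports ephemeral: the rules cannot decide and the record stays '<?>'.
AMBIGUOUS_FLOW = Flow("10.0.0.7", 40000, "10.0.0.9", 41000, "tcp", "<?>", 10)


def sessions_before_and_after(flows=SAMPLE_FLOWS):
    """Number of sessions seen without and with direction correction."""
    raw = aggregate(flows)
    fixed = aggregate(correct_direction(f) for f in flows)
    return len(raw), len(fixed)


if __name__ == "__main__":
    before, after = sessions_before_and_after()
    print(f"sessions without correction: {before}, with correction: {after}")
    for f in SAMPLE_FLOWS:
        print(correct_direction(f))
```

The sample reproduces the symptom from the first message: aggregating the raw records yields two sessions because the "<?>" record created from a server-to-client packet has a reversed 5-tuple, while aggregating after the port-direction rule yields one.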