Problem with the directionality of flows

el draco eldraco at gmail.com
Mon Dec 15 13:27:04 EST 2014


Hi list. I have an issue and I hope you can help me.

I have a pcap file with botnet stuff. In the test.pcap file I'm attaching
you can find a connection made to one IP. I created this pcap by only
filtering this IP.

Using a bidirectional argus configuration and an
ARGUS_FLOW_STATUS_INTERVAL=3600 I get:

argus -F /etc/argus.conf -r test.pcap -w - | ra -n -Z b -r - -F /etc/ra.conf | less

StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2012/05/25 12:30:01.862376,3588.929932,tcp,192.168.0.9,49182,->,68.39.104.225,3080,SPA_SPA,0,0,1534,821432,51762,
2012/05/25 13:30:35.414493,3557.665283,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_PA,0,0,371,23272,13180,
2012/05/25 14:30:37.785205,1396.160522,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_PA,0,0,166,10554,6048,

So far it is ok for me.


But now when I try to obtain the UNIDIRECTIONAL flows I get (also using
ARGUS_FLOW_STATUS_INTERVAL=3600):

argus -F /etc/argus.conf.uni -r test.pcap -w - | ra -n -Z b -r - -F /etc/ra.conf | less


StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2012/05/25 12:30:01.862376,3588.532959,tcp,192.168.0.9,49182,->,68.39.104.225,3080,SPA_,0,,842,51762,51762,
2012/05/25 12:30:02.088594,3588.703857,tcp,192.168.0.9,49182,->,68.39.104.225,3080,_SPA,,0,692,769670,0,
2012/05/25 13:30:35.414493,3557.665283,tcp,192.168.0.9,49182,->,68.39.104.225,3080,_PA,,0,165,10092,0,
2012/05/25 13:30:35.416147,3557.273682,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_,0,,206,13180,13180,
2012/05/25 14:30:37.785205,1396.160522,tcp,192.168.0.9,49182,->,68.39.104.225,3080,_PA,,0,72,4506,0,
2012/05/25 14:30:37.790142,1395.752808,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_,0,,94,6048,6048,


The problem in the last output is that the src IP addresses are all the
same. I know for sure that both hosts are sending data, but argus is
showing that all the flows originated in the same IP. What am I doing wrong?

If you look at the TCP Flags, you can see that the flows originating in
192.168.0.9 have the correct flags like "SPA_" and the flows that should be
originating from 68.39.104.225 have the flags "_SPA". So the flags are ok
in the directionality, but not the IP addresses.

Do you know what is happening?


As a side note I saw that the UDP flows do not have this issue.


thanks
sebas


-- 
https://pgp.mit.edu/pks/lookup?op=get&search=0x9D9A358CA10F1601
Attachment: test.pcap (application/vnd.tcpdump.pcap, 888418 bytes)
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20141215/2a5a57dc/attachment.pcap>
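An added example (not from the post, and not argus or ra code): a small Python script that parses the two ra CSV outputs quoted above, applies an assumed heuristic (State flags only to the right of the underscore, such as "_SPA", together with SrcBytes = 0 marks a record that DstAddr actually sent) to put the real sender back into SrcAddr, and cross-checks that the normalised unidirectional byte counts add up to the bidirectional totals.

```python
import csv

# Constructed sample: the ra output quoted in the post, one record per line.
UNI_CSV = """StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2012/05/25 12:30:01.862376,3588.532959,tcp,192.168.0.9,49182,->,68.39.104.225,3080,SPA_,0,,842,51762,51762,
2012/05/25 12:30:02.088594,3588.703857,tcp,192.168.0.9,49182,->,68.39.104.225,3080,_SPA,,0,692,769670,0,
2012/05/25 13:30:35.414493,3557.665283,tcp,192.168.0.9,49182,->,68.39.104.225,3080,_PA,,0,165,10092,0,
2012/05/25 13:30:35.416147,3557.273682,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_,0,,206,13180,13180,
2012/05/25 14:30:37.785205,1396.160522,tcp,192.168.0.9,49182,->,68.39.104.225,3080,_PA,,0,72,4506,0,
2012/05/25 14:30:37.790142,1395.752808,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_,0,,94,6048,6048,
"""
BI_CSV = """StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2012/05/25 12:30:01.862376,3588.929932,tcp,192.168.0.9,49182,->,68.39.104.225,3080,SPA_SPA,0,0,1534,821432,51762,
2012/05/25 13:30:35.414493,3557.665283,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_PA,0,0,371,23272,13180,
2012/05/25 14:30:37.785205,1396.160522,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_PA,0,0,166,10554,6048,
"""

def parse_records(text):
    return list(csv.DictReader(text.splitlines()))

def is_reverse_direction(rec):
    """Assumed heuristic: flags only right of the underscore ("_SPA") and SrcBytes 0
    mean DstAddr actually sent this record, although argus printed the canonical SrcAddr."""
    left, _, right = rec["State"].partition("_")
    return left == "" and right != "" and int(rec["SrcBytes"]) == 0

def normalize(rec):
    """Copy of the record with the real sender in SrcAddr/Sport."""
    r = dict(rec)
    if is_reverse_direction(rec):
        r["SrcAddr"], r["DstAddr"] = rec["DstAddr"], rec["SrcAddr"]
        r["Sport"], r["Dport"] = rec["Dport"], rec["Sport"]
        r["sTos"], r["dTos"] = rec["dTos"], rec["sTos"]
        r["SrcBytes"] = rec["TotBytes"]  # all bytes came from the real sender
    return r

def bytes_sent_by_host(records):
    """Bytes actually transmitted by each host after normalisation."""
    totals = {}
    for r in map(normalize, records):
        totals[r["SrcAddr"]] = totals.get(r["SrcAddr"], 0) + int(r["TotBytes"])
    return totals

def reconcile(uni_records, bi_records):
    """Cross-check: normalised unidirectional bytes must match the bidirectional totals."""
    uni = bytes_sent_by_host(uni_records)
    bi_total = sum(int(r["TotBytes"]) for r in bi_records)
    bi_src = sum(int(r["SrcBytes"]) for r in bi_records)
    return sum(uni.values()) == bi_total and uni.get("192.168.0.9", 0) == bi_src
```

With the quoted records, the normalised unidirectional totals (70990 bytes from 192.168.0.9, 784268 from 68.39.104.225) match the bidirectional TotBytes and SrcBytes sums exactly, which confirms the flags, not the printed addresses, carry the direction.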