Problem with the directionality of flows

el draco eldraco at gmail.com
Tue Dec 16 09:36:20 EST 2014


Thanks Carter! It is almost working. Let me show the output of different
ways of printing the info.

argus.conf is the one using ARGUS_FLOW_TYPE="Bidirectional"
argus.conf.uni is the one using ARGUS_FLOW_TYPE="Unidirectional"

1) Bidirectional and -M uni
argus -F /etc/argus.conf -r test.pcap -w -|ra -n -Z b -r - -F /etc/ra.conf -M uni

StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2012/05/25 12:30:01.862376,3588.532959,tcp,192.168.0.9,49182,->,68.39.104.225,3080,SPA_SPA,0,0,842,51762,51762,
2012/05/25 12:30:02.088594,3588.703857,tcp,68.39.104.225,3080,->,192.168.0.9,49182,SPA_SPA,0,0,692,769670,769670,
2012/05/25 13:30:35.416147,3557.273682,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_PA,0,0,206,13180,13180,
2012/05/25 13:30:35.414493,3557.665283,tcp,68.39.104.225,3080,->,192.168.0.9,49182,PA_PA,0,0,165,10092,10092,
2012/05/25 14:30:37.790142,1395.752808,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_PA,0,0,94,6048,6048,
2012/05/25 14:30:37.785205,1396.160522,tcp,68.39.104.225,3080,->,192.168.0.9,49182,PA_PA,0,0,72,4506,4506,

The directionality is perfect here. But the flags are kind of misleading
right? It looks like there were packets in both directions.


2) Unidirectional and -M nocorrect
argus -F /etc/argus.conf.uni -r test.pcap -w -|ra -n -Z b -r - -F /etc/ra.conf -M nocorrect

StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2012/05/25 12:30:01.862376,3588.532959,tcp,192.168.0.9,49182,->,68.39.104.225,3080,SPA_,0,,842,51762,51762,
2012/05/25 12:30:02.088594,3588.703857,tcp,192.168.0.9,49182,->,68.39.104.225,3080,_SPA,,0,692,769670,0,
2012/05/25 13:30:35.414493,3557.665283,tcp,192.168.0.9,49182,->,68.39.104.225,3080,_PA,,0,165,10092,0,
2012/05/25 13:30:35.416147,3557.273682,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_,0,,206,13180,13180,
2012/05/25 14:30:37.785205,1396.160522,tcp,192.168.0.9,49182,->,68.39.104.225,3080,_PA,,0,72,4506,0,
2012/05/25 14:30:37.790142,1395.752808,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_,0,,94,6048,6048,

-M nocorrect does not seem to be working for the IP addresses, but it does for
the flags.

3) Unidirectional and -M uni
argus -F /etc/argus.conf.uni -r test.pcap -w -|ra -n -Z b -r - -F /etc/ra.conf -M uni

StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2012/05/25 12:30:01.862376,3588.532959,tcp,192.168.0.9,49182,->,68.39.104.225,3080,SPA_,0,,842,51762,51762,
2012/05/25 12:30:02.088594,3588.703857,tcp,68.39.104.225,3080,->,192.168.0.9,49182,SPA_,0,,692,769670,769670,
2012/05/25 13:30:35.414493,3557.665283,tcp,68.39.104.225,3080,->,192.168.0.9,49182,PA_,0,,165,10092,10092,
2012/05/25 13:30:35.416147,3557.273682,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_,0,,206,13180,13180,
2012/05/25 14:30:37.785205,1396.160522,tcp,68.39.104.225,3080,->,192.168.0.9,49182,PA_,0,,72,4506,4506,
2012/05/25 14:30:37.790142,1395.752808,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_,0,,94,6048,6048,

This looks like the best option. The IP addresses are ok and the flags are ok
too.


4) Bidirectional with -M nocorrect
argus -F /etc/argus.conf -r test.pcap -w -|ra -n -Z b -r - -F /etc/ra.conf -M nocorrect

StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2012/05/25 12:30:01.862376,3588.929932,tcp,192.168.0.9,49182,->,68.39.104.225,3080,SPA_SPA,0,0,1534,821432,51762,
2012/05/25 13:30:35.414493,3557.665283,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_PA,0,0,371,23272,13180,
2012/05/25 14:30:37.785205,1396.160522,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_PA,0,0,166,10554,6048,

This one does not seem to be working.


Also, looking at the code of argus-clients-latest.tar.gz (md5
f9483eb602446c2cc53b919e990bfedf) I see that -M nocorrect is only
implemented in ratop and racluster. Am I correct, Carter?


Thanks a lot for the great work!
sebas

-- 
https://pgp.mit.edu/pks/lookup?op=get&search=0x9D9A358CA10F1601
-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus.conf
Type: application/octet-stream
Size: 20579 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20141216/549b1bdd/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus.conf.uni
Type: audio/x-mod
Size: 20579 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20141216/549b1bdd/attachment.bin>
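The relationship between run 3 (unidirectional, -M uni) and run 4 (bidirectional) above can be checked mechanically: each bidirectional record should be the sum of the two opposite-direction records for the same 5-tuple, oriented so the host that opened the connection is SrcAddr. The following is an added example, not code from the post or from the argus project; it parses the run 3 records (re-joined onto one line each, embedded here as constructed sample input), pairs them by 5-tuple and start-time proximity, and emits bidirectional summaries. The pairing window (5 s) and the orientation rule (earliest record of the first interval decides the initiator; later intervals reuse that orientation) are assumptions of this example, not argus's own logic. Note that the timestamp alone would get the 13:30 and 14:30 intervals backwards, since the responder's status record starts a few milliseconds earlier there, which is why the orientation is remembered per 5-tuple.

```python
"""Pair argus unidirectional flow records (ra -M uni CSV output) into
bidirectional records and compare them with a bidirectional run."""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample input: the six records of run 3 (argus.conf.uni, -M uni),
# joined onto one line each.  The trailing comma is the empty Label field.
UNI_CSV = """\
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2012/05/25 12:30:01.862376,3588.532959,tcp,192.168.0.9,49182,->,68.39.104.225,3080,SPA_,0,,842,51762,51762,
2012/05/25 12:30:02.088594,3588.703857,tcp,68.39.104.225,3080,->,192.168.0.9,49182,SPA_,0,,692,769670,769670,
2012/05/25 13:30:35.414493,3557.665283,tcp,68.39.104.225,3080,->,192.168.0.9,49182,PA_,0,,165,10092,10092,
2012/05/25 13:30:35.416147,3557.273682,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_,0,,206,13180,13180,
2012/05/25 14:30:37.785205,1396.160522,tcp,68.39.104.225,3080,->,192.168.0.9,49182,PA_,0,,72,4506,4506,
2012/05/25 14:30:37.790142,1395.752808,tcp,192.168.0.9,49182,->,68.39.104.225,3080,PA_,0,,94,6048,6048,
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S.%f"


def parse_ra_csv(text):
    """Parse ra CSV output; adds parsed start time and duration to each row."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["_start"] = datetime.strptime(r["StartTime"], TIME_FMT)
        r["_dur"] = float(r["Dur"])
    return rows


def flow_key(r):
    """Direction-independent 5-tuple: protocol plus the two sorted endpoints."""
    ends = sorted([(r["SrcAddr"], r["Sport"]), (r["DstAddr"], r["Dport"])])
    return (r["Proto"], ends[0], ends[1])


def merge(a, b, initiator):
    """Combine two opposite-direction records (b may be None) into one
    bidirectional record oriented with the connection initiator as SrcAddr.
    `initiator` maps a flow_key to the (addr, port) that opened the connection
    and is filled in the first time a key is seen (assumed heuristic)."""
    k = flow_key(a)
    recs = [a] if b is None else [a, b]
    src = min(recs, key=lambda r: r["_start"])          # earliest if unknown
    if k in initiator:
        src = next((r for r in recs
                    if (r["SrcAddr"], r["Sport"]) == initiator[k]), src)
    else:
        initiator[k] = (src["SrcAddr"], src["Sport"])
    dst = next((r for r in recs if r is not src), None)
    start = min(r["_start"] for r in recs)
    end = max((r["_start"] - start).total_seconds() + r["_dur"] for r in recs)
    # A unidirectional State such as "SPA_" carries only the sender's flags.
    flags = lambda r: "" if r is None else r["State"].split("_")[0]
    return {
        "StartTime": start.strftime(TIME_FMT),
        "Dur": round(end, 6),
        "Proto": a["Proto"],
        "SrcAddr": src["SrcAddr"], "Sport": src["Sport"],
        "DstAddr": src["DstAddr"], "Dport": src["Dport"],
        "State": f"{flags(src)}_{flags(dst)}",
        "TotPkts": sum(int(r["TotPkts"]) for r in recs),
        "TotBytes": sum(int(r["TotBytes"]) for r in recs),
        "SrcBytes": int(src["TotBytes"]),
    }


def pair_flows(records, window=5.0):
    """Pair unidirectional records whose 5-tuples match in opposite
    directions and whose start times lie within `window` seconds."""
    records = sorted(records, key=lambda r: r["_start"])
    initiator, waiting, out = {}, {}, []
    for r in records:
        bucket = waiting.setdefault(flow_key(r), [])
        partner = next((p for p in bucket
                        if (p["SrcAddr"], p["Sport"]) != (r["SrcAddr"], r["Sport"])
                        and (r["_start"] - p["_start"]).total_seconds() <= window),
                       None)
        if partner is None:
            bucket.append(r)
            continue
        bucket.remove(partner)
        out.append(merge(partner, r, initiator))
    for bucket in waiting.values():               # one-sided flows stay one-sided
        out.extend(merge(r, None, initiator) for r in bucket)
    return sorted(out, key=lambda x: x["StartTime"])


def bidirectional_summary():
    """Bidirectional records derived from the constructed run 3 sample."""
    return pair_flows(parse_ra_csv(UNI_CSV))


if __name__ == "__main__":
    for rec in bidirectional_summary():
        print(",".join(str(rec[f]) for f in ("StartTime", "Dur", "Proto", "SrcAddr",
                                              "Sport", "DstAddr", "Dport", "State",
                                              "TotPkts", "TotBytes", "SrcBytes")))
```

Running it reproduces the SrcAddr, State, TotPkts, TotBytes and SrcBytes columns of the three run 4 records (1534/821432/51762, 371/23272/13180, 166/10554/6048); Dur is computed as the span from the earliest start to the latest end of the pair, so it agrees with run 4 only to float rounding.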
