concept of flow in Argus
John Gerth
gerth at graphics.stanford.edu
Mon Dec 22 21:14:59 EST 2014
On 12/22/14 2:37 PM, Rahimeh Khodadadi wrote:
> hi,
> I have a question about a flow generation by Argus.
> In Wikipedia it has been written that "All packets with the same source address/port and destination address/port within a time period are considered as
> one flow."
>
> On the contrary, in Argus it is not, because of its features such as sbytes, dbytes, total bytes; it means that network flow in Argus is done in 2 ways???
>
> Is Argus wrong?
>
>
> Thanks in advance,
> Rahimeh
>
There isn't a single, standard definition of what constitutes a network flow.
Although some flows, such as broadcasts, only occur in one direction, the vast
majority of flows are about communication between two entities and so information
is exchanged in both directions. As an analyst, I'm far more interested in
communication than broadcasts so I like to think of flows as bi-directional.
Anyway, some flow monitoring systems emit only uni-directional flows. When I use
those, my very first task is to combine them back into bi-directional flows for
analysis. Argus, however, emits bi-directional flow records when it observes
two-way traffic which simplifies my life immensely.
The quote you mention in the English Wikipedia article on network flows:
http://en.wikipedia.org/wiki/Traffic_flow_%28computer_networking%29
is followed by this one:
"Since UDP is uni-directional, it causes one flow. ICMP is bi-directional, so it causes two flows."
which reveals that the author defines "flow" as necessarily uni-directional and also that the author
really doesn't understand either UDP or ICMP.
Fortunately, the article's first reference in the footnotes is to Argus.
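The merge step John describes above (folding a uni-directional flow export back into bi-directional records with separate source/destination counters, the way Argus reports them) as an added Python example. This is not Argus code and not from the original post: the input record layout, the 60 second idle timeout, the rule that the first-seen side of a conversation is the "source", the field names (borrowed from ra(1)'s sbytes/dbytes/spkts/dpkts naming), and the sample flow records are all this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed uni-directional flow records (not a real capture). Layout assumed by
# this example: (start_ts, proto, saddr, sport, daddr, dport, pkts, bytes)
UniFlow = Tuple[float, str, str, int, str, int, int, int]
UNI_FLOWS: List[UniFlow] = [
    (1419278000.0, "tcp", "10.0.0.5", 40123, "192.0.2.10", 443, 12, 1800),   # client -> server
    (1419278000.1, "tcp", "192.0.2.10", 443, "10.0.0.5", 40123, 10, 9600),   # server -> client
    (1419278005.0, "udp", "10.0.0.5", 5353, "224.0.0.251", 5353, 3, 300),    # mDNS multicast, one-way
    (1419278010.0, "udp", "10.0.0.7", 53001, "10.0.0.1", 53, 1, 70),         # DNS query
    (1419278010.0, "udp", "10.0.0.1", 53, "10.0.0.7", 53001, 1, 150),        # DNS answer
    (1419278300.0, "tcp", "10.0.0.5", 40123, "192.0.2.10", 443, 2, 120),     # same 5-tuple, 300 s later
]


@dataclass
class BiFlow:
    """One bi-directional flow record; field names follow Argus's ra(1) output."""
    stime: float
    ltime: float
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    spkts: int = 0
    dpkts: int = 0
    sbytes: int = 0
    dbytes: int = 0

    @property
    def tbytes(self) -> int:
        return self.sbytes + self.dbytes

    @property
    def dir(self) -> str:
        # Argus prints "<->" when both sides were seen and "->" for one-way traffic.
        return "<->" if self.dpkts else "->"


def canonical_key(proto: str, saddr: str, sport: int, daddr: str, dport: int) -> tuple:
    """Direction-independent key: both directions of a conversation map to the same key."""
    a, b = (saddr, sport), (daddr, dport)
    return (proto,) + (a + b if a <= b else b + a)


def merge_bidirectional(records: List[UniFlow], idle_timeout: float = 60.0) -> List[BiFlow]:
    """Fold uni-directional records into bi-directional ones.

    Records are processed in start-time order. The first record seen for a key
    defines the flow's source side (assumption: the initiator is exported first).
    A record for a key whose flow has been idle longer than idle_timeout starts a
    new flow, so port reuse is not merged into an old conversation.
    """
    active: Dict[tuple, BiFlow] = {}
    finished: List[BiFlow] = []
    for ts, proto, saddr, sport, daddr, dport, pkts, nbytes in sorted(records, key=lambda r: r[0]):
        key = canonical_key(proto, saddr, sport, daddr, dport)
        flow = active.get(key)
        if flow is not None and ts - flow.ltime > idle_timeout:
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            flow = BiFlow(ts, ts, proto, saddr, sport, daddr, dport)
            active[key] = flow
        flow.ltime = max(flow.ltime, ts)
        if (saddr, sport) == (flow.saddr, flow.sport):
            flow.spkts += pkts
            flow.sbytes += nbytes
        else:
            flow.dpkts += pkts
            flow.dbytes += nbytes
    finished.extend(active.values())
    finished.sort(key=lambda f: f.stime)
    return finished


if __name__ == "__main__":
    for f in merge_bidirectional(UNI_FLOWS):
        print(f"{f.stime:.1f} {f.proto} {f.saddr}:{f.sport} {f.dir} {f.daddr}:{f.dport} "
              f"spkts={f.spkts} dpkts={f.dpkts} sbytes={f.sbytes} dbytes={f.dbytes} tbytes={f.tbytes}")
```

The multicast record never gets a reverse-direction partner, so it stays a "->" record with dpkts and dbytes at zero, while the TCP and DNS exchanges collapse into single "<->" records whose sbytes/dbytes split is exactly the per-direction information a uni-directional exporter scatters across two records. The idle timeout is what keeps the later reuse of the same client port from being absorbed into the earlier session; pick it to match the exporter's own flow expiry.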