concept of flow in Argus
el draco
eldraco at gmail.com
Mon Dec 22 22:11:12 EST 2014
To complement John's answer, it can be added that, besides the
directionality, most flow standards also define a flow using:
- Protocol.
- A timeout for each protocol.
- A flow report time, which Argus calls ARGUS_FLOW_STATUS_INTERVAL.
Together with the srcIP, srcport, dstIP and dstport, all these values
impact what you see as output when flows are generated.
sebas
On Mon, Dec 22, 2014 at 11:14 PM, John Gerth <gerth at graphics.stanford.edu>
wrote:
>
> On 12/22/14 2:37 PM, Rahimeh Khodadadi wrote:
> > hi,
> > I have a question about flow generation by Argus.
> > In Wikipedia it has been written that "All packets with the same source
> > address/port and destination address/port within a time period are
> > considered as one flow."
> >
> > On the contrary, in Argus it is not so, because of its features such as
> > sbytes, dbytes, total bytes; does it mean that a network flow in Argus is
> > done in two ways???
> >
> > Is Argus wrong?
> >
> >
> > Thanks in advance,
> > Rahimeh
> >
> There isn't a single, standard definition of what constitutes a network
> flow. Although some flows, such as broadcasts, only occur in one direction,
> the vast majority of flows are about communication between two entities, and
> so information is exchanged in both directions. As an analyst, I'm far more
> interested in communication than broadcasts, so I like to think of flows as
> bi-directional.
>
> Anyway, some flow monitoring systems emit only uni-directional flows. When I
> use those, my very first task is to combine them back into bi-directional
> flows for analysis. Argus, however, emits bi-directional flow records when
> it observes two-way traffic, which simplifies my life immensely.
>
> The quote you mention in the English Wikipedia article on network flows:
> http://en.wikipedia.org/wiki/Traffic_flow_%28computer_networking%29
> is followed by this one:
> "Since UDP is uni-directional, it causes one flow. ICMP is
> bi-directional, so it causes two flows."
>
> which reveals that the author defines "flow" as necessarily
> uni-directional, and also that the author really doesn't understand either
> UDP or ICMP.
>
> Fortunately, the article's first reference in the footnotes is to Argus.
>
--
https://pgp.mit.edu/pks/lookup?op=get&search=0x9D9A358CA10F1601
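The following Python sketch is an added example (not Argus source, and not code from anyone on this thread) that puts together the points made above: a flow keyed by protocol plus both endpoints, ordered so that packets in either direction land in the same bi-directional record with separate sbytes/dbytes counters (John's point), a per-protocol idle timeout, and a periodic status interval playing the role sebas describes for ARGUS_FLOW_STATUS_INTERVAL. The timeout and interval values, the record fields and cause names, the class and function names, and the packet data are all assumptions constructed for this example; they are not Argus defaults or Argus field semantics.

```python
"""Toy bidirectional flow aggregator (added example, not Argus code).
A flow is keyed by protocol plus both endpoints, ordered so either direction
hits the same record; each protocol has an idle timeout; a status interval (the
role ARGUS_FLOW_STATUS_INTERVAL plays in Argus) emits partial records while the
flow lives.  Timeouts, field/cause names and packets are constructed here."""
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Tuple

Packet = namedtuple("Packet", "ts proto src sport dst dport length")
IDLE_TIMEOUT = {"tcp": 60.0, "udp": 30.0}  # assumed per-protocol timeouts, seconds
STATUS_INTERVAL = 10.0                     # assumed report interval, seconds

@dataclass
class Flow:
    proto: str
    src: str      # initiator: source address of the first packet seen
    sport: int
    dst: str
    dport: int
    start: float  # start of the current reporting window
    last: float   # timestamp of the most recent packet
    spkts: int = 0
    dpkts: int = 0
    sbytes: int = 0
    dbytes: int = 0

    def add(self, p: Packet) -> None:
        # Count the packet in the src->dst or the dst->src direction.
        if (p.src, p.sport) == (self.src, self.sport):
            self.spkts, self.sbytes = self.spkts + 1, self.sbytes + p.length
        else:
            self.dpkts, self.dbytes = self.dpkts + 1, self.dbytes + p.length
        self.last = p.ts

    def record(self, cause: str, end: float) -> dict:
        # Snapshot of the current window's counters plus the reason for emitting.
        return {"cause": cause, "end": end, "bytes": self.sbytes + self.dbytes, **vars(self)}

    def reset_window(self, ts: float) -> None:
        # A status record covers only the interval since the previous report.
        self.start, self.spkts, self.dpkts, self.sbytes, self.dbytes = ts, 0, 0, 0, 0

def flow_key(p: Packet) -> Tuple[str, str, int, str, int]:
    # Direction-independent key: the lower (addr, port) pair always comes first.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (p.proto, lo[0], lo[1], hi[0], hi[1])

class FlowTable:
    def __init__(self, status_interval=STATUS_INTERVAL, timeouts=IDLE_TIMEOUT):
        self.status_interval, self.timeouts = status_interval, timeouts
        self.active: Dict[tuple, Flow] = {}
        self.records: List[dict] = []

    def _close(self, key: tuple, cause: str) -> None:
        f = self.active.pop(key)
        if f.spkts + f.dpkts:  # a final record only if anything is still unreported
            self.records.append(f.record(cause, f.last))

    def _expire(self, now: float) -> None:
        # Time is driven by packet timestamps, so reports align with arrivals.
        for key, f in list(self.active.items()):
            if now - f.last >= self.timeouts.get(f.proto, 60.0):
                self._close(key, "TIMEOUT")
            elif now - f.start >= self.status_interval:
                if f.spkts + f.dpkts:
                    self.records.append(f.record("STATUS", now))
                f.reset_window(now)

    def process(self, p: Packet) -> None:
        self._expire(p.ts)
        key = flow_key(p)
        if key not in self.active:
            self.active[key] = Flow(p.proto, p.src, p.sport, p.dst, p.dport, p.ts, p.ts)
        self.active[key].add(p)

    def flush(self) -> List[dict]:
        for key in list(self.active):  # end of capture: close whatever is open
            self._close(key, "STOP")
        return self.records

# Constructed sample traffic: a TCP session, a DNS exchange and a one-way
# multicast packet that never gets a reply (the "broadcast" case).
SAMPLE_PACKETS = [
    Packet(0.0, "tcp", "10.0.0.5", 51000, "192.0.2.10", 443, 60),
    Packet(0.1, "tcp", "192.0.2.10", 443, "10.0.0.5", 51000, 60),
    Packet(0.5, "udp", "10.0.0.5", 53012, "192.0.2.53", 53, 70),
    Packet(0.6, "udp", "192.0.2.53", 53, "10.0.0.5", 53012, 150),
    Packet(1.0, "udp", "10.0.0.5", 5353, "224.0.0.251", 5353, 90),
    Packet(6.0, "tcp", "10.0.0.5", 51000, "192.0.2.10", 443, 500),
    Packet(6.3, "tcp", "192.0.2.10", 443, "10.0.0.5", 51000, 2800),
    Packet(45.0, "tcp", "10.0.0.5", 51000, "192.0.2.10", 443, 52),
]

def run_sample(packets: List[Packet] = SAMPLE_PACKETS) -> List[dict]:
    table = FlowTable()
    for p in packets:
        table.process(p)
    return table.flush()
```

On the constructed packets this produces four records: a STATUS record for the TCP session once 10 s have elapsed since its first packet (both directions counted in one record, sbytes and dbytes separate), TIMEOUT records for the two UDP flows once they have sat idle for 30 s (the one-way multicast flow shows dpkts and dbytes of 0, which is what the broadcast case John mentions looks like in a bi-directional record), and a final STOP record carrying only what the TCP session sent after its status report. Because each status record covers just its own window, the same per-protocol timeout and report interval will change what the output looks like for identical traffic, which is sebas's point.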