concept of flow in Argus

Carter Bullard carter at qosient.com
Tue Dec 23 11:12:24 EST 2014


Hey Rahimeh,
The wikipedia article 'Traffic flow (computer networking)' is overly simple, and could be improved.

Neither RFC 2722, 3697 nor 3917 provide reasonable definitions of traffic flow. Traffic flows don’t have to be uni-directional, they don’t have to be originated/labeled by a specific source, i.e. aggregate flows between CIDR addresses, nor are flows just related to network activity at the transport level (TCP/UDP) or the network level (IP), as you can have flows within and across any level of the OSI stack.  

For some private networks, where destination addresses are not host identifiers, but rather anycast identifiers for services, or where addresses are abstract GUID’s used for large distributed index systems, flows are really a constraint imposed by the equipment that processes the traffic.  The entire SDN (software defined network) effort is designed to give you the ability to extend the concept of network flow to whatever you need it to be, to get the job done.

Argus has 14 abstract flow models that it uses to classify packets into flows.  We have 3,4,5,6 and 7-tuple flows for specific protocols, we have flows that include identifiers from many layers of the OSI stack, plus, we have a number of P1/P2 flows, where the packet identifiers (src, dst, proto, ports) are not the same.  P1/P2 flows are critical for tracking multicast request, unicast response flows such as DHCP or ARP, as examples, or for tracking traffic flow status when ICMP packets are generated by the network or the end system.

I don’t think Argus can be wrong, it just has its own way of defining network traffic flow.  But, if it’s important, you can configure Argus to generate flow data that conforms to any of the RFC definitions of flow.  I, personally, haven’t found those definitions to be very helpful, when trying to do something, like catch bad guys, or fix the network.

Hope this is helpful !!!

Carter


> On Dec 22, 2014, at 5:37 PM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
> 
> hi, 
> I have a question about flow generation by Argus.
> In Wikipedia it has been written that "All packets with the same source address/port and destination address/port within a time period are considered as one flow."
> 
> On the contrary, in Argus it is not so, because of its features such as sbytes, dbytes, total bytes; it means that network flow in Argus is done in 2 ways ???
> 
> Is Argus wrong?
> 
> 
> Thanks in advance,
> Rahimeh
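The difference the thread is about, shown as an added example that is not Argus code and not Carter's or Rahimeh's: the same constructed packet records grouped the Wikipedia/RFC way (one record per direction, keyed on the source/destination address/port/protocol tuple within an idle window) and grouped the way a bidirectional flow record works, where both directions share one record and per-direction counters (named sbytes/dbytes here to match the thread) accumulate separately. The packet records, the 60-second idle timeout, the rule that the first packet seen defines the "src" side, and the canonical key built by sorting the two endpoint tuples are all simplifying assumptions of this illustration; Argus's 14 flow models and its direction logic are more elaborate than this.

```python
"""Added illustration (not Argus code): unidirectional 5-tuple flows versus
bidirectional flows carrying per-direction counters (sbytes/dbytes).

All packet records below are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # arrival time in seconds (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int     # bytes on the wire


@dataclass
class BiFlow:
    """One record for both directions; 'src' is the side that sent the first packet
    (an assumption of this example, not Argus's actual direction logic)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    start: float
    last: float
    spkts: int = 0
    dpkts: int = 0
    sbytes: int = 0
    dbytes: int = 0


IDLE_TIMEOUT = 60.0  # assumed idle gap that closes a flow and starts a new one


def uni_key(p: Packet) -> tuple:
    return (p.src, p.sport, p.dst, p.dport, p.proto)


def unidirectional_flows(packets, idle_timeout=IDLE_TIMEOUT):
    """RFC/Wikipedia-style: packets sharing src/dst addr+port+proto within a window.
    Each direction of a TCP exchange becomes its own record."""
    active, closed = {}, []
    for p in sorted(packets, key=lambda p: p.ts):
        k = uni_key(p)
        f = active.get(k)
        if f is not None and p.ts - f["last"] > idle_timeout:
            closed.append(f)          # idle too long: retire the old record
            f = None
        if f is None:
            f = {"key": k, "start": p.ts, "last": p.ts, "pkts": 0, "bytes": 0}
            active[k] = f
        f["last"] = p.ts
        f["pkts"] += 1
        f["bytes"] += p.length
    return closed + list(active.values())


def bidirectional_flows(packets, idle_timeout=IDLE_TIMEOUT):
    """Bidirectional: the exchange A->B plus B->A is one record.
    The key ignores direction by taking the lexically smaller of the two
    orderings of the endpoints, so both directions map to the same entry."""
    active, closed = {}, []
    for p in sorted(packets, key=lambda p: p.ts):
        fwd = uni_key(p)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        key = min(fwd, rev)
        f = active.get(key)
        if f is not None and p.ts - f.last > idle_timeout:
            closed.append(f)
            f = None
        if f is None:
            f = BiFlow(p.src, p.sport, p.dst, p.dport, p.proto, p.ts, p.ts)
            active[key] = f
        f.last = p.ts
        if (p.src, p.sport) == (f.src, f.sport):   # same direction as first packet
            f.spkts += 1
            f.sbytes += p.length
        else:                                       # the reply direction
            f.dpkts += 1
            f.dbytes += p.length
    return closed + list(active.values())


# Constructed sample: a short TCP exchange, a DNS query/response, and one more
# TCP packet long after the idle timeout so the flow splits.
SAMPLE_PACKETS = [
    Packet(0.00, "10.0.0.5", 40000, "198.51.100.10", 443, "tcp", 74),
    Packet(0.01, "198.51.100.10", 443, "10.0.0.5", 40000, "tcp", 74),
    Packet(0.02, "10.0.0.5", 40000, "198.51.100.10", 443, "tcp", 66),
    Packet(0.05, "10.0.0.5", 40000, "198.51.100.10", 443, "tcp", 500),
    Packet(0.08, "198.51.100.10", 443, "10.0.0.5", 40000, "tcp", 1500),
    Packet(0.09, "198.51.100.10", 443, "10.0.0.5", 40000, "tcp", 1200),
    Packet(1.00, "10.0.0.5", 51000, "10.0.0.1", 53, "udp", 60),
    Packet(1.02, "10.0.0.1", 53, "10.0.0.5", 51000, "udp", 120),
    Packet(200.0, "10.0.0.5", 40000, "198.51.100.10", 443, "tcp", 66),
]

if __name__ == "__main__":
    print(len(unidirectional_flows(SAMPLE_PACKETS)), "unidirectional records")
    for f in bidirectional_flows(SAMPLE_PACKETS):
        print(f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
              f"spkts={f.spkts} sbytes={f.sbytes} dpkts={f.dpkts} dbytes={f.dbytes}")
```

Running it on the constructed packets gives five unidirectional records but only three bidirectional ones, and the first TCP record carries 640 bytes in the sbytes direction and 2774 in the dbytes direction, which is exactly the kind of per-direction accounting the question noticed in Argus output.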
