Under what circumstances will an ICMP flow with state ECO return dbytes of 0?

Chas DiFatta chas at difatta.org
Fri Jan 3 15:35:28 EST 2014 

Hey Matt,

If the destination host has a local FW policy where it drops all responses to ECO then you’ll never see it.  Obviously this is true if a device is protecting it (FW, IPS, SW, LB, NAT, etc.).  The only way that I know to “discover its liveliness” is,

passive:
	- observe it’s behavioral profile for other types of flows (not just ICMP)
		- directly from the node in question
			- you “may” wish to change your observation point closer to the edge of the network
			- if policy permits, begin to look into the user portion of the data for hints about the host in question to at least build a use profile, then begin to track less intrusive methods that you can correlate.
		- indirectly:
			- if you have access to other types of diagnostic information (e.g. such as DNS requests from the nodes pri/sec nameserver) 
			- through your observations you can understand the network behavior and can attribute an anomaly when the host in question is active
				- e.g. this host sends mail on average 4 times/hr
active:
	- don’t just use ICMP but other protocols
	- correlate any active probes with passive responses
	- note: the probes don’t have to come from your administrative domain
	- if you have administrative control of the node in question, create a beacon network request that executes in a deterministic way
		- e.g. the node in question does a http: request to www.google.com/foo every hour at 43+ min.

My two cents...

	…cd

On Jan 3, 2014, at 11:34 AM, Matt Brown <matthewbrown at gmail.com> wrote:

> Hello again,
> 
> I am investigating how to use argus for "node liveliness detection."
> 
> Considering leveraging ra() as:
> 
> ra -S 127.0.0.1:561 -s ltime stime daddr sport sbytes dbytes flgs state - icmp
> 
> I see dbytes can be 0 when the state of a flow is ECO.
> 
> Why would this be?
> 
> 
> I have covered this question thoroughly on the network engineering
> stackexchange: http://networkengineering.stackexchange.com/q/5683
> 
> 
> I think this is my last question for the day!
> 
> 
> Thanks,
> 
> Matt
> 
> 
> 
> Any assistance is appreciated.
> 
> 
> Thanks,
> 
> Matt

More information about the argus mailing list