Basic question regarding how flows are build.
Carter Bullard
carter at qosient.com
Wed Jan 8 15:53:00 EST 2014
Hey Sebas,
Cool, if you find something interesting, holler !!!
Carter
On Jan 8, 2014, at 3:50 PM, el draco <eldraco at gmail.com> wrote:
> Thanks a lot John and Carter. I totally forgot about the reporting
> status interval!
>
> For the offline analysis of the flows, it is better for me to have a
> very large status interval. Now I have what I was expecting.
>
> Racluster is not an option for my research because my model is using
> the time differences between flows to compute the periodicity of the
> connection. And the times between flows are lost in racluster.
> I know there are inter-packet arrival statistics and at some point I
> though about having inter-flows arrival statistics in racluster,
> however having only the average and mean of these times is not enough
> for me. I'm working on a model that uses all the time differences and
> then it models the behavior of the connection.
>
> Thanks again for your help! Argus is the best tool for this.
> sebas
>
> On Wed, Jan 8, 2014 at 5:13 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Sebas,
>> You are generating multiple 5 second status reports for the same flow.
>>
>> You can change the status interval, using the “-S <secs>” option, or
>> you can aggregate the multiple status reports using racluster().
>>
>> argus -r pcap.file -S 60 -w - | ra
>> argus -r pcap.file -w - | racluster
>>
>> If you want infinite interval, just use a very large number for -S.
>>
>> The flow status interval is the basis for argus flow generation,
>> and it provides a deterministic behavior for flow reporting
>> regardless of the flow. It allows the sensor output to be sorted
>> in time, and it removes the requirement that the sensor respond
>> to the state of traffic on the wire (very important) !!!!
>>
>> This strategy also allows you to realize very early that a flow
>> is in the network, and it provides periodic indications of its
>> presence, when you want to build real-time applications around
>> live sensor data. It sure does beat having to wait until a
>> flow is closed to get a report (which could take months).
>>
>> The advantages of getting multiple records per flow far outweighs
>> the shortcomings of trying to cache variable duration flows and
>> report only when they are done, in the sensor.
>>
>> Post processing the sensor output to generate the output you want
>> scales in performance and function. At least that is why it is
>> the way that it is.
>>
>>
>> Carter
>>
>>
>> On Jan 8, 2014, at 9:38 AM, el draco <eldraco at gmail.com> wrote:
>>
>> Hi list, first of all Happy new year to you all!
>>
>> I have been analyzing some botnet traffic lately and I come across a
>> simple question that I was not able to answer myself. Maybe you can
>> help me.
>>
>> I had a simple tcp connection that is encrypted (attached test.pcap).
>> If you look at it with wireshark and you search for Connections, you
>> will see only one connection.
>>
>> Even if you use tools like tcpflow, it will find 2 flows. One for each
>> direction.
>>
>> However, using latest argus 3.0.7.5 and latest argus-clients 3.0.7.18,
>> it will find 15 bidirectional flows:
>>
>> StartTime,Dur,Label,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes
>> 1970/02/16 02:58:09.809464,3.966546,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,SPA_SPA,0,0,38,24813
>> 1970/02/16 02:58:15.153867,4.980870,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,A_PA,0,0,19,19458
>> 1970/02/16 02:58:20.469524,4.854012,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,A_PA,0,0,54,45924
>> 1970/02/16 02:58:25.518589,3.926445,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,A_PA,0,0,43,33042
>> 1970/02/16 02:58:30.823824,4.604630,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,A_PA,0,0,53,44886
>> 1970/02/16 02:58:36.259177,4.311461,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,A_PA,0,0,68,49712
>> 1970/02/16 02:58:41.263806,4.964994,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,A_PA,0,0,57,44038
>> 1970/02/16 02:58:46.597238,4.228112,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,A_PA,0,0,77,59454
>> 1970/02/16 02:58:51.967958,3.855925,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,A_PA,0,0,43,38526
>> 1970/02/16 02:58:57.525492,4.545178,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,A_PA,0,0,52,45816
>> 1970/02/16 02:59:02.704674,4.825829,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,A_PA,0,0,87,68846
>> 1970/02/16 02:59:07.732428,4.602490,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,A_PA,0,0,87,68914
>> 1970/02/16 02:59:12.884814,4.989438,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,A_PA,0,0,83,67242
>> 1970/02/16 02:59:17.902786,4.494702,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,A_PA,0,0,81,62886
>> 1970/02/16 02:59:23.103462,0.371401,,tcp,10.0.2.106,59540,
>> ->,151.233.138.31,9338,FPA_FA,0,0,6,328
>>
>> Do you know what is happening? Why argus is seeing so many flows here?
>>
>> I'm attaching also both configurations so you can try it. I also tried
>> with default configurations and is the same.
>>
>> What is special in this botnet traffic that is causing this?
>>
>> This was giving me some trouble since I was counting the amount of
>> flows on each connection when I realized this.
>>
>> Thanks in advance!
>> sebas
>> <test.pcap><test.biargus><argus.conf><ra.conf>
>>
>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140108/dc5c7bad/attachment.sig>
More information about the argus
mailing list