Help needed to interpret how flows are reported. Probably IPs are being swapped.

el draco eldraco at gmail.com
Fri Jul 17 10:18:12 EDT 2015


Hi Carter. Hope you are fine.

> When you have what you think is a bug, if you can provide packet files,
> flow files, and configuration, so that I can replicate it here.  If I
> can replicate the problem, then I should be able to fix it.
Yes, I know, but since the files were sent before, I didn't want to
send them again. Maybe I failed to link them properly. I will fix
that now.

> Yes, your first experiment indicates that the ARGUS_TCP_TIMEOUT variable
> isn’t working, and that is a bug.  I’ve fixed that today, and it behaves
> as we would expect
I'm checking the experiments in this email. It looks like the issue is
not solved yet; can it be? I'm not sure whether you changed something
in the code or not.
I'm using
f3a58f4a5d618ed90c70f54abe3039d3  argus-latest.tar.gz
f9483eb602446c2cc53b919e990bfedf  argus-clients-latest.tar.gz

I only show you two experiments:
- 1 Experiment (ra)
ARGUS_TCP_TIMEOUT=9999999, ARGUS_FLOW_STATUS_INTERVAL=5
argus -F ./argus.conf -r 2015-04-22_capture-win4.pcap -w 2015-04-22_capture-win4.biargus
ra -n -Z b -r 2015-04-22_capture-win4.biargus -F ./ra.conf - "port 5552 and port 49227" > 2015-04-22_capture-win4.binetflow

The flows are still changing:
1970/01/01 02:10:41.619950,4.335007,tcp,10.0.2.104,49227,->,147.32.83.57,5552,PA_PA,0,0,6,332,112
1970/01/01 02:14:24.224735,4.880939,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_PA,0,0,7,426,254


- 2 Experiment (racluster)
ARGUS_TCP_TIMEOUT=9999999, ARGUS_FLOW_STATUS_INTERVAL=5
argus -F ./argus.conf -r 2015-04-22_capture-win4.pcap -w 2015-04-22_capture-win4.biargus
racluster -n -Z b -r 2015-04-22_capture-win4.biargus -F ./ra.conf - "port 5552 and port 49227" > 2015-04-22_capture-win4.racluster

The flows are still changing:
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes
1970/01/01 02:14:24.224735,239131.593750,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_RPA,0,0,11741,784197,556855
1970/01/01 02:00:17.462571,577733.437500,tcp,10.0.2.104,49227,->,147.32.83.57,5552,FSPA_FSPA,0,0,3026,470659,296984

Thanks for your time on this.
Sebas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Argus-test.tar.bz2
Type: application/x-bzip2
Size: 4810352 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150717/3902f5e3/attachment.bin>
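The records quoted in the message above show the same 10.0.2.104:49227 <-> 147.32.83.57:5552 connection reported once with the client as source and once with the server as source (direction "<?>"). The following is an added example, not code from the message or from the Argus project: it parses ra/racluster CSV output with the header shown in the second experiment, keys each record by an order-independent (proto, endpoint, endpoint) tuple, and reports connections that appear under more than one source/destination ordering or with an unknown direction. The sample records are the four lines quoted above, embedded here as constructed input; the function names are this example's own.

```python
"""Find Argus flow records whose source/destination were reported in both orderings.

Input: CSV as printed by `ra`/`racluster` with the header
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

HEADER = ("StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,"
          "sTos,dTos,TotPkts,TotBytes,SrcBytes")

# Constructed sample: the four records quoted in the e-mail, one per line.
SAMPLE = HEADER + "\n" + "\n".join([
    "1970/01/01 02:10:41.619950,4.335007,tcp,10.0.2.104,49227,->,147.32.83.57,5552,PA_PA,0,0,6,332,112",
    "1970/01/01 02:14:24.224735,4.880939,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_PA,0,0,7,426,254",
    "1970/01/01 02:14:24.224735,239131.593750,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_RPA,0,0,11741,784197,556855",
    "1970/01/01 02:00:17.462571,577733.437500,tcp,10.0.2.104,49227,->,147.32.83.57,5552,FSPA_FSPA,0,0,3026,470659,296984",
])

TIME_FMT = "%Y/%m/%d %H:%M:%S.%f"


def parse_flows(text):
    """Parse ra-style CSV into dicts with numeric ports/durations and a datetime start."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["Sport"] = int(r["Sport"])
        r["Dport"] = int(r["Dport"])
        r["Dur"] = float(r["Dur"])
        r["Start"] = datetime.strptime(r["StartTime"], TIME_FMT)
        rows.append(r)
    return rows


def connection_key(row):
    """Order-independent key: (proto, lower endpoint, higher endpoint)."""
    ends = sorted([(row["SrcAddr"], row["Sport"]), (row["DstAddr"], row["Dport"])])
    return (row["Proto"], ends[0], ends[1])


def group_by_connection(rows):
    """Bucket records by connection, ignoring which side ra printed as source."""
    groups = defaultdict(list)
    for r in rows:
        groups[connection_key(r)].append(r)
    return groups


def swapped_reports(rows):
    """Connections seen with more than one src/dst ordering or with a '<?>' direction.

    Returns {key: {"records": n, "orderings": n, "unknown_dir": n}}.
    """
    result = {}
    for key, recs in group_by_connection(rows).items():
        orderings = {(r["SrcAddr"], r["Sport"]) for r in recs}
        unknown_dir = sum(1 for r in recs if r["Dir"] == "<?>")
        if len(orderings) > 1 or unknown_dir:
            result[key] = {"records": len(recs),
                           "orderings": len(orderings),
                           "unknown_dir": unknown_dir}
    return result


def timeline(rows):
    """Records in start-time order as (start, source endpoint, dir, dur, state)."""
    return [(r["Start"], (r["SrcAddr"], r["Sport"]), r["Dir"], r["Dur"], r["State"])
            for r in sorted(rows, key=lambda r: r["Start"])]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for key, info in swapped_reports(flows).items():
        print(key, info)
    for entry in timeline(flows):
        print(*entry)
```

Feed it real output with `ra -n -r file.biargus - 'port 5552 and port 49227'` piped into a file and read that instead of SAMPLE; a connection listed with two orderings and non-zero unknown_dir is exactly the symptom described above, so the count per connection gives a quick way to compare runs with different ARGUS_TCP_TIMEOUT settings.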