Help needed to interpret how flows are reported. Probably IPs are being swapped.

el draco eldraco at gmail.com
Sat Jun 20 09:27:44 EDT 2015


Thanks, Carter, for your help and explanations; I have a better idea now.
However, I still can't make it work. I will try to write a shorter
email...

- 1 Experiment (ra)
ARGUS_TCP_TIMEOUT=9999999, ARGUS_FLOW_STATUS_INTERVAL=5
argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | ra -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227" | less
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
1970/01/01 02:00:17.462571,0.002098,tcp,10.0.2.104,49227,->,147.32.83.57,5552,SPA_SA,0,0,7,731,565,
(... ~50 flows)
1970/01/01 02:10:41.619950,4.335007,tcp,10.0.2.104,49227,->,147.32.83.57,5552,PA_PA,0,0,6,332,112,
1970/01/01 02:14:24.224735,4.880939,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_PA,0,0,7,426,254,     <- Change
(... continues...)

- 2 Experiment (racluster)
> As you reported, racluster.1 understands this and merges the flow records together correctly.
Actually racluster does not report them correctly.

ARGUS_TCP_TIMEOUT=9999999, ARGUS_FLOW_STATUS_INTERVAL=5
argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | racluster -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227"
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
1970/01/01 02:14:24.224735,239131.593750,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_RPA,0,0,11741,784197,556855,
1970/01/01 02:00:17.462571,577733.437500,tcp,10.0.2.104,49227,->,147.32.83.57,5552,FSPA_FSPA,0,0,3026,470659,296984,


- 3 Experiment (racluster)
ARGUS_TCP_TIMEOUT=9999999, ARGUS_FLOW_STATUS_INTERVAL=3600
argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | racluster -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227"
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
1970/01/01 03:21:39.147159,235096.671875,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_RPA,0,0,11504,645052,421722,
1970/01/01 02:00:17.462571,577733.437500,tcp,10.0.2.104,49227,->,147.32.83.57,5552,FSPA_FSPA,0,0,3263,609804,300996,
(also notice here how the start time of the flow was changed)

- 4 Experiment (ra)
ARGUS_TCP_TIMEOUT=9999999, ARGUS_FLOW_STATUS_INTERVAL=3600
argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | ra -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227" | less
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
1970/01/01 02:00:17.462571,3451.667480,tcp,10.0.2.104,49227,->,147.32.83.57,5552,SPA_SPA,0,0,511,174028,19514,
1970/01/01 03:21:39.147159,2338.387939,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_PA,0,0,192,10624,7040,

- 5 Experiment (ra)
ARGUS_TCP_TIMEOUT=60, ARGUS_FLOW_STATUS_INTERVAL=3600
argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | ra -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227" | less
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
1970/01/01 02:00:17.462571,3451.667480,tcp,10.0.2.104,49227,->,147.32.83.57,5552,SPA_SPA,0,0,511,174028,19514,
1970/01/01 03:21:39.147159,2338.387939,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_PA,0,0,192,10624,7040,

- 6 Experiment (racluster)
ARGUS_TCP_TIMEOUT=60, ARGUS_FLOW_STATUS_INTERVAL=3600
argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | racluster -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227"
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
1970/01/01 03:21:39.147159,235096.671875,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_RPA,0,0,11504,645052,421722,
1970/01/01 02:00:17.462571,577733.437500,tcp,10.0.2.104,49227,->,147.32.83.57,5552,FSPA_FSPA,0,0,3263,609804,300996,

- 7 Experiment (ra)
ARGUS_TCP_TIMEOUT=60, ARGUS_FLOW_STATUS_INTERVAL=5
argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | ra -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227" | less
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
1970/01/01 02:00:17.462571,0.002098,tcp,10.0.2.104,49227,->,147.32.83.57,5552,SPA_SA,0,0,7,731,565,
(... ~50 flows)
1970/01/01 02:10:41.619950,4.335007,tcp,10.0.2.104,49227,->,147.32.83.57,5552,PA_PA,0,0,6,332,112,
1970/01/01 02:14:24.224735,4.880939,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_PA,0,0,7,426,254,
(continue)

- 8 Experiment (racluster)
ARGUS_TCP_TIMEOUT=60, ARGUS_FLOW_STATUS_INTERVAL=5
argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | racluster -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227"
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
1970/01/01 02:14:24.224735,239131.593750,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_RPA,0,0,11741,784197,556855,
1970/01/01 02:00:17.462571,577733.437500,tcp,10.0.2.104,49227,->,147.32.83.57,5552,FSPA_FSPA,0,0,3026,470659,296984,

So far in my experiments ARGUS_TCP_TIMEOUT does not affect the result,
but the status time does.
I would like to use a status time of 5s and racluster.
Thanks again
Sebas


-- 
https://pgp.mit.edu/pks/lookup?op=get&search=0x9D9A358CA10F1601
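The two racluster records in experiment 2 describe one TCP connection seen from both ends: the second record carries argus's determined direction (`->`), the first was emitted with the endpoints swapped and an unknown direction (`<?>`). The following Python script is an added example for this thread; it is not the poster's code and not part of the argus distribution. It parses `ra -Z b` CSV output, keys records on the unordered endpoint pair so swapped records land in the same group, takes the client/server orientation from any record whose direction argus did determine, and merges the group, flipping the byte counters of swapped records so SrcBytes is attributed to the right end. The input is the two records from experiment 2 re-joined onto one line each, plus one constructed unrelated flow (RFC 5737 addresses) so the grouping step has something to keep apart; the "higher port is the client" fallback used when every record is `<?>` is this script's own heuristic, not an argus rule.

```python
"""Merge argus/ra CSV flow records whose endpoints were reported swapped."""
import csv
from datetime import datetime, timedelta
from io import StringIO

RA_TIME_FMT = "%Y/%m/%d %H:%M:%S.%f"

# Constructed input: the two racluster records from experiment 2 in the thread
# (each re-joined onto a single line) plus one unrelated flow built with
# RFC 5737 documentation addresses so that grouping has two keys to separate.
SAMPLE = """\
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
1970/01/01 02:14:24.224735,239131.593750,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_RPA,0,0,11741,784197,556855,
1970/01/01 02:00:17.462571,577733.437500,tcp,10.0.2.104,49227,->,147.32.83.57,5552,FSPA_FSPA,0,0,3026,470659,296984,
1970/01/01 02:05:00.000000,1.500000,tcp,192.0.2.10,51000,->,198.51.100.20,443,FSPA_FSPA,0,0,20,4000,1500,
"""


def parse_ra_csv(text):
    """Parse ra -Z b CSV output (header row first) into typed dicts."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        start = datetime.strptime(row["StartTime"], RA_TIME_FMT)
        dur = float(row["Dur"])
        rows.append({
            "start": start,
            "end": start + timedelta(seconds=dur),
            "proto": row["Proto"],
            "src": (row["SrcAddr"], int(row["Sport"])),
            "dir": row["Dir"],
            "dst": (row["DstAddr"], int(row["Dport"])),
            "state": row["State"],
            "pkts": int(row["TotPkts"]),
            "bytes": int(row["TotBytes"]),
            "src_bytes": int(row["SrcBytes"]),
        })
    return rows


def flow_key(rec):
    """Orientation-independent key: protocol plus the sorted endpoint pair."""
    return (rec["proto"],) + tuple(sorted([rec["src"], rec["dst"]]))


def pick_orientation(group):
    """Return (client, server) for a group of records with the same key.

    A record with '->' means argus saw its src initiate; '<-' means dst did.
    If every record is '<?>', fall back to treating the higher port as the
    ephemeral client port. That fallback is this script's assumption only.
    """
    for rec in group:
        if rec["dir"] == "->":
            return rec["src"], rec["dst"]
        if rec["dir"] == "<-":
            return rec["dst"], rec["src"]
    a, b = group[0]["src"], group[0]["dst"]
    return (a, b) if a[1] >= b[1] else (b, a)


def merge_flow(group):
    """Merge one group into a single client->server record."""
    client, server = pick_orientation(group)
    merged = {"client": client, "server": server, "proto": group[0]["proto"],
              "start": min(r["start"] for r in group),
              "end": max(r["end"] for r in group),
              "pkts": 0, "bytes": 0, "client_bytes": 0,
              "swapped_records": 0, "states": []}
    for r in group:
        merged["pkts"] += r["pkts"]
        merged["bytes"] += r["bytes"]
        if r["src"] == client:
            merged["client_bytes"] += r["src_bytes"]
        else:
            # Endpoints were swapped in this record, so its SrcBytes belong
            # to the server; the client's share is the remainder.
            merged["client_bytes"] += r["bytes"] - r["src_bytes"]
            merged["swapped_records"] += 1
        merged["states"].append(r["state"])
    merged["server_bytes"] = merged["bytes"] - merged["client_bytes"]
    merged["dur"] = (merged["end"] - merged["start"]).total_seconds()
    return merged


def merge_all(text):
    """Group parsed records by flow_key and merge each group."""
    groups = {}
    for rec in parse_ra_csv(text):
        groups.setdefault(flow_key(rec), []).append(rec)
    return {key: merge_flow(grp) for key, grp in groups.items()}


if __name__ == "__main__":
    for m in merge_all(SAMPLE).values():
        print(f"{m['client'][0]}:{m['client'][1]} -> "
              f"{m['server'][0]}:{m['server'][1]} pkts={m['pkts']} "
              f"bytes={m['bytes']} client_bytes={m['client_bytes']} "
              f"dur={m['dur']:.3f}s swapped={m['swapped_records']}")
```

Run against the sample, the two experiment-2 records collapse into one 10.0.2.104:49227 -> 147.32.83.57:5552 record of 14767 packets and 1254856 bytes, with 524326 bytes from the client, and the swapped-record counter is a cheap way to flag, in real ra output, how many records a given status interval produced with the endpoints reversed.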
