Help needed to interpret how flows are reported. Probably IPs are being swapped.

Carter Bullard carter at qosient.com
Mon Jun 29 17:05:32 EDT 2015


Hey Sebas,
Sorry for the delayed response.
I’m not following all the experiments, so let’s solve at least some of them.
When you have what you think is a bug, if you can provide packet files,
flow files, and configuration, so that I can replicate it here.  If I
can replicate the problem, then I should be able to fix it.

For experiment #1, I have a packet capture file, but I don’t have the
configuration files for argus or ra.  I’m sure that you’re indicating
them in the email, but I’m having problems figuring out which one is
which.  Regardless, I think I’ve got it.

OK, the problem is that we change the direction of the flow while it’s ongoing,
because there is a very long idle time and argus forgets about the flow.

Yes, your first experiment indicates that the ARGUS_TCP_TIMEOUT variable
isn’t working, and that is a bug.  I’ve fixed that today, and it behaves
as we would expect, where you don’t forget the TCP connection during
your packet run.  I’ll release this later today or tomorrow.

OK, experiments #2-8.  racluster.1 doesn’t put records back together properly.
I cannot replicate this bug in any combination of your experiments, as it
works as specified on all my machines here using the data you are reporting.
I don’t know what ra.conf.analysis contains so I can’t do what you’re doing,
evidently.  Can you send that ???

OK, to make this a lot easier.  Rather than pipe argus into the client
programs each and every time, create flow files, so we both have the
same starting material.


Carter

> On Jun 20, 2015, at 9:27 AM, el draco <eldraco at gmail.com> wrote:
> 
> Thanks Carter for your help and explanations, I got a better idea now.
> However I still can't make it work. I will try to write a shorter
> email...
> 
> - 1 Experiment (ra)
> ARGUS_TCP_TIMEOUT=9999999, ARGUS_FLOW_STATUS_INTERVAL=5
> argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | ra -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227"|less
> StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
> 1970/01/01 02:00:17.462571,0.002098,tcp,10.0.2.104,49227,->,147.32.83.57,5552,SPA_SA,0,0,7,731,565,
> (...~50flows)
> 1970/01/01 02:10:41.619950,4.335007,tcp,10.0.2.104,49227,->,147.32.83.57,5552,PA_PA,0,0,6,332,112,
> 1970/01/01 02:14:24.224735,4.880939,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_PA,0,0,7,426,254,     <- Change
> (... continues...)
> 
> - 2 Experiment (racluster)
>> As you reported, racluster.1 understands this and merges the flow records together correctly.
> Actually racluster does not report them correctly.
> 
> ARGUS_TCP_TIMEOUT=9999999, ARGUS_FLOW_STATUS_INTERVAL=5
> argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | racluster -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227"
> StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
> 1970/01/01 02:14:24.224735,239131.593750,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_RPA,0,0,11741,784197,556855,
> 1970/01/01 02:00:17.462571,577733.437500,tcp,10.0.2.104,49227,->,147.32.83.57,5552,FSPA_FSPA,0,0,3026,470659,296984,
> 
> 
> - 3 Experiment (racluster)
> ARGUS_TCP_TIMEOUT=9999999, ARGUS_FLOW_STATUS_INTERVAL=3600
> argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | racluster -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227"
> StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
> 1970/01/01 03:21:39.147159,235096.671875,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_RPA,0,0,11504,645052,421722,
> 1970/01/01 02:00:17.462571,577733.437500,tcp,10.0.2.104,49227,->,147.32.83.57,5552,FSPA_FSPA,0,0,3263,609804,300996,
> (also notice here how the start time of the flow was changed)
> 
> - 4 Experiment (ra)
> ARGUS_TCP_TIMEOUT=9999999, ARGUS_FLOW_STATUS_INTERVAL=3600
> argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | ra -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227"|less
> StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
> 1970/01/01 02:00:17.462571,3451.667480,tcp,10.0.2.104,49227,->,147.32.83.57,5552,SPA_SPA,0,0,511,174028,19514,
> 1970/01/01 03:21:39.147159,2338.387939,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_PA,0,0,192,10624,7040,
> 
> - 5 Experiment (ra)
> ARGUS_TCP_TIMEOUT=60, ARGUS_FLOW_STATUS_INTERVAL=3600
> argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | ra -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227"|less
> StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
> 1970/01/01 02:00:17.462571,3451.667480,tcp,10.0.2.104,49227,->,147.32.83.57,5552,SPA_SPA,0,0,511,174028,19514,
> 1970/01/01 03:21:39.147159,2338.387939,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_PA,0,0,192,10624,7040,
> 
> - 6 Experiment (racluster)
> ARGUS_TCP_TIMEOUT=60, ARGUS_FLOW_STATUS_INTERVAL=3600
> argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | racluster -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227"
> StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
> 1970/01/01 03:21:39.147159,235096.671875,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_RPA,0,0,11504,645052,421722,
> 1970/01/01 02:00:17.462571,577733.437500,tcp,10.0.2.104,49227,->,147.32.83.57,5552,FSPA_FSPA,0,0,3263,609804,300996,
> 
> - 7 Experiment (ra)
> ARGUS_TCP_TIMEOUT=60, ARGUS_FLOW_STATUS_INTERVAL=5
> argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | ra -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227"|less
> StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
> 1970/01/01 02:00:17.462571,0.002098,tcp,10.0.2.104,49227,->,147.32.83.57,5552,SPA_SA,0,0,7,731,565,
> ( ~50 flows)
> 1970/01/01 02:10:41.619950,4.335007,tcp,10.0.2.104,49227,->,147.32.83.57,5552,PA_PA,0,0,6,332,112,
> 1970/01/01 02:14:24.224735,4.880939,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_PA,0,0,7,426,254,
> (continue)
> 
> - 8 Experiment (racluster)
> ARGUS_TCP_TIMEOUT=60, ARGUS_FLOW_STATUS_INTERVAL=5
> argus -F argus_bi.long.large.conf -r 2015-04-22_capture-win4.pcap -w - | racluster -n -r - -Z b -F ra.conf.analysis - "port 5552 and port 49227"
> StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
> 1970/01/01 02:14:24.224735,239131.593750,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_RPA,0,0,11741,784197,556855,
> 1970/01/01 02:00:17.462571,577733.437500,tcp,10.0.2.104,49227,->,147.32.83.57,5552,FSPA_FSPA,0,0,3026,470659,296984,
> 
> So far in my experiments ARGUS_TCP_TIMEOUT does not affect the result,
> but the status time does.
> I would like to use a status time of 5s and racluster.
> Thanks again
> Sebas
> 
> 
> -- 
> https://pgp.mit.edu/pks/lookup?op=get&search=0x9D9A358CA10F1601
> 
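As an added example (not code from the thread or from the argus project), the Python below parses the ra CSV records quoted above, groups records by unordered endpoint pair so a record argus reported with SrcAddr/DstAddr swapped still joins its connection, and merges them the way a correct racluster would, re-crediting SrcBytes for the flipped record. The sample input is the thread's own output lines re-joined after mail wrapping; the field names come from the ra header line.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed input: the ra lines quoted in the thread, re-joined where the mail
# client wrapped them (the trailing empty field is the empty Label column).
SAMPLE = """\
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
1970/01/01 02:00:17.462571,0.002098,tcp,10.0.2.104,49227,->,147.32.83.57,5552,SPA_SA,0,0,7,731,565,
1970/01/01 02:10:41.619950,4.335007,tcp,10.0.2.104,49227,->,147.32.83.57,5552,PA_PA,0,0,6,332,112,
1970/01/01 02:14:24.224735,4.880939,tcp,147.32.83.57,5552,<?>,10.0.2.104,49227,PA_PA,0,0,7,426,254,
"""

def parse_ra_csv(text):
    """Parse ra -Z b CSV output: counters become ints, StartTime/Dur a time window."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["start"] = datetime.strptime(r["StartTime"], "%Y/%m/%d %H:%M:%S.%f")
        r["end"] = r["start"] + timedelta(seconds=float(r["Dur"]))
        for k in ("TotPkts", "TotBytes", "SrcBytes"):
            r[k] = int(r[k])
        rows.append(r)
    return rows

def group_connections(rows):
    """Key by protocol plus the *unordered* endpoint pair, so a record whose
    SrcAddr/DstAddr were swapped still lands with the rest of its connection."""
    groups = {}
    for r in rows:
        key = (r["Proto"], frozenset([(r["SrcAddr"], r["Sport"]), (r["DstAddr"], r["Dport"])]))
        groups.setdefault(key, []).append(r)
    return groups

def merge_connection(rows):
    """Merge one connection's status records.  The earliest record fixes the
    orientation (its SrcAddr is the initiator); a later record reported the
    other way round is flipped before SrcBytes is credited, otherwise bytes the
    responder sent would be counted as the initiator's."""
    rows = sorted(rows, key=lambda r: r["start"])
    init = (rows[0]["SrcAddr"], rows[0]["Sport"])
    out = {"initiator": init, "responder": (rows[0]["DstAddr"], rows[0]["Dport"]),
           "pkts": 0, "init_bytes": 0, "resp_bytes": 0, "flipped": 0, "unknown_dir": 0}
    for r in rows:
        if (r["SrcAddr"], r["Sport"]) == init:
            sent_by_init = r["SrcBytes"]
        else:                                   # swapped record: SrcBytes is the responder's
            sent_by_init = r["TotBytes"] - r["SrcBytes"]
            out["flipped"] += 1
        out["unknown_dir"] += int(r["Dir"] == "<?>")   # argus could not establish direction
        out["pkts"] += r["TotPkts"]
        out["init_bytes"] += sent_by_init
        out["resp_bytes"] += r["TotBytes"] - sent_by_init
    out["dur"] = (max(r["end"] for r in rows) - rows[0]["start"]).total_seconds()
    return out

def summarize(text):
    return [merge_connection(g) for g in group_connections(parse_ra_csv(text)).values()]
```

Comparing `init_bytes`/`resp_bytes` from this merge with the SrcBytes of a racluster record whose SrcAddr is the wrong end is a quick way to see whether the cluster swapped the endpoints before summing.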
