How is the flgs field derived?

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Wed Apr 27 09:24:03 EDT 2016 

Hey Richard,
The 'N' in the argus flgs field indicates that the data originally was derived from Netflow, so that is correct.
Because it originated from Netflow, you have limited attributes and metrics, so no real Argus flags data.  Only TCP flags info will be the Netflow 'OR'd flags, which are correct in your output. "tcp flags = .AP...", so there was an ACK and a PUSH somewhere in the 2 packets that are being reported.

Looks exactly as one would expect from Netflow data.

You should get the ".AP..." in argus's state field with the Z option.
Carter

> 
> 
> 
>> On Apr 27, 2016, at 3:06 AM, Richard Rothwell via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>> 
>> Hi Carter,
>> 
>> The GLORIAD software I have inherited is converting all flags fields into “Netflow”.
>> This is because the flags field as sent by rabins contains just “N”.
>> Flags is call just flgs in a netflow record.
>> 
>> The data processing chain I have in place has router(IPFIX) -> nprobe(Netflow9) -> radium (Argus)  -> rabins.
>> I have looked at the output of nprobe and that seems to be OK.
>> I use nfcapd and nfdump together to inspect the output of nprobe.
>> 
>> A record output from nprobe looks like:
>> 
>> Flow Record: 
>>   Flags        =              0x06 FLOW, Unsampled
>>   export sysid =                 1
>>   size         =                72
>>   first        =        1461737035 [2016-04-27 06:03:55]
>>   last         =        1461737035 [2016-04-27 06:03:55]
>>   msec_first   =               304
>>   msec_last    =               304
>>   src addr     =   ***.***.***.***
>>   dst addr     =   ***.***.***.***
>>   src port     =             27878
>>   dst port     =               443
>>   fwd status   =                 0
>>   tcp flags    =              0x18 .AP...
>>   proto        =                 6 TCP  
>>   (src)tos     =                 0
>>   (in)packets  =                 2
>>   (in)bytes    =               193
>>   input        =               824
>>   output       =               644
>>   src as       =             10148
>>   dst as       =             32934
>> 
>> So the question is where have tcp flags gone in the conversion between netflow and Argus records.
>> Is this expected behaviour??
>> 
>> Regards from Richard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160427/2118370c/attachment.html>

More information about the argus mailing list