FW: Flows not being constructed as expected

Matt Brown via Argus-info argus-info at lists.andrew.cmu.edu
Wed Feb 10 08:23:15 EST 2016 

Dave,

Whoops... very simply:
    argus -B 10.8.6.97 -d -i eth1 -P 561

Alas, my mirrored packets are arriving to eth0 (and the invocation should
be `argus -B 10.8.6.97 -d -i eth0 -P 561`).  *faceplam*


To assist others, I had already started writing the rest of this email, so
here is the realization of the recommended troubleshooting:

...
I've performed the following with success:

tcpdump -w dump.cap -i 1 src host 10.100.100.10 and dst host 8.8.8.8
argus -X -A -Z -R -J -U 2048 -w icmptest.argus -r dump.cap
ra -X -r icmptest.argus - icmp and host 8.8.8.8


[root at argus ~]# ra -X -r icmptest.argus - icmp and host 8.8.8.8
         StartTime      Flgs  Proto            SrcAddr  Sport
Dir            DstAddr  Dport  TotPkts   TotBytes State
   08:02:07.167090  e          icmp         10.100.100.10.0x08
->            8.8.8.8.0x00          2        148   ECO
   08:02:08.173912  e          icmp         10.100.100.10.0x08
->            8.8.8.8.0x00          2        148   ECO
   08:02:09.177659  e          icmp         10.100.100.10.0x08
->            8.8.8.8.0x00          2        148   ECO
   08:02:10.181829  e          icmp         10.100.100.10.0x08
->            8.8.8.8.0x00          2        148   ECO


Thanks for the `-X`.  I assume that I've got something wacky in my
argus.conf or .rarc file.  I copied both out of */support/Config/.. and
actually didn't make any changes.

.rarc (nothing seems interesting as a cause):
  RA_SET_PID="no"
  RA_PID_PATH="/var/run"
  RA_RUN_TIME=0
  RA_PRINT_MAN_RECORDS=yes
  RA_PRINT_EVENT_RECORDS=yes
  RA_GENERATE_BIN_MAR_RECORDS=yes
  RA_PRINT_LABELS=0
  RA_FIELD_SPECIFIER="stime flgs proto saddr sport dir daddr dport spkts
dpkts sbytes dbytes state"
  RA_FIELD_DELIMITER=''
  RA_PRINT_NAMES=port
  RA_ASN_PRINT_FORMAT="asplain"
  RA_PRINT_RESPONSE_DATA=no
  RA_PRINT_UNIX_TIME=no
  RA_TIME_FORMAT="%T.%f"
  RA_USEC_PRECISION=6
  RA_USERDATA_ENCODE=Ascii
  RA_SORT_ALGORITHMS="dpkts spkts saddr dport daddr sport"
  RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"
  RA_PORT_DIRECTION="services,wellknown"
  RA_LOCAL=/usr/local/argus/local.addrs
  RA_LOCAL_DIRECTION="force:src"

argus.conf (nothing interesting...):
  ARGUS_FLOW_TYPE="Bidirectional"
  ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
  ARGUS_FLOW_STATUS_INTERVAL=5
  ARGUS_MAR_STATUS_INTERVAL=60

...

I was then going to note my argus and ra invocations when I realized (with
`ps -ef`) that I invoked argus against the wrong interface. *shakes fist at
sky*


Thanks for your time,

Matt





On Tue, Feb 9, 2016 at 6:34 PM, David Edelman via Argus-info <
argus-info at lists.andrew.cmu.edu> wrote:

> Adding the list – For some reason reply to all is not including the list L
>
>
>
> --Dave
>
>
>
> *From:* David Edelman [mailto:dedelman at iname.com]
> *Sent:* Tuesday, February 9, 2016 6:31 PM
> *To:* 'Matt Brown' <matthewbrown at gmail.com>
> *Subject:* RE: [ARGUS] Flows not being constructed as expected
>
>
>
> If you have the packet capture file you can ingest that with argus to
> produce a flow file so that the experiment is repeatable. I have a standard
> set of command line parameters that I use for slurping up pcap files:
>
>   argus –X –A –Z –R –J –U 2048 –w theOutputFileName –r the InputFile.pcap
>
>
>
> It’s probably overkill but the leading –X ensures that there is nothing in
> a configuration file that is eating your lunch (or your ICMP)
>
>
>
> I’d then run the output file through ra using a very vanilla set of
> parameters:
>
>                 ra –X –r theOutputFileName – icmp and host x.y.z.q
>
>
>
> Post the results and we might be able to help
>
>
>
> --Dave
>
>
>
>
>
>
>
>
>
> *From:* Argus-info [
> mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
> <argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu>] *On Behalf
> Of *Matt Brown via Argus-info
> *Sent:* Tuesday, February 9, 2016 5:55 PM
> *To:* argus-info at lists.andrew.cmu.edu
> *Subject:* [ARGUS] Flows not being constructed as expected
>
>
>
> Hello all,
>
> I'm using cisco switches to mirror packets by vlan as follows:
>
> monitor session 2 source vlan 1 , 5 - 8 , 10
> monitor session 2 filter packet-type good rx
> monitor session 2 destination interface Gi4/21
>
>
> When comparing output of `tcpdump` with `ra -S 127.0.0.1:561  -- icmp and
> host [my host]`, I do not see flows constructed for pings as expected (or
> at all :) ).
>
> This is the first time I've ingested vlan encapped data into argus and was
> wondering if I need to adjust some additional settings that I may have
> missed?
>
> Thanks,
>
> Matt
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160210/fe57d12d/attachment.html>

More information about the argus mailing list