Argus-3.0.8.2 output

Mon Jan 23 09:28:44 EST 2017

Hey Hasanen,
The data looks good to me … what do you think is wrong with the data ???

Just a simple set of statements that may clear things up, argus is a bi-directional flow monitor.  What is considered to be the src and dst of a bi-directional flow is not the same semantic as you would expect from packet dumps.  Bi-directional flow data is accounting for both sides of a packet stream, which is composed of packets where A->B and B->A.  In packet data, both A and B are sources, and A and B are also destinations.  In flow data, the src is the flow initiator, and the dst is the target of the flow.

To best understand how argus is assigning src and dst, you need to know what is argus’s concept of direction.  So print the ‘ dir ‘ field to see what argus thinks the flow direction is.  When the ‘ dir ‘ field has a ‘ ? ‘ in it, argus doesn’t know who started the connection, and so reports the src as the address that sent the first packet observed in the flow.

The logic is, for connection oriented protocols, argus uses the protocol to identify the initiator of the flow (who sent the SYN).  When argus doesn’t see all the packets, it has to quess, based on the protocol, (the dst of the flow is the node that sent the SYN_ACK packet).  This works most of the time, but there are issues with packets that don’t conform to the protocol.  

For connection-less protocols, the initiator is the address that sent the first packet observed.  This also applies when argus doesn’t see the initial handshake, say when you first start reading packets, or if your packet source is not well positioned along the path.

With regard to your data, there would be errors if the reported port associated with the address is wrong. As an example, if in your first line of data, address 85.153.118.24 was actually the telent server.

Hope this is helpful,
Carter

> On Jan 23, 2017, at 5:27 AM, Hasanen Alyasiri via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hi,
> 
> Best Wishes...
> 
> I am trying to extract the following features (SrcAddr, Sport, DstAddr, Dport and Proto) from pcap file using ra argus, but the port output gives wrong values. Please, could you help with that? I will be grateful.
> 
> Please find below a sample of the output:
> 
> SrcAddr	Sport	DstAddr	Dport	Proto
> 85.153.118.24	39715	150.75.68.63	telnet	tcp
> 85.153.40.80	51304	203.74.89.109	telnet	tcp
> 37.98.222.20	36841	150.75.12.251	telnet	tcp
> 192.37.232.201	https	202.10.167.248	51996	tcp
> 120.227.128.2	http	202.10.167.248	50169	tcp
> 203.74.98.241	ssh	58.230.207.182	27711	tcp
> 203.74.124.110	0x0008	191.56.118.93	0x4f52	icmp
> 203.74.124.110	0x0008	88.238.126.98	0x4f52	icmp
> 157.242.24.222	12959	17.111.211.23	https	tcp
> 181.49.6.231	58155	163.220.237.15	telnet	tcp
> 54.238.51.139	https	163.220.5.130	49807	tcp
> 77.227.180.73	42280	163.220.226.178	7547	tcp
> 13.171.83.25	https	202.133.66.133	36885	tcp
> 106.160.99.50	0x0008	203.74.124.110	0x4f51	icmp
> 70.201.41.135	0x0008	203.74.124.110	0x4f50	icmp
> 37.8.137.186	62440	133.29.143.76	telnet	tcp
> 61.100.104.225	5760	203.74.105.78	ntp	udp
> 156.121.228.134	domain	203.74.105.219	56685	tcp
> 17.3.99.196	http	202.10.167.248	49343	tcp
> 163.220.253.55	57585	199.175.246.161	https	tcp
> 
> 
> Regards...
> 
> Hasanen Alyasiri
> Research Student
> Department of Computer Science
> University of York

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20170123/4d77bc2d/attachment.html>