Argus flow direction

Tue May 9 15:52:34 EDT 2017

Hey Tbh,
racluster.1 does have the ability to ‘correct’ flow records for the direction, and I think that should be the default behavior.  Its possible that the default is being changed (.rarc ??).  Try racluster with the “-M correct” option to see if you can force correction.

There are exceptions for correction, especially when you are processing flow records from different sources.  Do both of these flow records have the same ‘srcid’ ??
Try “-M correct”, if that doesn’t work, generate a data file with these two records in them, and I’ll take a look …

Hope all is most excellent,
Carter

> On May 9, 2017, at 1:29 PM, tbh <tbh1000 at gmail.com> wrote:
> 
> Greetings to the list...
> 
> I'm trying to understand why I'm seeing a second flow with an ambiguous direction for this traffic. Given the saddr, sport, daddr, dport, proto are all the same and the start/last times fit within the first line, I would have thought it would have been considered part of that connection.
> 
> racluster -m saddr sport daddr dport -r argus-eth0.20170307*.gz -s stime ltime proto saddr sport dir daddr dport pkts bytes dur - ipv4 and proto 6 and  net 1.2.3.0/24 <http://1.2.3.0/24> 
> 
>                StartTime                 LastTime                 Proto    SrcAddr  Sport   Dir        DstAddr  Dport  TotPkts   TotBytes     Dur 
> 17-03-07 16:04:56.830048 17-03-07 16:31:07.160901      6     2.3.4.5.64453     ->         1.2.3.32.7610         10       1799  1570.3308*
> 17-03-07 16:26:39.835133 17-03-07 16:26:39.835244      6     1.2.3.32.7610     <?>       2.3.4.5.64453         2        120     0.000111
> 
> Any insight would be appreciated!
> 
> Thanks!
> 
> tbh

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20170509/0c00b068/attachment.html>