Argus flow direction

Carter Bullard carter at qosient.com
Tue May 9 17:58:59 EDT 2017 

Hey Tbh,
Just for sanity sake, I ran this on my Mac OS X Sierra, and got this output using Ra Version 3.0.8.3,

apophis:clients carter$ ../bin/racluster -Xr ~/Desktop/test
        StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State 
  17:26:39.835133  M           tcp           1.2.3.32.7610     <?>            2.3.4.5.64453         2        120   FIN
  17:04:56.830048  M g         tcp            2.3.4.5.64453     ->           1.2.3.32.7610         10       1799   RST

apophis:clients carter$ ../bin/racluster -Xr ~/Desktop/test -M correct
        StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State 
  17:04:56.830048  M g         tcp            2.3.4.5.64453     ->           1.2.3.32.7610         12       1919   RST

So when I used the correct option, I got correct results.  Did you not get this ???  What version of racluster, and what platform ???
Carter


> On May 9, 2017, at 5:00 PM, tbh <tbh1000 at gmail.com> wrote:
> 
> Carter,
> 
> The "-M correct" option didn't fix it. The srcid for both is 0.0.0.0. Perhaps duplicate packets?
> 
> Attached is a file with the data for this traffic. I appreciate you taking the time to take a look!
> 
> tbh
> 
> On Tue, May 9, 2017 at 2:52 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Tbh,
> racluster.1 does have the ability to ‘correct’ flow records for the direction, and I think that should be the default behavior.  Its possible that the default is being changed (.rarc ??).  Try racluster with the “-M correct” option to see if you can force correction.
> 
> There are exceptions for correction, especially when you are processing flow records from different sources.  Do both of these flow records have the same ‘srcid’ ??
> Try “-M correct”, if that doesn’t work, generate a data file with these two records in them, and I’ll take a look …
> 
> Hope all is most excellent,
> Carter
> 
>> On May 9, 2017, at 1:29 PM, tbh <tbh1000 at gmail.com> wrote:
>> 
>> Greetings to the list...
>> 
>> I'm trying to understand why I'm seeing a second flow with an ambiguous direction for this traffic. Given the saddr, sport, daddr, dport, proto are all the same and the start/last times fit within the first line, I would have thought it would have been considered part of that connection.
>> 
>> racluster -m saddr sport daddr dport -r argus-eth0.20170307*.gz -s stime ltime proto saddr sport dir daddr dport pkts bytes dur - ipv4 and proto 6 and  net 1.2.3.0/24 
>> 
>>               StartTime                 LastTime                 Proto    SrcAddr  Sport   Dir        DstAddr  Dport  TotPkts   TotBytes     Dur 
>> 17-03-07 16:04:56.830048 17-03-07 16:31:07.160901      6     2.3.4.5.64453     ->         1.2.3.32.7610         10       1799  1570.3308*
>> 17-03-07 16:26:39.835133 17-03-07 16:26:39.835244      6     1.2.3.32.7610     <?>       2.3.4.5.64453         2        120     0.000111
>> 
>> Any insight would be appreciated!
>> 
>> Thanks!
>> 
>> tbh
> 
> 
> <test.gz>

More information about the argus mailing list