Field "state" from Argus (ra)

Drew Dixon dwdixon at umich.edu
Thu May 10 12:37:29 EDT 2018 

I would also be interested in more information on understanding the default
state field values, however FWIW I've been using the -Zb option to display
the state field values, I've preferred that option as I didn't really
intuitively understand the default state values all that well:

-Z <s|d|b> Modify status field to represent *actual TCP flag values*.
<'s'rc | 'd'st | 'b'oth>.  I've always used the "both" option (-Zb) when
using this flag.  I've noticed even when using -Zb some flows may show
"REQ" in the State field, this is typically shown for UDP flows in our
experiences, however this is contrary to the ra man page documentation (see
REQ|INT section below) for UDP flows I still see "REQ" for almost all udp
flows rather than "INT" as it states in the man page (and below).   The
characters that can be present in the status field when this is enabled are:

             'F' - Fin
             'S' - Syn
             'R' - Reset
             'P' - Push
             'A' - Ack
             'U' - Urgent Pointer
             '7' - Undefined 7th bit set
             '8' - Undefined 8th bit set

According to the man page this is what REQ means:

REQ|INT (requested|initial)
This indicates that this is the initial state report for a transaction and
is seen only when the argus-server is in DETAIL mode.  For TCP connections
this is REQ, indicating that a connection is being requested.  *For the
connectionless protocols, such as UDP, this is INT. (this has not been the
case for me)*

I've also noticed when using the -Zb flag there are some seemingly random
underscore's in the state field which I do not understand and would also be
interested in better understanding, for example "FSPA_" or "SPA_" or
"SRPA_" ...I never really understood what the underscores were all about?

Thank you,

-Drew

On Thu, May 10, 2018 at 11:38 AM, Mauricio Reis <reismc at gmail.com> wrote:

>
> I'm working on the binetflow extension files available on the CTU-13 site (
>> link
>> <https://mcfp.weebly.com/the-ctu-13-dataset-a-labeled-dataset-with-botnet-normal-and-background-traffic.html>),
>> which was generated by Argus with the "ra" option according to what I was
>> able to verify (see link <http://dx.doi.org/10.1016/j.cose.2014.05.011>).
>>
>> I'd like to understand the values of the "state" field. The documentation
>> I accessed (link <http://qosient.com/argus/man/man1/ra.1.pdf>) describes
>> only some of the values I found (for example: ECO, ECR, IRQ, IRR, MAS, MHR,
>> MRQ, MSR, NNA, NNS, NRA, NRS, PAR, PTB, RED, RTA, RTS, SRC, TSR, TST, TXD,
>> URCUT, URF, URFIL, URH, URHPRO, URHTOS, URHU, URISO, URN, URNPRO, URNTOS,
>> URNU, URP, URPRE, URS). But I could not understand the meaning of values
>> like: FRPA, FSRAEC, RPA, SRA, etc - and combinations like: A_FRA,
>> FSRPAEC_FSRPA, RPA_SA, SPAC_FSRPA.
>>
>> Would you help me?
>>
>> Att.,
>> Mauricio Reis
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20180510/f1274ba7/attachment.html>

More information about the argus mailing list