Field "state" from Argus (ra)

John Gerth gerth at graphics.stanford.edu
Thu May 10 16:58:11 EDT 2018


With regards to -Zb and TCP, the _ separates the flags seen for src packets from those seen for dst.  For both, it's the logical OR of flags seen in
this flow reporting interval for that direction.

Many of the other states, e.g. ECO, URH, TXD, are for ICMP flows.

In general, the default state values for TCP and UDP, I feel, are intended to convey a generic summary for this reporting interval.  Argus does a
pretty good job of synthesizing these, but, especially for UDP, this can't be perfect as there's no guarantee that argus saw the stream from
end-to-end. For the specific case of UDP, I also see both REQ and INT values.  In either case it seems to denote only src packets for this interval.

On 5/10/18 6:37 AM, Drew Dixon wrote:
> I would also be interested in more information on understanding the default state field values; however, FWIW, I've been using the -Zb option to
> display the state field values. I've preferred that option as I didn't really intuitively understand the default state values all that well:
>
> -Z <s|d|b> Modify status field to represent /actual TCP flag values/. <'s'rc | 'd'st | 'b'oth>.  I've always used the "both" option (-Zb) when using
> this flag.  I've noticed even when using -Zb some flows may show "REQ" in the State field; this is typically shown for UDP flows in our experience.
> However, this is contrary to the ra man page documentation (see REQ|INT section below): for UDP flows I still see "REQ" for almost all UDP flows
> rather than "INT" as it states in the man page (and below).   The characters that can be present in the status field when this is enabled are:
>
>              'F' - Fin
>              'S' - Syn
>              'R' - Reset
>              'P' - Push
>              'A' - Ack
>              'U' - Urgent Pointer
>              '7' - Undefined 7th bit set
>              '8' - Undefined 8th bit set
>
> According to the man page this is what REQ means:
>
> REQ|INT (requested|initial)
> This indicates that this is the initial state report for a transaction and is seen only when the argus-server is in DETAIL mode.  For TCP
> connections this is REQ, indicating that a connection is being requested.  /For the connectionless protocols, such as UDP, this is INT. (this has
> not been the case for me)/
>
> I've also noticed when using the -Zb flag there are some seemingly random underscores in the state field which I do not understand and would also
> be interested in better understanding, for example "FSPA_" or "SPA_" or "SRPA_" ... I never really understood what the underscores were all about?
>
> Thank you,
>
> -Drew
>
> On Thu, May 10, 2018 at 11:38 AM, Mauricio Reis <reismc at gmail.com> wrote:
>
>
>         I'm working on the binetflow extension files available on the CTU-13 site (link
>         <https://mcfp.weebly.com/the-ctu-13-dataset-a-labeled-dataset-with-botnet-normal-and-background-traffic.html>), which was generated by Argus
>         with the "ra" option according to what I was able to verify (see link <http://dx.doi.org/10.1016/j.cose.2014.05.011>).
>
>         I'd like to understand the values of the "state" field. The documentation I accessed (link <http://qosient.com/argus/man/man1/ra.1.pdf>)
>         describes only some of the values I found (for example: ECO, ECR, IRQ, IRR, MAS, MHR, MRQ, MSR, NNA, NNS, NRA, NRS, PAR, PTB, RED, RTA, RTS,
>         SRC, TSR, TST, TXD, URCUT, URF, URFIL, URH, URHPRO, URHTOS, URHU, URISO, URN, URNPRO, URNTOS, URNU, URP, URPRE, URS). But I could not
>         understand the meaning of values like: FRPA, FSRAEC, RPA, SRA, etc - and combinations like: A_FRA, FSRPAEC_FSRPA, RPA_SA, SPAC_FSRPA.
>
>         Would you help me?
>
>         Regards,
>         Mauricio Reis
>
>

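As an added example (not code from the thread, the CTU-13 dataset or Argus itself), here is a small Python decoder/synthesiser for the `-Zb` state strings discussed above: it splits a value on the underscore into the src and dst flag sets and builds each side as the logical OR of flags seen on constructed per-packet records. Reading the 'E' and 'C' letters (present in the sample values such as FSRAEC) as the ECN-Echo and CWR bits, and the letter print order, are assumptions of this example.

```python
from typing import Dict, List, Tuple

# Flag letters quoted from the ra man page in the thread.  'E' and 'C'
# appear in the CTU-13 sample values (e.g. FSRAEC, SPAC_FSRPA); reading
# them as the ECN-Echo and CWR bits is an assumption of this example.
FLAG_NAMES: Dict[str, str] = {
    "F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "A": "ACK",
    "U": "URG", "E": "ECE", "C": "CWR", "7": "bit7", "8": "bit8",
}
# Print order inferred from values in the thread (FSRPAEC, SPAC);
# the positions of U, 7 and 8 are assumed.
FLAG_ORDER = "FSRPAUEC78"


def decode_state(state: str) -> Tuple[List[str], List[str]]:
    """Split a -Zb state such as 'SPAC_FSRPA' into (src_flags, dst_flags).

    A value without an underscore (REQ, INT, CON, ...) is not a per-direction
    flag summary; it is returned as-is on the src side with an empty dst
    side so callers can tell the two kinds apart.
    """
    if "_" not in state:
        return [state], []
    src, dst = state.split("_", 1)
    for side in (src, dst):
        unknown = [c for c in side if c not in FLAG_NAMES]
        if unknown:
            raise ValueError(f"unknown flag letter(s) {unknown!r} in {state!r}")
    return [FLAG_NAMES[c] for c in src], [FLAG_NAMES[c] for c in dst]


def summarise(per_packet: List[Tuple[str, str]]) -> str:
    """Build the -Zb string from ('src'|'dst', flag letters) per-packet records.

    Each direction is the logical OR (set union) of the letters seen on its
    packets in the interval, printed in FLAG_ORDER with the '_' separator.
    """
    seen = {"src": set(), "dst": set()}
    for direction, flags in per_packet:
        seen[direction].update(flags)

    def fmt(letters: set) -> str:
        return "".join(c for c in FLAG_ORDER if c in letters)

    return f"{fmt(seen['src'])}_{fmt(seen['dst'])}"


# Constructed per-packet sample: handshake, data push, and a src-side FIN
# with no FIN from dst in this interval -> summarises to 'FSPA_SPA'.
SAMPLE_PACKETS = [("src", "S"), ("dst", "SA"), ("src", "A"),
                  ("src", "PA"), ("dst", "PA"), ("src", "FA")]

if __name__ == "__main__":
    print(summarise(SAMPLE_PACKETS))
    print(decode_state("SPAC_FSRPA"))
```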