Argus Flow Models
Argus is a fixed-model Real Time Flow Monitor that is based on a collection of flow models. Argus supports Type-P and Type-P1-P2 flow types as described in the IETF IPPM WG framework. The list below is ordered by matching precedence. Packets that match the basic flow identifier are matched to other packets by comparing the flow identifiers that are listed. Because Argus is a bi-directional flow modeler, any identifier that is labeled Src or Dst is swappable in the flow matching logic. The identifiers/descriptors for the various flow models are:
Layer 5
  RTP and RTCP (Type-P)
    8-tuple: SrcIPAddr,DstIPAddr,L4Protocol,SrcPort,DstPort,rh_ver,rh_seq,rh_ssrc
Layer 4
  TCP and UDP (Type-P)
    5-tuple: SrcIPAddr,DstIPAddr,L4Protocol,SrcPort,DstPort
  ESP (Type-P)
    4-tuple: SrcIPAddr,DstIPAddr,L4Protocol,SPI
  ICMP ECHO (Type-P1-P2)
    7-tuple: SrcIPAddr,DstIPAddr,L4P,type,code,id,seq
    where the type is either ECHO REQUEST or REPLY.
  ICMP INFO TYPE (Type-P1-P2)
    5-tuple: SrcIPAddr,DstIPAddr,L4P,type,code
    where the type is either REQUEST or REPLY.
  ICMP UNREACHABLE/REDIRECT (Type-P1-P2)
    Mapped to any supported Argus flow type.
    6-tuple: SrcIPAddr,DstIPAddr,L4P,type,code,object
  IGMP (Type-P)
    4-tuple: SrcIPAddr,DstIPAddr,L4P,type
Layer 3 (IPv4) (Type-P)
  3-tuple: SrcIPAddr,DstIPAddr,L4Protocol
  Fragments (Type-P1-P2)
    Mapped to any supported Argus flow type.
  Fragments (Type-P)
    4-tuple: SrcIPAddr,DstIPAddr,L4Protocol,ip_id
Layer 2
  LLC SNAP Encapsulation (Type-P)
    5-tuple: SrcMACAddr,DstMACAddr,L3Proto,SrcSAP,DstSAP
  ARP (Type-P1-P2)
    3-tuple: ARP_SPA,ARP_TPA,EAddr
    where the EAddr value is either the SrcMACAddr of the REQUEST or the DstMACAddr of the REPLY.
  All other traffic (Type-P)
    3-tuple: SrcMACAddr,DstMACAddr,L3Protocol
This schema provides a comprehensive flow tracking strategy that
accounts for every packet on a traditional LAN.
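The following Python sketch is an added example, not Argus code, that shows how the two rules above work together: models are tried in precedence order (TCP/UDP 5-tuple, ESP 4-tuple, ICMP ECHO 7-tuple, IPv4 3-tuple, then the Layer 2 3-tuple), and the Src/Dst identifiers are put into a canonical order so that both halves of a conversation, or an ICMP ECHO REQUEST and its REPLY, land on one flow record. The packet field names (src_ip, sport, icmp_type, eth_type and so on), the IANA protocol numbers and the sample packets are this example's own constructions; the RTP, IGMP, fragment, LLC SNAP and ARP models from the list are omitted for brevity.

```python
from typing import Any, Dict, Tuple

# Assumed IANA protocol and ICMP type numbers (not stated on the page).
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ESP = 1, 6, 17, 50
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def _canonical(src, dst):
    """Order two endpoints so A->B and B->A yield the same pair.

    Returns (pair, reversed); reversed is True when the packet's source
    sorts second. Plain string ordering is enough for an illustration;
    a real monitor would compare packed addresses.
    """
    if src <= dst:
        return (src, dst), False
    return (dst, src), True


def flow_key(pkt: Dict[str, Any]) -> Tuple[Tuple, bool]:
    """Return (key, reverse) for one decoded packet, in precedence order.

    reverse marks the packet as belonging to the second direction of a
    bi-directional flow, so the two halves share a key but stay distinguishable.
    """
    if "src_ip" not in pkt:
        # Layer 2 "all other traffic": SrcMACAddr, DstMACAddr, L3Protocol.
        (m1, m2), rev = _canonical(pkt["src_mac"], pkt["dst_mac"])
        return ("l2", m1, m2, pkt["eth_type"]), rev

    proto = pkt["ip_proto"]

    if proto in (PROTO_TCP, PROTO_UDP) and "sport" in pkt:
        # Layer 4 5-tuple: address and port are swapped together.
        (e1, e2), rev = _canonical((pkt["src_ip"], pkt["sport"]),
                                   (pkt["dst_ip"], pkt["dport"]))
        return ("l4", proto, e1, e2), rev

    if proto == PROTO_ESP and "spi" in pkt:
        # ESP 4-tuple: SrcIPAddr, DstIPAddr, L4Protocol, SPI.
        (a1, a2), rev = _canonical(pkt["src_ip"], pkt["dst_ip"])
        return ("esp", a1, a2, pkt["spi"]), rev

    if proto == PROTO_ICMP and pkt.get("icmp_type") in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        # ICMP ECHO 7-tuple: the type carries the direction (REQUEST vs REPLY),
        # while code, id and seq tie a reply to its request.
        (a1, a2), _ = _canonical(pkt["src_ip"], pkt["dst_ip"])
        rev = pkt["icmp_type"] == ICMP_ECHO_REPLY
        return ("icmp_echo", a1, a2, pkt["icmp_code"], pkt["icmp_id"], pkt["icmp_seq"]), rev

    # Layer 3 (IPv4) 3-tuple for protocols with no more specific model.
    (a1, a2), rev = _canonical(pkt["src_ip"], pkt["dst_ip"])
    return ("l3", a1, a2, proto), rev


def track_flows(packets) -> Dict[Tuple, Dict[str, int]]:
    """Aggregate per-flow packet counts for each direction."""
    flows: Dict[Tuple, Dict[str, int]] = {}
    for pkt in packets:
        key, rev = flow_key(pkt)
        rec = flows.setdefault(key, {"fwd_pkts": 0, "rev_pkts": 0})
        rec["rev_pkts" if rev else "fwd_pkts"] += 1
    return flows


# Constructed sample packets (decoded header fields only).
SAMPLE_PACKETS = [
    # TCP client -> server and the server's reply: one flow, two directions.
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "ip_proto": 6, "sport": 51000, "dport": 443},
    {"src_ip": "192.0.2.10", "dst_ip": "10.0.0.5", "ip_proto": 6, "sport": 443, "dport": 51000},
    # ICMP ECHO REQUEST and its REPLY with matching id and seq.
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "ip_proto": 1,
     "icmp_type": 8, "icmp_code": 0, "icmp_id": 7, "icmp_seq": 1},
    {"src_ip": "192.0.2.10", "dst_ip": "10.0.0.5", "ip_proto": 1,
     "icmp_type": 0, "icmp_code": 0, "icmp_id": 7, "icmp_seq": 1},
    # ESP in one direction (each IPsec SA direction has its own SPI).
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "ip_proto": 50, "spi": 0x1a2b3c4d},
    # Protocol 47 (GRE) has no Layer 4 model here, so it falls back to the 3-tuple.
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "ip_proto": 47},
    # Non-IP frame (LLDP ethertype) handled by the Layer 2 3-tuple.
    {"src_mac": "aa:bb:cc:00:00:01", "dst_mac": "aa:bb:cc:00:00:02", "eth_type": 0x88CC},
]

if __name__ == "__main__":
    for key, rec in track_flows(SAMPLE_PACKETS).items():
        print(key, rec)
```

Seven packets collapse into five flows; the TCP pair and the ICMP echo pair each show one packet in each direction, which is the bi-directional matching the page describes. The fallback order is what decides which model a packet gets, so a tuple that is tried too early (for example a 5-tuple applied to a packet whose transport header is missing) silently produces a different flow than intended.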