Does argus record the IP ID field?
Carter Bullard
carter at qosient.com
Thu Apr 26 10:57:54 EDT 2001
Hey Russell,
For all IP flows we track the ip_id, but we only report it
currently for some ICMP flows and fragmentOnly flows.
Adding it is not a problem at all. There is a place for
one ip_id in the basic IP flow descriptor. But that would
be only one ip_id. In this case we could report the last src
or dst ip_id or just the last ip_id seen on the flow (either
src or dst).
If you want the ip_id for both directions, I only have
to make a small change to the FlowAttributes data structure.
This will generate a version issue, but I can handle that
without any trouble. In this case would you want the
last ip_id seen or the first one seen for the period?
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of Russell
> Fulton
> Sent: Wednesday, April 25, 2001 9:16 PM
> To: Argus (E-mail)
> Subject: Does argus record the IP ID field?
>
>
> Subject says it all. I am tracking some weird traffic, one of the
> characteristics is that all packets from several different sources have
> the same IP ID. I have been capturing samples using tcpdump and I am
> now going back through my archived data to see when this started.
> Having the ID would help positively identify the traffic.
>
> Cheers, Russell
>
>
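An added example, not part of the original thread and not Argus code: a small tracker that keeps the first and last ip_id for each direction of a flow (the choice discussed in the reply) and reports ip_id values shared by several distinct sources (the trait described in the question). The function names, the flow key and the `min_sources` threshold are assumptions made for illustration, and the packets are constructed sample headers.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def ipv4_header(src, dst, ip_id, proto=6):
    """Build a constructed IPv4 header for the sample (checksum left as 0)."""
    return struct.pack(IP_HDR, 0x45, 0, 20, ip_id, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, proto, ip_id), or None if this is not an IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    f = struct.unpack(IP_HDR, pkt[:20])
    return str(IPv4Address(f[8])), str(IPv4Address(f[9])), f[6], f[3]

def track(packets):
    """Record [first, last] ip_id per flow direction and the sources seen per ip_id."""
    flows, sources_by_id = {}, defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        src, dst, proto, ip_id = parsed
        sources_by_id[ip_id].add(src)
        key = (min(src, dst, key=IPv4Address), max(src, dst, key=IPv4Address), proto)
        # The sender of the first packet seen is treated as the flow's "src" side.
        flow = flows.setdefault(key, {"origin": src, "src": None, "dst": None})
        side = "src" if src == flow["origin"] else "dst"
        if flow[side] is None:
            flow[side] = [ip_id, ip_id]
        else:
            flow[side][1] = ip_id
    return flows, sources_by_id

def shared_ids(sources_by_id, min_sources=3):
    """ip_id values used by at least min_sources distinct source addresses."""
    return {i: sorted(s, key=IPv4Address) for i, s in sources_by_id.items() if len(s) >= min_sources}

# Constructed sample: one ordinary two-way flow, then three sources all sending ip_id 0x1234.
ODD_SOURCES = ["192.0.2.10", "198.51.100.7", "203.0.113.5"]
SAMPLE = [ipv4_header("192.0.2.20", "192.0.2.1", 100), ipv4_header("192.0.2.1", "192.0.2.20", 5000),
          ipv4_header("192.0.2.20", "192.0.2.1", 101), ipv4_header("192.0.2.1", "192.0.2.20", 5001)]
SAMPLE += [ipv4_header(s, "192.0.2.1", 0x1234) for s in ODD_SOURCES for _ in range(2)]

if __name__ == "__main__":
    flows, by_id = track(SAMPLE)
    print(flows[("192.0.2.1", "192.0.2.20", 6)])
    print(shared_ids(by_id))
```

Some IP stacks send ID 0 on packets with DF set, so a shared value of 0 on its own is weak evidence.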