Does argus record the IP ID field?

Russell Fulton r.fulton at auckland.ac.nz
Thu Apr 26 17:12:21 EDT 2001


Hi Carter,

On Thu, 26 Apr 2001 10:57:54 -0400 Carter Bullard <carter at qosient.com> 
wrote:

> Hey Russell,
>    For all IP flows we track the ip_id, but we only report it
> currently for some ICMP flows and fragmentOnly flows.
> 
>    Adding it is not a problem at all.  There is a place for
> one ip_id in the basic IP flow descriptor.  But that would
> be only one ip_id.  In this case we could report the last src
> or dst ip_id or just the last ip_id seen on the flow, (either
> src or dst).

In most cases I can think of where I would be interested in the IP ID,
the flows will be single packet flows, often SYNs. So recording the
source IP ID would be adequate for my current needs.  If it is recorded
now, a patch for raxml to display it would be great!

Thanks!

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


