ra.c question

Carter Bullard carter at qosient.com
Sat Feb 10 08:43:59 EST 2001 

Hey David,
   This "swap" is done for the -A option on the command
line, report application bytes.

   With the tcp we've got two application byte counters.
For the src there is argus->argus_far.src.appbytes and
tcp->ackbytes.  The first is how many bytes were presented
and the second is how many bytes were acknowledged.
The best number is the acknowledged number, which is
referred to as "goodput" the amount of data that was
successful.  The other number is application "throughput"
or load, how much was sent.  So when we have retransmissions,
or packet loss, these two number will probably be different,
unless the packet loss involved TCP control packets, like
an ACK without data.

   Which number we report for the Aflag, is really a matter
of preference for TCP.  We have appbytes for all the other
protocols, but only ackbytes for TCP. 

   The section of code that you sent was from racount.c,
but ra.c uses the appbytes, like all the other routines.
We should make them consistent.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134

> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of David Brumley
> Sent: Friday, February 09, 2001 7:09 PM
> To: argus at lists.andrew.cmu.edu
> Subject: ra.c question
> 
> 
> Hi,
> I'm a bit unclear in ra.c process_tcp what this logic is for:
>    this_src_bytes = argus->argus_far.src.bytes;
>    this_dst_bytes = argus->argus_far.dst.bytes;
> 
>    if (Aflag && (tcp != NULL)) {
>       this_src_bytes = tcp->src.ackbytes;
>       this_dst_bytes = tcp->dst.ackbytes;
>    }
> 
> does argus_far.dst.bytes not always report the correct number of
> bytes?
> 
> -david
> 
> -- 
> #+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+
> --+#+--+#
> David Brumley - Stanford Computer Security -   dbrumley at 
> Stanford.EDU
> Phone: +1-650-723-2445           WWW: 
> http://www.stanford.edu/~dbrumley
> Fax:   +1-650-725-9121  PGP: finger dbrumley-pgp at 
> sunset.Stanford.EDU
> #+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+
> --+#+--+#
> Life is a whim of several billion cells to be you for a while.
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20010210/0f7c36ae/attachment.html>

More information about the argus mailing list