ra bug for fragment output?

Carter Bullard carter at qosient.com
Thu Feb 22 19:21:10 EST 2001


Hey Clauss,
   I'm inclined to keep the rtp label in the proto field, for
some stupid reason.  rtp is a special case for streaming video and
audio, including IP Telephony, and I'd like to have some way
of knowing its rtp on the ra output line.  There is nothing in
a traditional 5-tuple flow model that will tell you, so I need
something.

   I've just got to fix the printing of the label, so that its
reliable.

   The extra status field comes from a bit mask.  In your case
Argus's RTP discovery thinks it is or could be an RTP flow.
And you've got ICMP_MAPPED, which means that an ICMP packet was
returned as a part of this flow.  Generally means you got an
unreachable back.

Hope this helps,

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134

> -----Original Message-----
> From: Clauss Strauch [mailto:Clauss_Strauch at aquila.fac.cs.cmu.edu]
> Sent: Thursday, February 22, 2001 3:40 PM
> To: Carter Bullard
> Cc: Argus (E-mail)
> Subject: Re: ra bug for fragment output? 
> 
> 
> 	While I'm at it, I'd also like to say that it's 
> probably a bad idea
> in general to overload the protocol field in ra output.  An 
> example is the
> way UDP traffic is labled "rtp" according to some heuristics. 
>  In the raxml 
> output, there is a separate status field (btw, what does 
> "RTP|ICMP_MAPPED" 
> mean?) for this.  Even if it's a bit late to change this 
> behavior at this
> stage of the release, the man page for ra should be corrected 
> to reflect it.
> 
> 					-- Clauss
> 
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20010222/4e3fce98/attachment.html>


More information about the argus mailing list