Question about byte/packet counts
Peter Van Epp
vanepp at sfu.ca
Wed Jul 24 19:18:13 EDT 2002
Try removing the -A. If there is no traffic back (except acks)
application data may well be 0 (without the A you should see ack traffic back
as well). Other than that the likely answer is different flows in the other
direction for some reason (that is more usually an IPsec problem, but a proxy
might be doing funnies). When all else fails there is also the sniffer and/or
tcpdump to grab whats on the wire and make sure that agrees with argus, bugs
aren't impossible after all :-).
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> No filters on argus, on ra, as shown in my example, I filter in port 8082. However, the symptoms show without a filter as well, as in this example (note that the problems expands from no packet/byte count for dest, to occasional no packet/byte count for source). I suspect I'm just missing something, but what:
> $ ra -zr argus-20020724-17:34:11 -Ac
> 24 Jul 02 17:34:18 tcp x.y.248.19.3492 -> termitee.8080 5 0 711 0 sEf
> 24 Jul 02 17:34:19 tcp x.y.248.19.3499 -> termitee.8080 5 0 713 0 sEf
> 24 Jul 02 17:34:19 tcp termitee.57882 -> fireflye.8082 0 5 0 66 SEf
> 24 Jul 02 17:34:19 tcp termitee.57883 -> bee.8082 0 5 0 66 SEf
> 24 Jul 02 17:34:19 tcp x.y.248.19.3500 -> termitee.8080 5 0 710 0 sEf
> 24 Jul 02 17:34:19 tcp termitee.57884 -> bee.8082 0 5 0 66 SEf
> 24 Jul 02 17:34:19 tcp x.z.240.13.2341 -> termitee.8080 25 0 805 0 sEf
> 24 Jul 02 17:34:19 tcp x.y.248.19.3501 -> termitee.8080 6 0 629 0 sEf
> On 25 Jul 2002 10:23:14 +1200, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> >On Thu, 2002-07-25 at 10:09, wozz at 0xdeadbeef.org wrote:
> >> As you can see, the only packet/byte counts are for the flow destination. Now, while the destination packet/byte counts should be higher than the source (these are web proxies after all), it shouldn't be infinately so ;)
> >> Any idea whats going on?
> >Hmmm... the byte counts *might* be right if you have used -A
> >(applications bytes) but the packet counts are definitly screwy.
> >What filters and flags were you using on ra and argus. Is it possible
> >that you are filtering out traffic in the other direction?
> >Cheers, Russell.
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
> -----END PGP SIGNATURE-----
More information about the argus