Question about byte/packet counts
Carter Bullard
carter at qosient.com
Wed Jul 24 21:09:30 EDT 2002
Hey Wozz,
I'm not really sure what the actual issue is, but
I suspect that it's the direction indicator going in
one direction but the byte/packets are going in the
other.
If so, I can explain that. The tcp traffic that
is generating this scenario all have SynAck's ('S')
without Syn's ('s'). Argus tries to faithfully report
who was the originator of the TCP connection, even
in the presence of packet loss or assymetric routing,
so when it see's SynAck as the first packet, it reverses
the source and destination sematics, indicating that
the originator of the connection must have been the
dst address of this flow. As a result, you'll get the
direction arrow, which indicates the initiator/receiver
relationship, going in one direction, but the data seems
to be going the other way.
Is this close to your question?
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street
Suite 18K
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> wozz at 0xdeadbeef.org
> Sent: Wednesday, July 24, 2002 7:03 PM
> To: Russell Fulton
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: Re: Question about byte/packet counts
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> No filters on argus, on ra, as shown in my example, I filter
> in port 8082. However, the symptoms show without a filter as
> well, as in this example (note that the problems expands from
> no packet/byte count for dest, to occasional no packet/byte
> count for source). I suspect I'm just missing something, but what:
>
> $ ra -zr argus-20020724-17:34:11 -Ac
> 24 Jul 02 17:34:18 tcp x.y.248.19.3492 ->
> termitee.8080 5 0 711 0
> sEf
> 24 Jul 02 17:34:19 tcp x.y.248.19.3499 ->
> termitee.8080 5 0 713 0
> sEf
> 24 Jul 02 17:34:19 tcp termitee.57882 ->
> fireflye.8082 0 5 0
> 66 SEf
> 24 Jul 02 17:34:19 tcp termitee.57883 ->
> bee.8082 0 5 0
> 66 SEf
> 24 Jul 02 17:34:19 tcp x.y.248.19.3500 ->
> termitee.8080 5 0 710 0
> sEf
> 24 Jul 02 17:34:19 tcp termitee.57884 ->
> bee.8082 0 5 0
> 66 SEf
> 24 Jul 02 17:34:19 tcp x.z.240.13.2341 ->
> termitee.8080 25 0 805 0
> sEf
> 24 Jul 02 17:34:19 tcp x.y.248.19.3501 ->
> termitee.8080 6 0 629 0
> sEf
>
> On 25 Jul 2002 10:23:14 +1200, Russell Fulton
> <r.fulton at auckland.ac.nz> wrote:
> >On Thu, 2002-07-25 at 10:09, wozz at 0xdeadbeef.org wrote:
> >>>
> >> As you can see, the only packet/byte counts are for the
> flow destination. Now, while the destination packet/byte
> counts should be higher than the source (these are web
> proxies after all), it shouldn't be infinately so ;)
> >>
> >> Any idea whats going on?
> >>
> >
> >Hmmm... the byte counts *might* be right if you have used -A
> >(applications bytes) but the packet counts are definitly screwy.
> >
> >What filters and flags were you using on ra and argus. Is
> it possible
> >that you are filtering out traffic in the other direction?
> >
> >Cheers, Russell.
> >
> >
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
>
> wlsEARECABsFAj0/MoIUHHdvenpAMHhkZWFkYmVlZi5vcmcACgkQ1vK8vFo3sjwbrgCg
> paFfU+mUL2OKAYanQrQ+CDcXFdAAoKVMjgIpPIMw/C7QlYr5ikvrZuGc
> =5wxW
> -----END PGP SIGNATURE-----
>
>
>
More information about the argus
mailing list