Question about byte/packet counts
wozz+argus at wookie.net
Wed Jul 24 22:03:02 EDT 2002
On Wed, Jul 24, 2002 at 09:09:30PM -0400, Carter Bullard wrote:
> Hey Wozz,
> I'm not really sure what the actual issue is, but
> I suspect that it's the direction indicator going in
> one direction but the byte/packets are going in the
> other.
>
> If so, I can explain that. The tcp traffic that
> is generating this scenario all have SynAck's ('S')
> without Syn's ('s'). Argus tries to faithfully report
> who was the originator of the TCP connection, even
> in the presence of packet loss or asymmetric routing,
> so when it sees SynAck as the first packet, it reverses
> the source and destination semantics, indicating that
> the originator of the connection must have been the
> dst address of this flow. As a result, you'll get the
> direction arrow, which indicates the initiator/receiver
> relationship, going in one direction, but the data seems
> to be going the other way.
>
> Is this close to your question?
>
Except the traffic does have plain old Syn's. The traffic looks normal
with a sniffer. I will demonstrate tomorrow when I'm back in the office by
showing a packet dump along with the resultant argus records.
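To make the heuristic Carter describes concrete, here is a small constructed illustration (added to this archive page; it is not Argus source code and the flag letters and field names are assumed from the mail): a flow summariser that, when the first packet it sees is a SYN-ACK with no prior SYN, treats the packet's destination as the connection originator. On a fully captured handshake the initiator and the byte counts line up; when only the server-to-client direction is captured (asymmetric routing or loss), the direction arrow still points client to server while every byte is counted in the reverse direction, which is exactly the "arrow one way, data the other" appearance.

```python
from dataclasses import dataclass

# Flag letters follow the mail's convention: 's' = SYN seen, 'S' = SYN-ACK seen.
# Packet and FlowRecord are constructed for this illustration, not Argus types.


@dataclass
class Packet:
    src: str
    dst: str
    syn: bool
    ack: bool
    length: int  # bytes on the wire, constructed values


@dataclass
class FlowRecord:
    initiator: str
    responder: str
    flags: str
    bytes_fwd: int = 0  # initiator -> responder
    bytes_rev: int = 0  # responder -> initiator


def summarize(packets):
    """Infer initiator/responder from the first packet seen.

    If the first packet is a SYN-ACK (no SYN observed before it), its
    sender must be the responder, so source/destination semantics are
    reversed for the whole flow, as the quoted explanation describes.
    """
    if not packets:
        raise ValueError("empty flow")
    first = packets[0]
    if first.syn and first.ack:
        # SYN-ACK first: the originator must be this packet's destination
        initiator, responder = first.dst, first.src
    else:
        initiator, responder = first.src, first.dst

    rec = FlowRecord(initiator=initiator, responder=responder, flags="")
    seen = set()
    for p in packets:
        if p.syn and not p.ack:
            seen.add("s")
        elif p.syn and p.ack:
            seen.add("S")
        # Byte counts are attributed relative to the inferred initiator
        if p.src == initiator:
            rec.bytes_fwd += p.length
        else:
            rec.bytes_rev += p.length
    rec.flags = "".join(f for f in "sS" if f in seen)
    return rec


def describe(rec):
    """Render the record with an argus-like direction arrow."""
    return (f"{rec.initiator} -> {rec.responder} flags={rec.flags} "
            f"fwd={rec.bytes_fwd} rev={rec.bytes_rev}")


# Constructed sample: a complete handshake captured in both directions
FULL_CAPTURE = [
    Packet("10.0.0.5", "192.0.2.10", syn=True, ack=False, length=60),
    Packet("192.0.2.10", "10.0.0.5", syn=True, ack=True, length=60),
    Packet("10.0.0.5", "192.0.2.10", syn=False, ack=True, length=52),
    Packet("10.0.0.5", "192.0.2.10", syn=False, ack=True, length=500),
    Packet("192.0.2.10", "10.0.0.5", syn=False, ack=True, length=3000),
]

# Constructed sample: only the server-to-client direction was captured,
# so the first packet seen is the SYN-ACK
ONE_SIDED_CAPTURE = [
    Packet("192.0.2.10", "10.0.0.5", syn=True, ack=True, length=60),
    Packet("192.0.2.10", "10.0.0.5", syn=False, ack=True, length=3000),
]

if __name__ == "__main__":
    print(describe(summarize(FULL_CAPTURE)))
    print(describe(summarize(ONE_SIDED_CAPTURE)))
```

In the one-sided case the record still reads `10.0.0.5 -> 192.0.2.10`, but `fwd` is zero and all 3060 bytes land in `rev`. When checking a suspicious record, the flag string is the first thing to look at: an `S` without an `s` is the signature of this reversal, whereas a record that shows `sS` and still has inverted counts points at something other than this heuristic.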