Question about byte/packet counts
Carter Bullard
carter at qosient.com
Thu Jul 25 09:08:11 EDT 2002
Hey Wozz,
If we can get some packet traces that demonstrate the
problem, I can definitely look to see whats going on!!!!
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street
Suite 18K
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
> -----Original Message-----
> From: wozz+argus at wookie.net [mailto:wozz+argus at wookie.net]
> Sent: Wednesday, July 24, 2002 10:03 PM
> To: Carter Bullard
> Cc: wozz at 0xdeadbeef.org; 'Russell Fulton';
> argus-info at lists.andrew.cmu.edu
> Subject: Re: Re: Question about byte/packet counts
>
>
> On Wed, Jul 24, 2002 at 09:09:30PM -0400, Carter Bullard wrote:
> > Hey Wozz,
> > I'm not really sure what the actual issue is, but
> > I suspect that it's the direction indicator going in
> > one direction but the byte/packets are going in the
> > other.
> >
> > If so, I can explain that. The tcp traffic that
> > is generating this scenario all have SynAck's ('S')
> > without Syn's ('s'). Argus tries to faithfully report
> > who was the originator of the TCP connection, even
> > in the presence of packet loss or assymetric routing,
> > so when it see's SynAck as the first packet, it reverses
> > the source and destination sematics, indicating that
> > the originator of the connection must have been the
> > dst address of this flow. As a result, you'll get the
> > direction arrow, which indicates the initiator/receiver
> > relationship, going in one direction, but the data seems
> > to be going the other way.
> >
> > Is this close to your question?
> >
>
> Except the traffic does have plain old Syn's. The traffic
> looks normal
> with a sniffer. I will demonstrate tomorrow when I'm back in
> the office by
> showing a packet dump along with the resultant argus records.
>
>
More information about the argus
mailing list