Question on Argus byte counts
    Richard Bejtlich
    taosecurity at gmail.com
    Sun Apr 24 18:54:58 EDT 2005

Hello,
Perhaps someone can answer what is hopefully a dumb question.  Here is
an extract from some Argus data I collected last year:
ra -nn -L0 -r 20040831-145316.fedorov.em1.arg
    StartTime        Flgs   Type     SrcAddr     Sport Dir     DstAddr     Dport SrcPkt   DstPkt    SrcBytes     DstBytes    State
31 Aug 04 14:53:17           tcp    8.5.153.35.42935  ->   4.10.194.169.445   1        1         62           54          RST
31 Aug 04 14:53:17           tcp    8.5.153.35.42935  ->   4.10.194.169.445   1        1         62           54          RST
31 Aug 04 14:53:22           tcp    8.5.153.35.42814  ->   4.27.181.229.445   1        1         62           54          RST
As I understand it, the SrcBytes and DstBytes should count the size of
the frame, not including the FCS.  (I assume Argus doesn't count the
four byte FCS at the end of the frame.)  This would make the packets
sent by the source in these three cases each 66 bytes (62 + 4 FCS = 66
bytes).  All three are above the Ethernet minimum frame size of 64
bytes, which starts counting at the destination MAC address and ends
with the FCS, inclusive.
I do not understand how the destination address in each of the three
sessions above sent frames that are 54 + 4 FCS = 58 bytes.  I have
multiple records like this.
Can anyone explain why this is?
Thank you,
Richard
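An added worked example (my own code, not from the list or from the Argus project) that parses the ra output quoted above, applies the frame-size arithmetic from the question, and flags each direction whose reported per-packet count would fall under the 64-byte Ethernet minimum once the FCS is added. The 54 the question asks about is exactly 14 + 20 + 20, the size of an Ethernet header plus an IPv4 header plus a TCP header with no options and no payload, which is what a bare RST looks like; a sender pads such a frame to 60 bytes before the FCS, but that padding belongs to the Ethernet layer, not to the IP datagram, so a counter that works from the IP or TCP layer, or a capture taken before padding is applied, will see 54. The header sizes are standard constants; the sample lines are the post's three records re-joined onto single lines (the archive wrapped them), and all function and field names are my own.

```python
import re
from dataclasses import dataclass

# Standard header sizes in bytes. Per the post, Argus counts exclude the FCS.
ETH_HDR = 14          # dst MAC + src MAC + EtherType
IPV4_HDR_MIN = 20     # IPv4 header without options
TCP_HDR_MIN = 20      # TCP header without options
FCS = 4               # trailing CRC appended by the NIC
ETH_MIN_FRAME = 64    # minimum Ethernet frame, dst MAC through FCS inclusive
ETH_MIN_BEFORE_FCS = ETH_MIN_FRAME - FCS   # 60 bytes; shorter frames are padded by the sender

# Constructed sample: the three records from the post, each re-joined onto one line.
# The header line is included to show that parse_ra() skips it.
SAMPLE_RA_OUTPUT = """\
    StartTime        Flgs   Type     SrcAddr     Sport Dir     DstAddr     Dport SrcPkt   DstPkt    SrcBytes     DstBytes    State
31 Aug 04 14:53:17           tcp    8.5.153.35.42935  ->   4.10.194.169.445   1        1         62           54          RST
31 Aug 04 14:53:17           tcp    8.5.153.35.42935  ->   4.10.194.169.445   1        1         62           54          RST
31 Aug 04 14:53:22           tcp    8.5.153.35.42814  ->   4.27.181.229.445   1        1         62           54          RST
"""

# One ra record. The Flgs column is empty in the sample, so Type follows StartTime directly.
RA_LINE = re.compile(
    r"^(?P<start>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dir>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<spkt>\d+)\s+(?P<dpkt>\d+)\s+(?P<sbytes>\d+)\s+(?P<dbytes>\d+)\s+"
    r"(?P<state>\S+)\s*$"
)


@dataclass
class RaRecord:
    start: str
    proto: str
    src: str
    dst: str
    src_pkts: int
    dst_pkts: int
    src_bytes: int
    dst_bytes: int
    state: str


def parse_ra(text):
    """Parse ra's column text output; the header and any non-record lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RA_LINE.match(line.strip())
        if not m:
            continue
        records.append(RaRecord(
            start=m["start"], proto=m["proto"], src=m["src"], dst=m["dst"],
            src_pkts=int(m["spkt"]), dst_pkts=int(m["dpkt"]),
            src_bytes=int(m["sbytes"]), dst_bytes=int(m["dbytes"]),
            state=m["state"],
        ))
    return records


def bare_tcp_segment_size():
    """Smallest TCP packet on Ethernet: headers only, no options, no payload (54 bytes)."""
    return ETH_HDR + IPV4_HDR_MIN + TCP_HDR_MIN


def on_wire_size(argus_bytes):
    """Bytes that actually cross the wire for a packet Argus reports as argus_bytes:
    the sender pads anything shorter than 60 bytes, then the 4-byte FCS is appended."""
    return max(argus_bytes, ETH_MIN_BEFORE_FCS) + FCS


def audit(records):
    """For each record and direction, compare the per-packet Argus count with the
    Ethernet minimum and note when it equals a headers-only RST."""
    findings = []
    for r in records:
        for side, pkts, nbytes in (("src", r.src_pkts, r.src_bytes),
                                   ("dst", r.dst_pkts, r.dst_bytes)):
            if pkts == 0:
                continue
            per_pkt = nbytes // pkts
            findings.append({
                "src": r.src, "dst": r.dst, "side": side,
                "argus_bytes": per_pkt,
                "below_min_frame": per_pkt + FCS < ETH_MIN_FRAME,
                "headers_only_rst": r.state == "RST" and per_pkt == bare_tcp_segment_size(),
                "on_wire": on_wire_size(per_pkt),
            })
    return findings


if __name__ == "__main__":
    for f in audit(parse_ra(SAMPLE_RA_OUTPUT)):
        print(f)
```

Run as a script it prints six findings, one per direction of each record: the 62-byte source packets come out at 66 bytes on the wire and are not flagged, while each 54-byte destination packet is flagged as below the minimum frame size and as a headers-only RST, with an on-wire size of 64 once padding and FCS are included.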