Question on Argus byte counts
Peter Van Epp
vanepp at sfu.ca
Mon Apr 25 11:03:21 EDT 2005
Argus is counting the IP data in the packets (not total frame length).
These will be undersized packets that are padded to meet the minimum ethernet
frame size.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
On Sun, Apr 24, 2005 at 06:54:58PM -0400, Richard Bejtlich wrote:
> Hello,
>
> Perhaps someone can answer what is hopefully a dumb question. Here is
> an extract from some Argus data I collected last year:
>
> ra -nn -L0 -r 20040831-145316.fedorov.em1.arg
> StartTime Flgs Type SrcAddr Sport Dir DstAddr Dport SrcPkt DstPkt SrcBytes DstBytes State
>
> 31 Aug 04 14:53:17 tcp 8.5.153.35.42935 -> 4.10.194.169.445 1 1 62 54 RST
> 31 Aug 04 14:53:17 tcp 8.5.153.35.42935 -> 4.10.194.169.445 1 1 62 54 RST
> 31 Aug 04 14:53:22 tcp 8.5.153.35.42814 -> 4.27.181.229.445 1 1 62 54 RST
>
> As I understand it, the SrcBytes and DstBytes should count the size of
> the frame, not including the FCS. (I assume Argus doesn't count the
> four byte FCS at the end of the frame.) This would make the packets
> sent by the source in these three cases each 66 bytes (62 + 4 FCS = 66
> bytes). All three are above the Ethernet minimum frame size of 64
> bytes, which starts counting at the destination MAC address and ends
> with the FCS, inclusive.
>
> I do not understand how the destination address in each of the three
> sessions above sent frames that are 54 + 4 FCS = 58 bytes. I have
> multiple records like this.
>
> Can anyone explain why this is?
>
> Thank you,
>
> Richard
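The arithmetic behind the reply above, worked through on records of the shape quoted in the question. This is an added example, not Argus code or the poster's; it assumes that SrcBytes/DstBytes are the captured packet lengths with no FCS and no link-layer padding, and that the 64-byte Ethernet minimum includes the FCS (so a NIC pads anything shorter than 60 bytes before appending it). The sample records are constructed to match the quoted ones.

```python
"""Reconcile Argus per-flow byte counts with Ethernet wire lengths.

Added example, not Argus code. Assumptions (not stated on the page):
SrcBytes/DstBytes are the captured lengths of the packets, which exclude
the 4-byte FCS and any link-layer padding; Ethernet's 64-byte minimum
frame includes the FCS, so the NIC pads anything shorter than 60 bytes.
"""

ETH_MIN_FRAME = 64                           # minimum frame on the wire, incl. FCS
FCS_LEN = 4
ETH_MIN_BEFORE_FCS = ETH_MIN_FRAME - FCS_LEN  # 60: shortest frame the NIC will emit

# Constructed sample in the shape of `ra -nn -L0` output.
# 54 = 14 (Ethernet) + 20 (IPv4) + 20 (TCP, no options), the smallest TCP
# segment; 62 is consistent with the same headers plus 8 bytes of TCP options.
SAMPLE = """\
StartTime Flgs Type SrcAddr Sport Dir DstAddr Dport SrcPkt DstPkt SrcBytes DstBytes State
31 Aug 04 14:53:17 tcp 8.5.153.35.42935 -> 4.10.194.169.445 1 1 62 54 RST
31 Aug 04 14:53:22 tcp 8.5.153.35.42814 -> 4.27.181.229.445 1 1 62 54 RST
"""


def parse_record(line):
    """Parse one ra record into a dict; return None for the header or blank lines.

    The timestamp is four tokens ("31 Aug 04 14:53:17"); the last nine columns
    are fixed, and anything in between is the optional Flgs column.
    """
    tok = line.split()
    if len(tok) < 13 or not tok[0].isdigit():
        return None
    *flags, proto, src, direction, dst, spkts, dpkts, sbytes, dbytes, state = tok[4:]
    return {
        "time": " ".join(tok[:4]),
        "flags": "".join(flags),
        "proto": proto,
        "src": src,
        "dir": direction,
        "dst": dst,
        "srcpkts": int(spkts),
        "dstpkts": int(dpkts),
        "srcbytes": int(sbytes),
        "dstbytes": int(dbytes),
        "state": state,
    }


def padding(captured_len):
    """Bytes the NIC appends so the frame reaches the Ethernet minimum."""
    return max(0, ETH_MIN_BEFORE_FCS - captured_len)


def wire_length(captured_len):
    """Frame length actually on the wire: padded to the minimum, plus the FCS."""
    return captured_len + padding(captured_len) + FCS_LEN


def analyse(text):
    """For each record, derive per-packet padding and wire length in both directions."""
    out = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        for side in ("src", "dst"):
            pkts = rec[side + "pkts"]
            if pkts == 0:
                rec[side + "_padding"] = rec[side + "_wire"] = None
                continue
            avg = rec[side + "bytes"] / pkts      # average captured length per packet
            rec[side + "_padding"] = padding(avg)
            rec[side + "_wire"] = wire_length(avg)
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in analyse(SAMPLE):
        print(f"{r['time']} {r['src']} -> {r['dst']}: "
              f"src {r['srcbytes']}B captured -> {r['src_wire']:.0f}B on wire "
              f"(pad {r['src_padding']:.0f}); "
              f"dst {r['dstbytes']}B captured -> {r['dst_wire']:.0f}B on wire "
              f"(pad {r['dst_padding']:.0f})")
```

Run against the sample, the 62-byte source packets come out at 66 bytes on the wire as the question computed, while the 54-byte replies are padded by 6 bytes to the 60-byte minimum and arrive as 64-byte frames, not 58. The same calculation applies to any flow where bytes/pkts falls below 60.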