traceroute flow descriptions

Carter Bullard carter at qosient.com
Fri Jun 23 17:10:20 EDT 2006 

Gentle people,
I was putting together a traceroute packet capture file for the  
repository,
and so I have this capture file, and the argus output, and realized  
that to do
it justice, I needed a readme file to describe what, when, how much,
etc.....

Traceroute is interesting, because it exercises a number of argus
features, and with the right clients, you can track and store path
information for baselining, etc...  Well, in generating the readme, I
realized that I had to describe the packet types and flow types that
are important to traceroute.   Not much in the literature to help in
describing the flows, except maybe the IETF IPPM WG 's stuff on
packet descriptions (Type P, Type P1-P2, etc...).

Well, anyway, I'm working on a flow description scheme, so I can
explain to people how this stuff works, and I've got some examples
I'd like you to comment on.

The notation is by encapsulation layer, which are separated by '.'
so the layers are identified by the protocol, and its parameters, and
optional content proto(param,param)[option].  Here are some examples:

    ip(src address, dst address)[ttl, tos, options]  usually only have 2
    llc(src mac, dst mac)
    mpls(mpls label)[tos,ttl]
    802.11q(vlanid)
    udp(src port, dst port)
    tcp (src port, dst port)[options]
    icmp (src port, dst port, type)[options]

etc.....

Here are the packet types that are involved in traceroute tracking:

    *.ip(A,B).udp(a,b).*  ::  *.ip(B,A).udp(b,a).*
    *.ip(A,B).udp(a,b).*  ::  *.icmp(C,*, TXD)[ip(A,B).udp(a.b)]

A '*' is a widcard encapsulation.   the :: means 'matched with'
and the resulting flow is described as:

       ip(A,B).udp(a,b)


Does this make any sense?  Any discussion/opinions?

Much Thanks!!!!!!!!!!!

Carter

PS Oh yeah, here is some sample output of some traceroute
data that argus will capture, if the traces go by a probe.  The mindur
stat is the most important one, I think.

ra -r traceroute.arg -s startime saddr dir inode sttl avgdur stddev  
mindur maxdur trans
        StartTime              SrcAddr         Dir              Inode  
sTtl     AvgDur     StdDev     MinDur     MaxDur  Trans
05/11/08 10:53:56.687792      207.237.36.98    ->          
10.22.32.1    1   0.006494   0.001986   0.005247   0.010488      6
05/11/08 10:53:56.717143      207.237.36.98    ->      
208.59.211.129    2   0.006371   0.000518   0.005871   0.007371      6
05/11/08 10:53:56.747498      207.237.36.98    ->       
207.172.15.68    3   0.006164   0.000400   0.005497   0.006622      6
05/11/08 10:53:56.777980      207.237.36.98    ->          
4.78.132.5    4   0.005914   0.000258   0.005497   0.006122      6
05/11/08 10:53:56.807836      207.237.36.98    ->          
4.68.97.84    5   0.006352   0.000588   0.005876   0.007496      6
05/11/08 10:53:56.837943      207.237.36.98    ->         
4.68.111.30    6   0.005975   0.000450   0.005496   0.006746      6
05/11/08 10:53:56.868299      207.237.36.98    ->        
152.63.21.82    7   0.006371   0.000379   0.005871   0.006995      6
05/11/08 10:53:56.898780      207.237.36.98    ->        
152.63.68.81    8   0.029025   0.001328   0.027483   0.030607      6
05/11/08 10:53:56.996595      207.237.36.98    ->       
152.63.69.169    9   0.029399   0.001166   0.028356   0.030857      6
05/11/08 10:53:57.097156      207.237.36.98    ->       
65.195.244.54   10   0.043369   0.033349   0.028982   0.111434      6
05/11/08 10:53:57.279043      207.237.36.98    ->          
138.18.1.7   11   0.034855   0.004031   0.032230   0.042850      6
05/11/08 10:53:57.397720      207.237.36.98    ->        
138.18.23.36   12   0.036853   0.004228   0.033356   0.044348      6
05/11/08 10:53:57.513147      207.237.36.98    ->       
134.207.10.73   13   0.036208   0.000798   0.034859   0.037103      6

More information about the argus mailing list