Application flooding with zero-byte packets...
Peter Van Epp
vanepp at sfu.ca
Thu Apr 5 15:55:21 EDT 2007
On Thu, Apr 05, 2007 at 05:25:53PM +0000, real.melancon at videotron.ca wrote:
> Hello List,
>
> This question is not related to Argus specifically. But we have an application flooding a server with zero-byte packets over a specific TCP port. How would I identify it with Argus?
>
> Thanks.
> Real.
>
> ____________________________
> Réal Melançon

I assume you mean 0 payload bytes in the frame (because a 0 byte
frame wouldn't route :-)) and that you don't know the source IP or port number
which is presumably what you want to find. In that case you probably want to
compare the output of "ra -r file" and "ra -r file -A". The
first will give you the size of the entire packet and the second will give you
only the application data layer (which should be 0 in this case). The machine
/ port you want will be the one with a large value in the first instance
(lots of packets but no data). Note this will also catch TCP ACK packets
but I'd expect them to be distributed across port numbers and the traffic
of interest should be at the top of the list (lots of packets to one
specific IP port). This trick also works well for assessing packet loss.
In the no loss case the first value should be about 10% higher than the
second; in a high loss situation there will be many more packets / data
in the first case than goodput in the second.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
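The comparison Peter describes (wire bytes versus application bytes per destination IP and port, then ranking by packet count, and using the ratio of the two as a loss indicator) as an added Python example. This is not code from the original thread or from the argus project; the flow records, their field names and the 10%-overhead threshold are constructed assumptions standing in for the two `ra` listings, not argus's actual output format.

```python
"""Rank destinations by packets that carry no application payload, and
flag flows whose wire bytes far exceed their goodput.

Constructed example, not argus output: each Flow mimics one per-flow
summary line, with `bytes` standing in for the plain "ra -r file" view
and `appbytes` for the "ra -r file -A" (application data only) view.
Field names are an assumption for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    saddr: str
    sport: int
    daddr: str
    dport: int
    pkts: int       # packets seen in the flow
    bytes: int      # full frame bytes (the "ra -r file" figure)
    appbytes: int   # application payload bytes (the "-A" figure)


# Constructed sample: one zero-payload flooder, one normal web transfer,
# a handful of bare ACKs, and one transfer suffering heavy retransmission.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 43000, "192.0.2.10", 8080, pkts=50000, bytes=3_000_000, appbytes=0),
    Flow("10.0.0.7", 51000, "192.0.2.10", 80, pkts=120, bytes=90_000, appbytes=82_000),
    Flow("10.0.0.8", 52000, "192.0.2.20", 443, pkts=40, bytes=2_400, appbytes=0),
    Flow("10.0.0.9", 53000, "192.0.2.30", 22, pkts=5000, bytes=4_000_000, appbytes=2_000_000),
]


def rank_zero_payload(flows):
    """Aggregate flows with zero application bytes per (daddr, dport).

    Returns [((daddr, dport), pkts, bytes), ...] sorted by packet count,
    largest first. Bare ACK traffic lands here too, but as the post notes it
    spreads across ports, so the flooder rises to the top of the list.
    """
    agg = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.appbytes == 0:
            agg[(f.daddr, f.dport)][0] += f.pkts
            agg[(f.daddr, f.dport)][1] += f.bytes
    return sorted(
        ((key, pkts, nbytes) for key, (pkts, nbytes) in agg.items()),
        key=lambda item: item[1],
        reverse=True,
    )


def wire_to_goodput_ratio(flow):
    """Wire bytes divided by application bytes; infinite when no payload."""
    if flow.appbytes == 0:
        return float("inf")
    return flow.bytes / flow.appbytes


def suspect_loss(flow, expected_overhead=0.10, slack=0.05):
    """True when the wire/goodput ratio exceeds the headers-only overhead.

    The ~10% figure is the post's rule of thumb for a loss-free flow; the
    extra slack is an assumption to avoid flagging ordinary variation.
    """
    return wire_to_goodput_ratio(flow) > 1.0 + expected_overhead + slack


if __name__ == "__main__":
    for (daddr, dport), pkts, nbytes in rank_zero_payload(SAMPLE_FLOWS):
        print(f"{daddr}:{dport}  pkts={pkts}  bytes={nbytes}  appbytes=0")
    for f in SAMPLE_FLOWS:
        if f.appbytes:
            print(f"{f.saddr}:{f.sport}->{f.daddr}:{f.dport} "
                  f"ratio={wire_to_goodput_ratio(f):.2f} loss_suspect={suspect_loss(f)}")
```

Run the script on its built-in sample and the 8080 destination heads the zero-payload list by a wide margin while the port 443 ACKs sit far below it; the port 80 transfer comes out near the 10% overhead the post expects, and the port 22 transfer, at twice its goodput, is flagged as a loss candidate.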