TCP header fields

Carter Bullard carter at qosient.com
Thu Aug 9 15:59:41 EDT 2007


Hey Ting-Fang,
For flow attributes that are generally not a part of the flow key, such
as MAC addresses when you're doing classic 5-tuple tracking, you will get the
MAC addresses seen in the first packet. We do this to minimize copying
of potentially large objects on every packet, and this rule applies generally
to encapsulation identifiers, such as addresses, MPLS labels, VLAN tags, etc.

Generally, for metrics we report the value in the last packet monitored on
the flow, with a few exceptions. Some metrics, like stime and the TCP base
sequence number, are specifically the value in the first packet.
But for general attributes, such as ttl, tos, and ip_id, these are all
from the last packet observed. The ip_id is something that changes on
each packet (except for v4 fragments), so we want to know what the
last value is. In some cases the ip_id can be used as a pseudo sequence
number, and so getting the last is a good thing. Changes in ttl and tos
can indicate path changes for a flow, so we want to know the last value
seen. For values that are generated through an accumulation method,
such as what encapsulations are used on the flow, counters and status
fields (i.e. TCP flags values, where we OR the flag values into the reported
value), the value represents all observed until the last packet seen.

The few exceptions to the last-packet-seen rule are the TCP window size,
which is not updated from RST or FIN packets, as these usually have
zero as the window value. Reporting that value is pretty useless. So
for window, you should see the last valid number seen during the
observation period.

There are quite a number of sequence numbers for TCP (base, last observed,
last ack'd, etc.), so the base seq number that argus tracks comes from the
first packet seen in a reporting interval, and the others are generally the
last value seen.

May seem complicated, but it gets the semantics that are useful for a set of
problems. If you see something that seems odd, don't hesitate to discuss it
in email.

Carter



Ting-Fang Yen wrote:
> Hi,
>
> Since Argus produces flow records, I am wondering how the TCP header
> fields, such as TTL, window size, sequence number, etc, are
> determined. Is it set according to the first packet in the flow?
>
> Thanks,
> Ting-Fang
>
>
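The per-attribute update rules described in the reply above, as an added illustration that is not argus source code: a small Python tracker keyed on the classic 5-tuple that keeps encapsulation identifiers (MAC addresses, VLAN tag) from the first packet, overwrites ttl/tos/ip_id from the last packet, ORs TCP flags across the flow, takes the base sequence number from the first packet, and skips window updates on RST/FIN segments. The Packet layout, the unidirectional key (reverse-direction segments would form their own record here), and the four sample segments are assumptions constructed for this example.

```python
"""Flow-record attribute update rules: first-packet, last-packet, accumulated.

Added example, not argus code. The Packet layout, FlowTracker and the sample
segments below are assumptions constructed to exercise each rule.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

FlowKey = Tuple[str, str, int, int, int]  # (src, dst, sport, dport, proto)


@dataclass
class Packet:
    """Decoded fields of one observed packet (assumed layout, not a real capture)."""
    ts: float
    src_mac: str
    dst_mac: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    ttl: int
    tos: int
    ip_id: int
    tcp_flags: int = 0
    seq: int = 0
    window: int = 0
    vlan: Optional[int] = None


@dataclass
class FlowRecord:
    key: FlowKey
    stime: float            # first packet
    ltime: float            # last packet
    src_mac: str            # first packet: encapsulation ids are not re-copied
    dst_mac: str            # first packet
    vlan: Optional[int]     # first packet
    base_seq: int           # first packet in the reporting interval
    last_seq: int           # last packet
    ttl: int                # last packet: a change hints at a path change
    tos: int                # last packet
    ip_id: int              # last packet: usable as a pseudo sequence number
    flags: int              # OR-accumulated over every packet seen
    window: int             # last packet that was not RST/FIN
    pkts: int               # counter: accumulated


def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.dst, p.sport, p.dport, p.proto)


class FlowTracker:
    """Unidirectional 5-tuple tracker (assumption: no bidirectional matching)."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, FlowRecord] = {}

    def observe(self, p: Packet) -> FlowRecord:
        k = flow_key(p)
        f = self.flows.get(k)
        if f is None:
            # First packet: everything is initialised from it, including the
            # encapsulation identifiers that are never touched again.
            f = FlowRecord(key=k, stime=p.ts, ltime=p.ts,
                           src_mac=p.src_mac, dst_mac=p.dst_mac, vlan=p.vlan,
                           base_seq=p.seq, last_seq=p.seq,
                           ttl=p.ttl, tos=p.tos, ip_id=p.ip_id,
                           flags=p.tcp_flags, window=0, pkts=0)
            self.flows[k] = f
        else:
            # Last-packet attributes are simply overwritten ...
            f.ltime, f.ttl, f.tos, f.ip_id = p.ts, p.ttl, p.tos, p.ip_id
            f.last_seq = p.seq
            # ... while status fields accumulate.
            f.flags |= p.tcp_flags
        f.pkts += 1
        # Exception to the last-packet rule: RST and FIN segments usually carry
        # a zero window, so they never update the reported window.
        if not p.tcp_flags & (TCP_RST | TCP_FIN):
            f.window = p.window
        return f


def build_sample_flow() -> FlowRecord:
    """Constructed four-segment TCP flow (sample data, not a capture)."""
    common = dict(src="10.0.0.5", dst="192.0.2.10", sport=40000, dport=443,
                  proto=6, src_mac="00:11:22:33:44:55", vlan=10)
    pkts = [
        Packet(ts=1.00, dst_mac="aa:bb:cc:00:00:01", ttl=64, tos=0x00, ip_id=100,
               tcp_flags=TCP_SYN, seq=1000, window=65535, **common),
        Packet(ts=1.05, dst_mac="aa:bb:cc:00:00:01", ttl=64, tos=0x00, ip_id=101,
               tcp_flags=TCP_ACK, seq=1001, window=32768, **common),
        # Path change: new next-hop MAC, one more TTL decrement, TOS remarked.
        Packet(ts=1.20, dst_mac="aa:bb:cc:00:00:02", ttl=63, tos=0x10, ip_id=102,
               tcp_flags=TCP_PSH | TCP_ACK, seq=1001, window=16384, **common),
        # FIN with a zero window: must not clobber the reported window.
        Packet(ts=1.50, dst_mac="aa:bb:cc:00:00:02", ttl=63, tos=0x10, ip_id=103,
               tcp_flags=TCP_FIN | TCP_ACK, seq=1101, window=0, **common),
    ]
    tracker = FlowTracker()
    for p in pkts:
        tracker.observe(p)
    return tracker.flows[flow_key(pkts[0])]


if __name__ == "__main__":
    print(build_sample_flow())
```

Running it shows the record carrying the first packet's dst_mac even though the last two segments left through a different next hop, ttl/tos/ip_id from the last segment, flags equal to SYN|ACK|PSH|FIN, and window 16384 rather than the FIN's zero.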



More information about the argus mailing list