how to aggregate multiple similar tcp flows?

Christoph Badura bad at bsd.de
Thu Mar 1 18:39:06 EST 2007


So, I'm trying to use racluster to aggregate multiple similar TCP flows.

$ racluster -n -s +sloss +dloss -r trace.argus dst port 22
...
   14:27:04.225239    d        tcp      1.2.3.4.38501     ->        4.3.2.1.22         3776     7319       257536     11002749   FIN          0          1
   14:27:24.618657             tcp      1.2.3.4.38586     ->        4.3.2.1.22         3770     7324       257224     11001631   FIN          0          0
   14:27:43.040418             tcp      1.2.3.4.38588     ->        4.3.2.1.22         3767     7321       256834     11001433   FIN          0          0
   14:28:26.545754    d        tcp      1.2.3.4.38615     ->        4.3.2.1.22         7508     3841     11195264       262685   FIN          0          1
...

So clearly we have some packet loss.

$ racluster -n -s +sloss +dloss -r trace7s.argus -m saddr daddr dport - dst port 22
   14:25:35.871261              ip      1.2.3.4          <->        4.3.2.1           71124    85030     57813728    100321378   CON          0          0
$ racluster -n -s +sloss +dloss -r trace7s.argus -m saddr daddr dport - tcp and dst port 22
   14:25:35.871261              ip      1.2.3.4          <->        4.3.2.1           71124    85030     57813728    100321378   CON          0          0
$ racluster -n -s +sloss +dloss -r trace7s.argus -m saddr daddr dport - 
   14:25:35.871261              ip      1.2.3.4          <->        4.3.2.1           71124    85030     57813728    100321378   CON          0          0
$ 

So it doesn't want to treat the aggregated records as TCP flows, I think.
Why wouldn't it, though?  I told it that only saddr, daddr and dport matter
and they are the same for these aggregation objects in all records in the
trace.

Hmm...

$ racluster -n -s +sloss +dloss -r trace7s.argus -m saddr daddr dport proto -
   14:25:35.871261    d        tcp      1.2.3.4.0         ->        4.3.2.1.22        71124    85030     57813728    100321378   FIN          0          2
$ 

OK, so I need to tell it that it should also look at the transaction protocol.
That was not obvious to me.

I guess I was hoping for smarter behaviour, too. What I would love to have
is a mode where it would go and aggregate similar flows together by itself:
UDP and TCP flows separate.  Flows with high loss rate separate from ones with
low loss rate.  High response time and low response time.  And report them
in a way that I can see if there is a pattern determined by source and/or
destination address ranges.

--chris
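The behaviour in the post, aggregation keyed on the fields given to -m, with everything left out of the key generalised away, is easy to reproduce in a few lines. The following is an added example, not argus or racluster code. Its merge rules (counters summed, proto generalised to "ip" and ports to 0 when they are not in the key, TCP state and loss counters kept only when proto is a key field) are an assumption modelled on the output shown above, not a description of racluster internals. The four TCP records copy the values from the post; the UDP record is constructed to show what a key without proto does to mixed traffic.

```python
"""Flow aggregation keyed on chosen fields, in the spirit of `racluster -m`.

Added example; not argus/racluster code. The merge rules below are an
assumption modelled on the racluster output in the post.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass
class Flow:
    start: str    # first-seen timestamp
    proto: str    # "tcp", "udp", or "ip" once generalised
    saddr: str
    sport: int    # 0 once generalised
    daddr: str
    dport: int
    spkts: int
    dpkts: int
    sbytes: int
    dbytes: int
    state: str    # e.g. "FIN" (TCP), "CON" (no transport semantics)
    sloss: int
    dloss: int


# Constructed sample input. The four TCP records copy the values shown in the
# post; the UDP record is invented to show what merging across protocols does.
SAMPLE: List[Flow] = [
    Flow("14:27:04.225239", "tcp", "1.2.3.4", 38501, "4.3.2.1", 22, 3776, 7319, 257536, 11002749, "FIN", 0, 1),
    Flow("14:27:24.618657", "tcp", "1.2.3.4", 38586, "4.3.2.1", 22, 3770, 7324, 257224, 11001631, "FIN", 0, 0),
    Flow("14:27:43.040418", "tcp", "1.2.3.4", 38588, "4.3.2.1", 22, 3767, 7321, 256834, 11001433, "FIN", 0, 0),
    Flow("14:28:26.545754", "tcp", "1.2.3.4", 38615, "4.3.2.1", 22, 7508, 3841, 11195264, 262685, "FIN", 0, 1),
    Flow("14:28:40.000000", "udp", "1.2.3.4", 40001, "4.3.2.1", 22, 5, 5, 400, 400, "CON", 0, 0),
]

COUNTERS = ("spkts", "dpkts", "sbytes", "dbytes")
LOSS = ("sloss", "dloss")


def aggregate(flows: Iterable[Flow], key_fields: Sequence[str]) -> List[Flow]:
    """Merge flows that agree on every field in key_fields.

    Any field left out of the key is generalised in the output: proto -> "ip",
    sport/dport -> 0. Transport state and loss counters are kept only when
    proto is part of the key; without it the aggregate is not a TCP flow and
    is reported as a plain IP flow in state "CON" (assumed rule, see lead-in).
    """
    keyed = set(key_fields)
    buckets: Dict[Tuple, Flow] = {}
    for f in flows:
        key = tuple(getattr(f, k) for k in key_fields)
        agg = buckets.get(key)
        if agg is None:
            agg = replace(f, spkts=0, dpkts=0, sbytes=0, dbytes=0, sloss=0, dloss=0)
            if "proto" not in keyed:
                agg.proto = "ip"
            if "sport" not in keyed:
                agg.sport = 0
            if "dport" not in keyed:
                agg.dport = 0
            buckets[key] = agg
        agg.start = min(agg.start, f.start)
        for c in COUNTERS:
            setattr(agg, c, getattr(agg, c) + getattr(f, c))
        if "proto" in keyed:
            for c in LOSS:
                setattr(agg, c, getattr(agg, c) + getattr(f, c))
            if agg.state != f.state:
                agg.state = "CON"    # mixed states: fall back to "connected"
        else:
            agg.state = "CON"
    return list(buckets.values())


def format_record(f: Flow) -> str:
    """Render one record roughly the way racluster prints it."""
    generalised = f.proto == "ip"
    arrow = "<->" if generalised else "->"
    src = f.saddr if generalised else f"{f.saddr}.{f.sport}"
    dst = f.daddr if generalised else f"{f.daddr}.{f.dport}"
    return (f"{f.start} {f.proto:>4} {src:>18} {arrow:>3} {dst:>18} "
            f"{f.spkts:>7} {f.dpkts:>7} {f.sbytes:>10} {f.dbytes:>10} "
            f"{f.state:>4} {f.sloss:>3} {f.dloss:>3}")


if __name__ == "__main__":
    for key in (("saddr", "daddr", "dport"), ("saddr", "daddr", "dport", "proto")):
        print("-m " + " ".join(key))
        for rec in aggregate(SAMPLE, key):
            print("  " + format_record(rec))
```

Run as a script it prints two listings: the three-field key collapses everything, TCP and UDP alike, into a single "ip" record with no ports, no TCP state and no loss counters, while adding proto to the key gives one tcp record (sport 0, dport 22, state FIN, dloss 2) and one separate udp record, which is the difference the post observed between the two racluster invocations.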
