argus metric: hops and ttl

Carter Bullard carter at qosient.com
Thu Oct 11 10:18:33 EDT 2007


Hey CS Lee,

shops and dhops are derived from sttl and dttl but they are not the same metric.

The sttl and dttl are the time to live fields which are the number of hops left in the packet before they will be discarded.  We report the last ttl value and have a bit indication that it has changed during this reporting status interval.

The shops and dhops are an attempt to calculate the number of hops the packet went through.  So we take the ttl and we subtract it from a possible starting TTL value.  Almost all TCPs use an initial TTL that is a power of 2: 64, 128, 256 (corrected to 255).  While there are some OSs that will use 30 and 60 as an initial TTL value (AIX, HP-UX 3.x, Irix, OSF, Stratus, Ultrix, VMS), not correcting for these discrepancies still generates useful statistical data.

So if the sttl is 243, then the shops will be (255 - 243), 12.

Carter




On Oct 11, 2007, at 1:47 AM, CS Lee wrote:

> Hi Carter,
>
> I figure there are shops, dhops and sttl, dttl in argus metric, just need to confirm both hops and ttl are the same in argus, right? Another thing is may I know how you detect and obtain the value of loss (e.g., dup ack, etc.) in the flow.
>
> Thanks,
> -- 
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
>
> http://geek00l.blogspot.com
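
An added example, not part of the original message and not Argus's own code: a C sketch of the hop estimate described above, using the initial TTLs the message lists (64, 128, 255) and constructed samples that include hosts starting at 30 and 60. The rule of picking the smallest listed initial TTL at or above the observed TTL, and the function names, are assumptions.

```c
#include <stdio.h>

/* Initial TTLs named in the message: 64, 128, and 256 corrected to 255. */
static const int INITIAL_TTLS[] = { 64, 128, 255 };
#define N_INITIAL (sizeof INITIAL_TTLS / sizeof INITIAL_TTLS[0])

/* Assumption (not confirmed as Argus's rule): the sender started at the
 * smallest listed initial TTL that is >= the observed TTL.
 * Returns that value, or -1 if ttl is outside the 8-bit range. */
int guess_initial_ttl(int ttl)
{
    if (ttl < 0 || ttl > 255)
        return -1;
    for (size_t i = 0; i < N_INITIAL; i++)
        if (ttl <= INITIAL_TTLS[i])
            return INITIAL_TTLS[i];
    return -1; /* unreachable: 255 covers every valid ttl */
}

/* hops = guessed initial TTL - observed TTL, or -1 on invalid input. */
int estimate_hops(int ttl)
{
    int initial = guess_initial_ttl(ttl);
    return initial < 0 ? -1 : initial - ttl;
}

int main(void)
{
    /* Constructed samples: {true initial TTL, true hop count}. */
    static const int samples[][2] = {
        { 255, 12 },  /* observed ttl 243, the message's own example */
        { 128, 12 },
        {  64, 12 },
        {  60,  5 },  /* OS with initial TTL 60: guessed as 64 */
        {  30,  5 },  /* OS with initial TTL 30: guessed as 64 */
    };
    puts("init true_hops ttl est_hops error");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ttl = samples[i][0] - samples[i][1];
        int est = estimate_hops(ttl);
        printf("%4d %9d %3d %8d %5d\n",
               samples[i][0], samples[i][1], ttl, est, est - samples[i][1]);
    }
    return 0;
}
```

For the constructed hosts that start at 60 and 30, the estimate is high by 4 and 34 hops respectively, which is the uncorrected discrepancy the message mentions.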
