New support for printing out flow packet size metrics

Carter Bullard carter at qosient.com
Thu Sep 13 11:33:55 EDT 2007


Hey CS,
Hope all is and will be most excellent.

There are a lot of bells and whistles in argus-3.0 to support a large number of specific tasks.  The theme is to be able to contribute to Security, Operations and Performance management with the same monitor, and to solve some fundamentally hard problems in the process.

A big function for argus-3.0 is the ability to support multi-probe comparisons, where you take argus data for the same flow from multiple probes, and compare them to solve problems.  I do this all the time to provide a wide spectrum of tasks.  For security, one of the big ones is non-cryptographic Information Assurance.  Host A sent some traffic to host B, did host B get it?  If A and B are running argus, then by comparing the records from both machines, you can know if they did or not (there are some insider attacks where cryptography doesn't provide this level of assurance).  For performance management, I use techniques that naturally evolve from this way of doing things to analyze, as a simple example, complex reachability problems (say with NAT) and path integrity issues.

In most cases it's hard to say that this argus-3.0 feature supports that analytic function, but it's easy in the case of packet size reporting.

One of the hardest operational problems to diagnose is MTU discovery failure, where an end-system sends out packets that are too big for the end-to-end path.  This is going to be a big problem in IPv6 networks which don't support fragmentation.

If you have argus data from both ends of the path, you can quickly discover that the packet loss is an MTU issue, as you can see that the max packet sizes are different.  It's really difficult to see an MTU problem when the condition lasts only a few milliseconds at a time, but if you're good, argus can find those for you.

There are other reasons to have packet size, say for MPLS traffic engineering, but that is a long discussion.

Best of luck, and stay in touch!!!!

Carter



On Sep 13, 2007, at 10:52 AM, CS Lee wrote:

> Hi all,
>
> I was in the transition period of getting used to my new job
> without an argus deployment and will come back again once I have a
> chance to deploy argus again. Anyway, I would like to thank
> Carter, Peter and the rest for putting so much effort into fixing the
> problem. I guess my former company would be happy with argus with
> so many improvements.
>
> Anyway, reading the mail threads keeps me updated on what's
> available in the argus world, and Carter has mentioned the new support
> for printing out flow packet size metrics. May I know what the
> use of it is and what it really means?
>
> Hope to be back on track soon, cheers.
>
> Thanks.
>
> -- 
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
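
The two-probe comparison described in the message above, as an added example that is not part of the original thread and is not argus code. It assumes per-flow records have already been exported from a probe at each end of the path; the column names (`flow`, `src_pkts`, `src_max_size`) and the sample records are constructed for illustration and are not argus field names.

```python
import csv
import io

# Constructed sample: per-flow records exported from two probes, one at each
# end of the path. Column names are hypothetical, not argus field names.
PROBE_A = """flow,src_pkts,src_max_size
10.0.0.1:40000>10.0.1.9:443/tcp,120,1500
10.0.0.1:40002>10.0.1.9:22/tcp,40,576
10.0.0.1:40004>10.0.1.9:80/tcp,15,1400
"""
PROBE_B = """flow,src_pkts,src_max_size
10.0.0.1:40000>10.0.1.9:443/tcp,31,1380
10.0.0.1:40002>10.0.1.9:22/tcp,40,576
"""

def load(text):
    """Index one probe's records by flow key."""
    return {r["flow"]: (int(r["src_pkts"]), int(r["src_max_size"]))
            for r in csv.DictReader(io.StringIO(text))}

def compare(sender_text, receiver_text):
    """Classify each flow seen at the sender against the receiver's view."""
    sender, receiver = load(sender_text), load(receiver_text)
    findings = {}
    for flow, (s_pkts, s_max) in sender.items():
        if flow not in receiver:
            findings[flow] = "not seen at receiver"
            continue
        r_pkts, r_max = receiver[flow]
        if r_pkts < s_pkts and r_max < s_max:
            # Loss plus a smaller maximum size at the far end: the large
            # packets are the ones going missing, which points at path MTU.
            findings[flow] = (f"possible MTU issue: sent max {s_max}, "
                              f"received max {r_max}, lost {s_pkts - r_pkts}")
        elif r_pkts < s_pkts:
            findings[flow] = f"loss without size difference: lost {s_pkts - r_pkts}"
        else:
            findings[flow] = "delivered"
    return findings

if __name__ == "__main__":
    for flow, verdict in compare(PROBE_A, PROBE_B).items():
        print(flow, "->", verdict)
```

Matching on the flow key only works when both probes see the same addresses; across NAT the key has to be mapped before the comparison.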


