New support for printing out flow packet size metrics

CS Lee geek00l at gmail.com
Fri Sep 14 09:40:30 EDT 2007


Hi Carter,

Thanks for the explanation, this is really great!!!!

On 9/13/07, Carter Bullard <carter at qosient.com> wrote:
>
> Hey CS,
> Hope all is and will be most excellent.
>
> There are a lot of bells and whistles in the argus-3.0 to support a
> large number of specific tasks.  The theme is to be able to contribute
> to Security, Operations and Performance management with the same
> monitor, and to solve some fundamentally hard problems in the process.
>
> A big function for argus-3.0 is the ability to support multi-probe
> comparisons, where you take argus data for the same flow from multiple
> probes, and compare them to solve problems.  I do this all the time to
> provide a wide spectrum of tasks.  For security, one of the big ones is
> non-cryptographic Information Assurance.  Host A sent some traffic to
> host B, did host B get it?  If A and B are running argus, then by
> comparing the records from both machines, you can know if they did or
> not (there are some insider attacks where cryptography doesn't provide
> this level of assurance).  For performance management, I use techniques
> that naturally evolve from this way of doing things to analyze, as a
> simple example, complex reachability problems (say with NAT) and path
> integrity issues.
>
> In most cases it's hard to say that this argus-3.0 feature supports that
> analytic function, but it's easy in the case of packet size reporting.
>
> One of the hardest operational problems to diagnose is MTU discovery
> failure, where an end-system sends out packets that are too big for the
> end-to-end path.  This is going to be a big problem in IPv6 networks
> which don't support fragmentation.
>
> If you have argus data from both ends of the path, you can quickly
> discover that the packet loss is an MTU issue, as you can see that the
> max packet sizes are different.  It's really difficult to see an MTU
> problem when the condition lasts only a few milliseconds at a time, but
> if you're good, argus can find those for you.
>
> There are other reasons to have packet size, say for MPLS traffic
> engineering, but that is a long discussion.
>
> Best of luck, and stay in touch!!!!
>
> Carter
>
>
>
> On Sep 13, 2007, at 10:52 AM, CS Lee wrote:
>
> > Hi all,
> >
> > I was in the transition period of getting used to my new job
> > without argus deployment and will come back again once I have
> > a chance to deploy argus again. Anyway, I would like to thank
> > Carter, Peter and the rest for putting so much effort into fixing
> > the problem. Guess my former company would be happy with argus with
> > so many improvements.
> >
> > Anyway, reading the mail threads keeps me updated on what's
> > available in the argus world, and Carter has mentioned the new support
> > for printing out flow packet size metrics. May I know what the
> > use of it is and what it really means?
> >
> > Hope to be back on track soon, cheers.
> >
> > Thanks.
> >
> > --
> > Best Regards,
> >
> > CS Lee<geekooL[at]gmail.com>
>



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>
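
The two-probe comparison Carter describes, as an added example that is not part of the original messages and is not Argus code: it matches flow records from a sender-side and a receiver-side probe and flags flows that never arrived or whose maximum packet size shrank along the path. The CSV column names and all sample records are assumptions constructed for this sketch.

```python
import csv
import io

# Constructed sample records (not real Argus output). The column names are
# assumed for this example: flow 5-tuple, packets seen, max packet size seen.
PROBE_A = """proto,saddr,sport,daddr,dport,spkts,smaxsz
tcp,10.0.0.5,40112,192.0.2.10,443,12,1500
tcp,10.0.0.5,40113,192.0.2.10,80,8,576
udp,10.0.0.5,5353,192.0.2.20,53,2,90
"""
PROBE_B = """proto,saddr,sport,daddr,dport,spkts,smaxsz
tcp,10.0.0.5,40112,192.0.2.10,443,9,1400
tcp,10.0.0.5,40113,192.0.2.10,80,8,576
"""

def load(text):
    """Index one probe's records by flow 5-tuple."""
    flows = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["proto"], row["saddr"], row["sport"], row["daddr"], row["dport"])
        flows[key] = (int(row["spkts"]), int(row["smaxsz"]))
    return flows

def compare(sender_text, receiver_text):
    """Return (flow key, finding) pairs where the two probes disagree."""
    sender, receiver = load(sender_text), load(receiver_text)
    findings = []
    for key, (s_pkts, s_max) in sorted(sender.items()):
        if key not in receiver:
            # Host A sent it, host B's probe has no record of it.
            findings.append((key, "not seen at receiver"))
            continue
        r_pkts, r_max = receiver[key]
        missing = s_pkts - r_pkts
        if missing > 0 and r_max < s_max:
            # Loss plus a smaller max size at the far end points at the path MTU.
            findings.append((key, f"possible MTU problem: max size {s_max} sent, "
                                  f"{r_max} received, {missing} packets missing"))
        elif missing > 0:
            findings.append((key, f"loss: {missing} packets missing"))
    return findings

if __name__ == "__main__":
    for key, finding in compare(PROBE_A, PROBE_B):
        print(key, finding)
```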