[PATCH] TcpRtt support in ragraph

Tomoyuki Sakurai cherry at trombik.org
Mon Aug 25 21:12:23 EDT 2008 

On Mon, Aug 25, 2008 at 07:36:17PM -0400, Carter Bullard wrote:
> 
> Hi,
> TcpRtt is actually calculated as the complete round trip time
> measured as the syn->synack times "+" the synack->ack time.
> Even if argus is in the middle, you will get a full roundtrip time
> calculated, but you have to see all three packets in order
> to calculate the metric.  Its possible that you have asymmetric
> paths for the TCP data?

No, the path is symmetric and argus sees complete TCP stream. But your
suggestion made me think again and I understood why. In short, argus is
right, it was pf on OpenBSD router that made TCP handshakes.

> Because the TcpRtt is the sum of two other metrics, you can
> print the two components and the totals to see where its messing up.
> 
>     ra -r file -s +synack +ackdat +tcprtt - tcp

"ra $OPTIONS - tcp and not src net $MYNET" shows:

Proto sCo   Dir dCo State  SynAck(Sec)  AckDat(Sec)  TcpRtt(Sec)
  tcp  JP    ->  JP  sSEf     0.000169     0.000097     0.000266
  tcp  US    ->  JP sSEfF     0.000143     0.000101     0.000244
  tcp  CN    ->  JP sSEfF     0.000233     0.000098     0.000331
  tcp  RU    ->  JP sSEfF     0.000165     0.000098     0.000263
  tcp  KH    ->  JP sSEfF     0.000236     0.000105     0.000341
  tcp  GB    ->  JP sSEfF     0.000122     0.000100     0.000222
  tcp  DE    ->  JP   sSE     0.000255     0.000102     0.000357
  tcp  SG    ->  JP  sSEf     0.000155     0.000102     0.000257
  tcp  TH    ->  JP sSEfF     0.000131     0.000101     0.000232
  tcp  MY    ->  JP sSEfF     0.000133     0.000104     0.000237

These would be impressive RTTs if they were real :)

I had "pass ... synproxy state" in pf.conf. That means pf was proxying
initial TCP handshake for the client and then argus saw the packets.
After disabling synproxy keyword, argus sees unmodified TCP handshake.

Proto sCo   Dir dCo State  SynAck(Sec)  AckDat(Sec)  TcpRtt(Sec)
  tcp  US    ->  JP  sSEf     0.000279     0.142032     0.142311
  tcp  JP    ->  JP  sSEf     0.000216     0.119915     0.120131
  tcp  JP    ->  JP  sSEf     0.000246     0.119765     0.120011
  tcp  US    ->  JP sSEfF     0.000158     0.203272     0.203430
  tcp  JP    ->  JP sSEfF     0.000253     0.045925     0.046178
  tcp  TH    ->  JP sSEfF     0.000134     0.183594     0.183728
  tcp  EU    ->  JP sSEfF     0.000224     0.281545     0.281769
  tcp  JP    ->  JP sSEfF     0.000208     0.018305     0.018513

Now that the result is reasonable.

If you are using synproxy, place the argus where unmodified packets can
be seen, like in front of OpenBSD host. You'll still miss RTT between
the OpenBSD router and dst host, but in most cases, it wouldn't be a
problem since the missed RTT would be a few msec.

Sorry for the noise.

-- 
Tomoyuki Sakurai

More information about the argus mailing list