Duration Bug

Fri Aug 7 13:49:27 EDT 2009

On certain flows, mainly ones that have multiple syns or synacks and ones
generally I would filter out, duration isn't being computed correctly.

tcpdump -nnn -r test.pcap
21:02:16.875502 IP X.214.3.6.58159 > Y.138.202.172.80: S
157910143:157910143(0) win 16384 <mss 1460,nop,nop,sackOK>
21:02:16.877334 IP Y.138.202.172.80 > X.214.3.6.58159: S
2257108841:2257108841(0) ack 157910144 win 5840 <mss 1460,nop,nop,sackOK>
21:02:20.957725 IP Y.138.202.172.80 > X.214.3.6.58159: S
2257108841:2257108841(0) ack 157910144 win 5840 <mss 1460,nop,nop,sackOK>
21:02:26.958086 IP Y.138.202.172.80 > X.214.3.6.58159: S
2257108841:2257108841(0) ack 157910144 win 5840 <mss 1460,nop,nop,sackOK>
21:02:38.958952 IP Y.138.202.172.80 > X.214.3.6.58159: S
2257108841:2257108841(0) ack 157910144 win 5840 <mss 1460,nop,nop,sackOK>
21:03:02.968299 IP Y.138.202.172.80 > X.214.3.6.58159: S
2257108841:2257108841(0) ack 157910144 win 5840 <mss 1460,nop,nop,sackOK>
21:03:51.171263 IP Y.138.202.172.80 > X.214.3.6.58159: S
2257108841:2257108841(0) ack 157910144 win 5840 <mss 1460,nop,nop,sackOK>

argus -r test.pcap -w - | ra -r - -s +dur
21:02:16.875502  e d       tcp         67.214.3.6.58159     ->
128.138.202.172.www           7        434   ACC -139806067

Nick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090807/07ccd0ea/attachment.html>