Duration Bug
Carter Bullard
carter at qosient.com
Fri Aug 7 13:58:37 EDT 2009
Hey Nick,
When you have packet or argus data files that demonstrate a bug, could
you send them along, so I can fix the problem?
Thanks!!!
Carter
On Aug 7, 2009, at 1:49 PM, Nick Diel wrote:
> On certain flows, mainly ones that have multiple syns or synacks and
> ones generally I would filter out, duration isn't being computed
> correctly.
>
> tcpdump -nnn -r test.pcap
> 21:02:16.875502 IP X.214.3.6.58159 > Y.138.202.172.80: S
> 157910143:157910143(0) win 16384 <mss 1460,nop,nop,sackOK>
> 21:02:16.877334 IP Y.138.202.172.80 > X.214.3.6.58159: S
> 2257108841:2257108841(0) ack 157910144 win 5840 <mss
> 1460,nop,nop,sackOK>
> 21:02:20.957725 IP Y.138.202.172.80 > X.214.3.6.58159: S
> 2257108841:2257108841(0) ack 157910144 win 5840 <mss
> 1460,nop,nop,sackOK>
> 21:02:26.958086 IP Y.138.202.172.80 > X.214.3.6.58159: S
> 2257108841:2257108841(0) ack 157910144 win 5840 <mss
> 1460,nop,nop,sackOK>
> 21:02:38.958952 IP Y.138.202.172.80 > X.214.3.6.58159: S
> 2257108841:2257108841(0) ack 157910144 win 5840 <mss
> 1460,nop,nop,sackOK>
> 21:03:02.968299 IP Y.138.202.172.80 > X.214.3.6.58159: S
> 2257108841:2257108841(0) ack 157910144 win 5840 <mss
> 1460,nop,nop,sackOK>
> 21:03:51.171263 IP Y.138.202.172.80 > X.214.3.6.58159: S
> 2257108841:2257108841(0) ack 157910144 win 5840 <mss
> 1460,nop,nop,sackOK>
>
> argus -r test.pcap -w - | ra -r - -s +dur
> 21:02:16.875502 e d tcp 67.214.3.6.58159 ->
> 128.138.202.172.www 7 434 ACC -139806067
>
> Nick