ra: window difference ?

Carter Bullard carter at qosient.com
Wed Dec 9 13:40:42 EST 2009


Hey Julien,
What filter(s) are you using to generate your numbers?

Carter

On Nov 29, 2009, at 10:06 AM, julien wrote:

> Hello Carter,
> 
> Carter Bullard wrote on 27/11/09 16:41:
>> Argus will report the last window advertisement seen for the src and dst direction
>> in each status report interval and it will also indicate if the window went to zero
>> during that time.   This zero state is the TCP flow control indicator, and you will
>> see a "S", "D" or "@" indicator in column 5 of the flags field.
> [...]
> 
> thanks a lot for all these details
> 
>> 
>> So, what are you most interested in in this packet trace?  Is there a need to capture
>> more in the TCP windows metric?
> 
> that's not really a problem of capture. More about interpreting different results between Wireshark and Argus from the same data.
> 
> When I speak about IP and Window, I will assume it's the same for everyone but here count/proportions are reversed so ...
> 
> 
>> On Nov 26, 2009, at 3:35 PM, julien wrote:
>>> does someone know the difference between Wireshark "Window Space" (tcp.window_space) and Argus "Window Advertisement" (swin/dwin) ?
>>> 
>>> I'm currently investigating a pcap representing a kind of DoS Synflood attack. The former returns about 25k packets with size 0 and 230k with size<n>, the latter returns 130k & 25k (swin only) ???
>>> 
> 
> Why Wireshark would return 9% of packets with size 0 and the others with 0 (filter with tcp.windows_space == 0 or n)
> and Argus returns 84% of flows with size 0 and the others with size 0 ? (with ra)
> 
> thanks
> 
> 

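The discrepancy discussed in this thread comes down to aggregation level: Wireshark's `tcp.window_size` filter counts individual packets, while Argus reports one window advertisement per flow direction (the last one seen in the status interval) plus a flag saying whether the window hit zero at any point. The script below is an added illustration, not code from the thread or from the Argus project: it builds a constructed set of packet records, computes the per-packet zero-window count the way a Wireshark display filter would, and then builds per-flow `swin`/`dwin` summaries the way Carter describes. It assumes a single status record per flow (no interval splitting) and that the flow's "src" is whichever endpoint sent the first packet; the mapping of the "@" flag to "both directions hit zero" is also an assumption about the flags column.

```python
from collections import OrderedDict

# Constructed sample records, not taken from the pcap in the thread:
# (timestamp, source endpoint, destination endpoint, advertised window)
PACKETS = [
    (1, "10.0.0.1:40001", "10.0.0.9:80", 65535),   # flow A: client opens
    (2, "10.0.0.9:80", "10.0.0.1:40001", 0),       # server advertises zero window
    (3, "10.0.0.1:40001", "10.0.0.9:80", 65535),
    (4, "10.0.0.9:80", "10.0.0.1:40001", 4096),    # server window opens again
    (5, "10.0.0.2:40002", "10.0.0.9:80", 0),       # flow B: two zero-window packets, no reply
    (6, "10.0.0.2:40002", "10.0.0.9:80", 0),
    (7, "10.0.0.3:40003", "10.0.0.9:80", 8192),    # flow C: single packet, normal window
    (8, "10.0.0.4:40004", "10.0.0.9:80", 8192),    # flow D: dips to zero in the middle
    (9, "10.0.0.4:40004", "10.0.0.9:80", 0),
    (10, "10.0.0.4:40004", "10.0.0.9:80", 8192),
]


def count_zero_window_packets(packets):
    """Per-packet view, like `tcp.window_size == 0` versus `!= 0` in Wireshark."""
    zero = sum(1 for _ts, _src, _dst, window in packets if window == 0)
    return zero, len(packets) - zero


def summarize_flows(packets):
    """Per-flow view in the spirit of Argus: last window seen per direction
    (swin for the initiator, dwin for the responder) and a flag per direction
    recording whether the window ever went to zero."""
    flows = OrderedDict()
    for _ts, src, dst, window in sorted(packets):
        if (src, dst) in flows:
            key, direction = (src, dst), "src"
        elif (dst, src) in flows:
            key, direction = (dst, src), "dst"
        else:
            # First packet of a new flow defines the src direction (assumption).
            key, direction = (src, dst), "src"
            flows[key] = {"swin": None, "dwin": None,
                          "src_zero": False, "dst_zero": False, "packets": 0}
        rec = flows[key]
        rec["packets"] += 1
        if direction == "src":
            rec["swin"] = window              # only the last advertisement survives
            rec["src_zero"] |= (window == 0)  # but the zero event is remembered
        else:
            rec["dwin"] = window
            rec["dst_zero"] |= (window == 0)
    return flows


def zero_window_flag(rec):
    """Flow-control indicator as described in the thread: S, D or @ (assumed: both)."""
    if rec["src_zero"] and rec["dst_zero"]:
        return "@"
    if rec["src_zero"]:
        return "S"
    if rec["dst_zero"]:
        return "D"
    return ""


def zero_window_flow_counts(flows):
    """How many flows end the interval with a zero swin/dwin, versus how many
    touched zero at some point; these are the numbers that diverge from the
    per-packet count."""
    return {
        "flows": len(flows),
        "swin_zero": sum(1 for r in flows.values() if r["swin"] == 0),
        "dwin_zero": sum(1 for r in flows.values() if r["dwin"] == 0),
        "any_zero_flag": sum(1 for r in flows.values() if zero_window_flag(r)),
    }


if __name__ == "__main__":
    zero, nonzero = count_zero_window_packets(PACKETS)
    print(f"packet view: {zero} zero-window, {nonzero} non-zero")
    flows = summarize_flows(PACKETS)
    for (src, dst), rec in flows.items():
        print(f"{src} -> {dst}: swin={rec['swin']} dwin={rec['dwin']} "
              f"flag={zero_window_flag(rec) or '-'} pkts={rec['packets']}")
    print("flow view:", zero_window_flow_counts(flows))
```

With this sample, 4 of 10 packets carry a zero window, but only 1 of 4 flows has `swin == 0` at the end of the record, while 3 of 4 flows carry a zero-window flag. Comparing a packet filter against a flow-record filter without deciding which of these three quantities you mean will give proportions that look reversed, which is the kind of mismatch the original question describes.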