ra: window difference?

Carter Bullard carter at qosient.com
Thu Dec 10 11:36:14 EST 2009


Hey Julien,
In the file you uploaded, 131803 of the flows that are reporting source windows of
zero are flows that are simple single packet flows, so you and I are getting consistent
numbers, so I suspect that your numbers are real.

I can't explain the discrepancy, as I have looked at the code and your sample
file and there shouldn't be a problem.  With the numbers switched, you should be
able to find a packet in your file where wireshark thinks there is a window number,
and the resulting argus record reports zero.

If you could create a packet file that has a packet or two that wireshark thinks
has a src window value but argus reports as zero, then I can debug.

Carter

On Dec 9, 2009, at 5:02 PM, julien wrote:

> Carter Bullard wrote on 09/12/09 19:40:
>> What filter(s) are you using to generate your numbers?
> 
> 
> here for wireshark
> 
>>> Why Wireshark would return 9% of packets with size 0 and the others with 0 (filter with tcp.windows_space == 0 or n)
>>> and Argus returns 84% of flows with size 0 and the others with size 0? (with ra)
> 
> and for argus, I make a chart with data from the following command:
> ra -n -s swin -r $src_log
> 
> thanks
> 

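The tally Carter describes above (zero source-window flows split into single-packet and multi-packet flows) as an added example, not code from Carter or from the Argus project; it assumes ra was run as `ra -n -c , -s proto,swin,spkts,dpkts -r file` and the records below are constructed.

```python
"""Split Argus flows reporting swin == 0 into single-packet and multi-packet
flows, so only the multi-packet ones need checking against the pcap.
Assumed ra fields: proto, swin, spkts, dpkts with ',' as delimiter (-c ,)."""
from collections import Counter

# Constructed sample of comma-delimited ra output (not real data).
# The last record has a non-numeric swin to exercise the malformed-line path.
SAMPLE_RA_OUTPUT = """\
Proto,SrcWin,SrcPkts,DstPkts
tcp,0,1,0
tcp,0,1,0
tcp,65535,3,2
tcp,0,4,3
udp,0,1,1
tcp,8192,12,10
tcp,abc,1,0
"""


def parse_ra_csv(text):
    """Yield (proto, swin, spkts, dpkts) tuples from ra -c , output.
    The first line is ra's column header; malformed records are skipped."""
    for lineno, line in enumerate(text.splitlines()):
        parts = line.strip().split(",")
        if lineno == 0 or len(parts) != 4:
            continue
        try:
            yield parts[0], int(parts[1]), int(parts[2]), int(parts[3])
        except ValueError:
            continue  # non-numeric field: not a usable record


def tally_zero_window(text):
    """Count tcp flows, flows with swin == 0, and how many of those were
    single-packet (expected to have no window) versus multi-packet."""
    c = Counter()
    for proto, swin, spkts, dpkts in parse_ra_csv(text):
        if proto != "tcp":
            continue
        c["tcp_flows"] += 1
        if swin == 0:
            c["zero_swin"] += 1
            key = "single_packet" if spkts + dpkts == 1 else "multi_packet"
            c["zero_swin_" + key] += 1
    return c


if __name__ == "__main__":
    import sys
    src = SAMPLE_RA_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    print(dict(tally_zero_window(src)))
```

Pipe real ra output into the script to get the counts for your own file; the multi-packet zero-window flows are the ones to compare against wireshark's window column.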