ra: window difference ?

Carter Bullard carter at qosient.com
Fri Nov 27 10:41:29 EST 2009


Hey Julien,
Argus will report the last window advertisement seen for the src and dst direction
in each status report interval and it will also indicate if the window went to zero
during that time.   This zero state is the TCP flow control indicator, and you will
see a "S", "D" or "@" indicator in column 5 of the flags field.

With larger status reporting intervals, you will have records that account
for more than one packet in a particular direction, and so you will lose some
window information.  To see all the values, you can reduce the status reporting
interval in argus-3.0 all the way down to 1 uSec if that is useful ("-S 0.000001").
We use this in some of the very very high speed work we do.  For link speeds
10Gbps and lower, this will basically report on each packet, so maybe "-S 1" or
"-S 0.1" would be good for your analysis.  

If you are generating 5 second status records and your records have
more than 1 packet in each direction, the window advertisement in the record
will be the value in the last packet.  When you filter, you'll only be able to match
on that last window advertisement that is in the record, so you will get different results
from argus data than from looking at each packet.

So, what are you most interested in in this packet trace?  Is there a need to capture
more in the TCP windows metric?


Carter

On Nov 26, 2009, at 3:35 PM, julien wrote:

> Hello everyone,
> 
> does someone know the difference between Wireshark "Window Space" (tcp.window_space) and Argus "Window Advertisement" (swin/dwin) ?
> 
> I'm currently investigating a pcap representing a kind of DoS Synflood attack. The former returns about 25k packets with size 0 and
> 230k with size <n>, the latter returns 130k & 25k (swin only) ???
> 
> http://www.faqs.org/rfcs/rfc793.html speaks only about "Window".
> 
> I suppose it's probably linked with a difference of treatment as packet or flow but not really sure.
> (tcpdump has about 300k lines and ra returns 250k)
> 
> If someone has an explanation, I would be very happy to get it.
> 
> Thanks.
> Best regards
> 
> 	Julien
> 
> 
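
The counting difference discussed in this thread, as an added example that is not part of the original messages and is not Argus code: a small model of status-interval aggregation that keeps only the last window advertisement per direction plus a zero-window indicator. The packet list is constructed, the function names are hypothetical, and the flag mapping ("S" src, "D" dst, "@" both) is an assumed reading of the reply above.

```python
# Constructed packets: (time_s, flow_id, direction, advertised_window)
PACKETS = [
    (0.10, "f1", "src", 8192),
    (0.40, "f1", "dst", 4096),
    (1.20, "f1", "src", 0),      # src window closes mid-interval
    (2.70, "f1", "src", 2048),   # and reopens before a 5 s interval ends
    (3.10, "f1", "dst", 4096),
    (5.30, "f1", "src", 0),
    (6.00, "f1", "dst", 1024),
    (0.20, "f2", "src", 0),
    (4.90, "f2", "src", 512),
]

def flow_records(packets, interval):
    """Aggregate packets into one record per (flow, status interval)."""
    recs = {}
    for t, flow, direction, win in sorted(packets):
        key = (flow, int(t / interval))
        r = recs.setdefault(
            key, {"pkts": 0, "swin": None, "dwin": None, "zero": set()})
        r["pkts"] += 1
        # Only the last advertisement seen in each direction survives.
        r["swin" if direction == "src" else "dwin"] = win
        if win == 0:
            r["zero"].add(direction)   # remembered even if it reopens later
    for r in recs.values():
        z = r.pop("zero")
        r["flag"] = ("@" if z == {"src", "dst"} else
                     "S" if z == {"src"} else
                     "D" if z == {"dst"} else " ")
    return recs

def count_zero_src_packets(packets):
    """Per-packet view: every src packet advertising window 0."""
    return sum(1 for _, _, d, w in packets if d == "src" and w == 0)

def count_zero_swin(packets, interval):
    """Per-record view: records whose last src advertisement is 0."""
    recs = flow_records(packets, interval)
    return sum(1 for r in recs.values() if r["swin"] == 0)

if __name__ == "__main__":
    print("packets with src window 0:", count_zero_src_packets(PACKETS))
    for s in (5, 0.1):
        recs = flow_records(PACKETS, s)
        print(f"interval {s}s: {len(recs)} records,",
              count_zero_swin(PACKETS, s), "with swin == 0")
```

With the 5 second interval, filtering on `swin == 0` misses closures that reopened within the interval, while the flag still records them; at 0.1 seconds each constructed packet lands in its own record and the counts agree with the per-packet view.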
