ra: window difference ?
julien
julien.t43 at gmail.com
Sun Nov 29 10:06:36 EST 2009
Hello Carter,
Carter Bullard wrote on 27/11/09 16:41:
> Argus will report the last window advertisement seen for the src and dst direction
> in each status report interval and it will also indicate if the window went to zero
> during that time. This zero state is the TCP flow control indicator, and you will
> see a "S", "D" or "@" indicator in column 5 of the flags field.
[...]
thanks a lot for all these details
>
> So, what are you most interested in in this packet trace? Is there a need to capture
> more in the TCP windows metric?
That's not really a capture problem. It's more about interpreting
different results between Wireshark and Argus from the same data.
When I speak about IP and Window, I assume it's the same for
everyone, but here the counts/proportions are reversed, so ...
> On Nov 26, 2009, at 3:35 PM, julien wrote:
>> does someone know the difference between Wireshark "Window Space" (tcp.window_space) and Argus "Window Advertisement" (swin/dwin) ?
>>
>> I'm currently investigating a pcap representing a kind of DoS SYN flood attack. The former returns about 25k packets with size 0 and 230k with size<n>, the latter returns 130k & 25k (swin only) ???
>>
Why would Wireshark return 9% of packets with size 0 and the others with
0 (filter with tcp.window_space == 0 or n),
while Argus (with ra) returns 84% of flows with size 0 and the others
with size 0?
thanks
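The mismatch julien asks about comes down to what is being counted: a Wireshark display filter on the window field (spelled tcp.window_space in this thread; the field is tcp.window_size in current Wireshark) counts individual segments, while Argus, as Carter describes, keeps per flow only the last window advertisement seen in each direction per status interval plus a flag for whether it hit zero. The following Python model is an added example written for this archive page; it is not code from the thread or from Argus. It builds a constructed trace (an unanswered SYN flood plus one legitimate connection) and tallies it both ways to show how the proportions can come out reversed. The assumption that a direction with no packets is reported as window 0 is the example's own, not something the thread states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One TCP segment as a pcap would show it (constructed, not from the thread's capture)."""
    src: str
    sport: int
    dst: str
    dport: int
    window: int  # raw TCP window field, unscaled


def flow_key(p):
    """Order the two endpoints so both directions of a connection share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def packet_view(pkts):
    """Per-segment tally, the way a Wireshark display filter on the window field
    counts (window == 0 versus != 0)."""
    zero = sum(1 for p in pkts if p.window == 0)
    return {"zero": zero, "nonzero": len(pkts) - zero}


def flow_view(pkts):
    """Per-flow view modelled on Carter's description: keep the last window
    advertisement seen in the src and dst direction, plus a flag recording
    whether each direction ever advertised zero. The initiator (first segment
    seen) is 'src'. Assumption of this model: a direction that sent nothing is
    reported with a window of 0."""
    flows = {}
    for p in pkts:
        st = flows.setdefault(
            flow_key(p),
            {"initiator": (p.src, p.sport), "swin": 0, "dwin": 0,
             "szero": False, "dzero": False},
        )
        side = "s" if (p.src, p.sport) == st["initiator"] else "d"
        st[side + "win"] = p.window          # last advertisement wins
        if p.window == 0:
            st[side + "zero"] = True         # window went to zero at some point
    return flows


def flow_summary(flows):
    """Count flows whose last advertised window is 0 in either direction."""
    zero = sum(1 for f in flows.values() if f["swin"] == 0 or f["dwin"] == 0)
    return {"zero": zero, "nonzero": len(flows) - zero}


def sample_trace():
    """Constructed trace: 100 unanswered SYNs from fresh source ports (window 5840),
    then one real connection with ten segments each way where the server
    advertises a zero window once, on its fifth segment, and recovers."""
    pkts = [Pkt("10.0.0.5", 40000 + i, "192.0.2.80", 80, 5840) for i in range(100)]
    for i in range(10):
        pkts.append(Pkt("10.0.0.9", 51000, "192.0.2.80", 80, 65535))
        pkts.append(Pkt("192.0.2.80", 80, "10.0.0.9", 51000, 0 if i == 4 else 32768))
    return pkts


if __name__ == "__main__":
    pkts = sample_trace()
    print("per packet:", packet_view(pkts))            # {'zero': 1, 'nonzero': 119}
    print("per flow  :", flow_summary(flow_view(pkts)))  # {'zero': 100, 'nonzero': 1}
```

With this input the packet view sees a single zero-window segment out of 120 (under 1%), while the flow view reports 100 of 101 flows with a zero window, because every unanswered SYN is a flow with a src-side advertisement and nothing at all from the dst side. The one connection that really stalled shows up only through its zero flag, since its last advertisement in both directions was nonzero. That is the kind of reversal that cannot be seen by comparing the two tools' raw counts.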