Printing TCP Options?

Carter Bullard carter at qosient.com
Fri Oct 7 13:25:47 EDT 2011 

Hey Nikki,
Since I hadn't shifted the "tcpopt" field into argus-clients-3.x, we can specify its output now if you don't like what is now there.
Currently, it is implemented like the "flgs" field, a fixed length string with single characters used to indicate the state for a particular value.

We have 12 TCP options that we need to convey from our TCP options bitmap, so the field is 12 characters long, with spaces used for placement.  A unique character is used to specify that a specific option is on.  Here is the current format:

ARGUS_TCP_MAXSEG:    option[0]  = 'M'
ARGUS_TCP_WSCALE:    option[1]  = 'w'
ARGUS_TCP_SACKOK:    option[2]  = 's'
ARGUS_TCP_SACK:      option[3]  = 'S'
ARGUS_TCP_ECHO:      option[4]  = 'e'
ARGUS_TCP_ECHOREPLY: option[5]  = 'E'
ARGUS_TCP_TIMESTAMP: option[6]  = 'T'
ARGUS_TCP_CC:        option[7]  = 'c'
ARGUS_TCP_CCNEW:     option[8]  = 'N'
ARGUS_TCP_CCECHO:    option[9]  = 'O'
ARGUS_TCP_SRC_ECN:   option[10] = 'S'
ARGUS_TCP_DST_ECN:   option[11] = 'D'

And here is how it looks with the various ra.1 printing options, space filled, character delimited, and XML:

../bin/ra -r /tmp/argus.out -s stime dur proto tcpopt     
                 StartTime        Dur  Proto       TcpOpt 
2011/10/03.11:03:27.407610   4.820016    tcp Mws   T
2011/10/03.11:03:32.657344   4.855263    tcp Mws   T
2011/10/03.11:03:34.899137   0.000719    udp
2011/10/03.11:03:34.900225   0.106366    tcp Mws   T
2011/10/03.11:03:35.002305   0.984422    udp
2011/10/03.11:03:35.002495   1.107643    udp
2011/10/03.11:03:35.002775   0.078968    udp
2011/10/03.11:03:35.003062   0.111157    udp
2011/10/03.11:03:35.003292   0.000000    arp
2011/10/03.11:03:36.004261   0.062153    udp


../bin/ra -r /tmp/argus.out -s stime dur proto tcpopt -c ,
StartTime,Dur,Proto,TcpOpt
2011/10/03.11:03:27.407610,4.820016,tcp,Mws   T
2011/10/03.11:03:32.657344,4.855263,tcp,Mws   T
2011/10/03.11:03:34.899137,0.000719,udp,
2011/10/03.11:03:34.900225,0.106366,tcp,Mws   T
2011/10/03.11:03:35.002305,0.984422,udp,
2011/10/03.11:03:35.002495,1.107643,udp,
2011/10/03.11:03:35.002775,0.078968,udp,
2011/10/03.11:03:35.003062,0.111157,udp,
2011/10/03.11:03:35.003292,0.000000,arp,
2011/10/03.11:03:36.004261,0.062153,udp,


../bin/ra -r /tmp/argus.out -s stime dur proto tcpopt -M xml
<?xml version ="1.0" encoding="UTF-8"?>
<!--Generated by ra(3.0.5.20) QoSient, LLC-->
<ArgusDataStream
  xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance" 
  xsi:noNamespaceSchemaLocation = "http://qosient.com/argus/Xml/ArgusRecord.3.0.xsd"
  BeginDate = "2011-09-16T11:52:47.355095" CurrentDate = "2011-10-07T13:09:21.721079"
  MajorVersion = "3" MinorVersion = "0.3" InterfaceType = "DLT_NULL" InterfaceStatus = "Up"
  ArgusSourceId = "192.168.0.68"  NetAddr = "0.0.0.0"  NetMask = "0.0.0.0">

 <ArgusFlowRecord  StartTime = "2011-10-03T11:03:27.407610" Duration = "4.820016" Proto = "tcp" TcpOptions = "Mws   T     "></ArgusFlowRecord>
 <ArgusFlowRecord  StartTime = "2011-10-03T11:03:32.657344" Duration = "4.855263" Proto = "tcp" TcpOptions = "Mws   T     "></ArgusFlowRecord>
 <ArgusFlowRecord  StartTime = "2011-10-03T11:03:34.899137" Duration = "0.000719" Proto = "udp"></ArgusFlowRecord>
 <ArgusFlowRecord  StartTime = "2011-10-03T11:03:34.900225" Duration = "0.106366" Proto = "tcp" TcpOptions = "Mws   T     "></ArgusFlowRecord>
 <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.002305" Duration = "0.984422" Proto = "udp"></ArgusFlowRecord>
 <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.002495" Duration = "1.107643" Proto = "udp"></ArgusFlowRecord>
 <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.002775" Duration = "0.078968" Proto = "udp"></ArgusFlowRecord>
 <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.003062" Duration = "0.111157" Proto = "udp"></ArgusFlowRecord>
 <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.003292" Duration = "0.000000" Proto = "arp"></ArgusFlowRecord>
 <ArgusFlowRecord  StartTime = "2011-10-03T11:03:36.004261" Duration = "0.062153" Proto = "udp"></ArgusFlowRecord>
</ArgusDataStream>

If you have another way that would work, please holler.  If OK, I'll upload the new clients with this support sometime this weekend.
Carter

On Oct 7, 2011, at 12:06 PM, Carter Bullard wrote:

> Hey Nikki,
> Argus does not capture TCP headers, so we don't have TCP header content, per se.
> We do capture much of the TCP session semantics, so things like negotiated TCP options,
> TCP state progression, etc…., some sequence numbers, etc…. are available.
> 
> But now that I'm looking at the client source, the "tcpopt" and "tcpext" field, didn't make
> the 3.0 cut.  I'll have to put it back in.
> 
> So what in particular are you looking for?  Just the negotiated options at setup?
> 
> Carter
> 
> On Oct 5, 2011, at 10:05 PM, Nichole K. Boscia wrote:
> 
>> 
>> Hi folks,
>> 
>> I need to pull TCP options such as selective ack, timestamps, winscale, etc. for captured flows.  I assume this is captured since it's part of the TCP header, but I'm not seeing how to print out the values with ra tools.
>> 
>> Thanks,
>> -nikki
>> 
>> -------------------------------------------
>> Nichole K. Boscia
>> Senior Network Engineer, CSC
>> NASA Advanced Supercomputing Division
>> Ames Research Center, Moffett Field, CA 94035
>> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20111007/9edee511/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4367 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20111007/9edee511/attachment.bin>

More information about the argus mailing list