Printing TCP Options?

Nichole K. Boscia Nichole.K.Boscia at nasa.gov
Fri Oct 7 15:55:42 EDT 2011 

Hi Carter,

Yes, this is exactly what I am looking for -- negotiated TCP options. Most of 
the options are okay as you define them below, except for something like 
winscale, which will have an integer value associated with it.  It's still 
better than what we have now though, so I am excited to see this update from 
you!

Thanks,
-Nikki

-------------------------------------------
Nichole K. Boscia
Senior Network Engineer, CSC
NASA Advanced Supercomputing Division
Ames Research Center, Moffett Field, CA 94035

On Fri, 7 Oct 2011, Carter Bullard wrote:

> Date: Fri, 7 Oct 2011 12:25:47 -0500
> From: Carter Bullard <carter at qosient.com>
> To: "Boscia, Nichole K. (ARC-TN)[Computer Sciences Corporation]"
>     <nichole.boscia at nasa.gov>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Printing TCP Options?
> 
> Hey Nikki,
> Since I hadn't shifted the "tcpopt" field into argus-clients-3.x, we can specify its output now if you don't like what is now there.
> Currently, it is implemented like the "flgs" field, a fixed length string with single characters used to indicate the state for a particular value.
>
> We have 12 TCP options that we need to convey from our TCP options bitmap, so the field is 12 characters long, with spaces used for placement.  A unique character is used to specify that a specific option is on.  Here is the current format:
>
> ARGUS_TCP_MAXSEG:    option[0]  = 'M'
> ARGUS_TCP_WSCALE:    option[1]  = 'w'
> ARGUS_TCP_SACKOK:    option[2]  = 's'
> ARGUS_TCP_SACK:      option[3]  = 'S'
> ARGUS_TCP_ECHO:      option[4]  = 'e'
> ARGUS_TCP_ECHOREPLY: option[5]  = 'E'
> ARGUS_TCP_TIMESTAMP: option[6]  = 'T'
> ARGUS_TCP_CC:        option[7]  = 'c'
> ARGUS_TCP_CCNEW:     option[8]  = 'N'
> ARGUS_TCP_CCECHO:    option[9]  = 'O'
> ARGUS_TCP_SRC_ECN:   option[10] = 'S'
> ARGUS_TCP_DST_ECN:   option[11] = 'D'
>
> And here is how it looks with the various ra.1 printing options, space filled, character delimited, and XML:
>
> ../bin/ra -r /tmp/argus.out -s stime dur proto tcpopt
>                 StartTime        Dur  Proto       TcpOpt
> 2011/10/03.11:03:27.407610   4.820016    tcp Mws   T
> 2011/10/03.11:03:32.657344   4.855263    tcp Mws   T
> 2011/10/03.11:03:34.899137   0.000719    udp
> 2011/10/03.11:03:34.900225   0.106366    tcp Mws   T
> 2011/10/03.11:03:35.002305   0.984422    udp
> 2011/10/03.11:03:35.002495   1.107643    udp
> 2011/10/03.11:03:35.002775   0.078968    udp
> 2011/10/03.11:03:35.003062   0.111157    udp
> 2011/10/03.11:03:35.003292   0.000000    arp
> 2011/10/03.11:03:36.004261   0.062153    udp
>
>
> ../bin/ra -r /tmp/argus.out -s stime dur proto tcpopt -c ,
> StartTime,Dur,Proto,TcpOpt
> 2011/10/03.11:03:27.407610,4.820016,tcp,Mws   T
> 2011/10/03.11:03:32.657344,4.855263,tcp,Mws   T
> 2011/10/03.11:03:34.899137,0.000719,udp,
> 2011/10/03.11:03:34.900225,0.106366,tcp,Mws   T
> 2011/10/03.11:03:35.002305,0.984422,udp,
> 2011/10/03.11:03:35.002495,1.107643,udp,
> 2011/10/03.11:03:35.002775,0.078968,udp,
> 2011/10/03.11:03:35.003062,0.111157,udp,
> 2011/10/03.11:03:35.003292,0.000000,arp,
> 2011/10/03.11:03:36.004261,0.062153,udp,
>
>
> ../bin/ra -r /tmp/argus.out -s stime dur proto tcpopt -M xml
> <?xml version ="1.0" encoding="UTF-8"?>
> <!--Generated by ra(3.0.5.20) QoSient, LLC-->
> <ArgusDataStream
>  xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
>  xsi:noNamespaceSchemaLocation = "http://qosient.com/argus/Xml/ArgusRecord.3.0.xsd"
>  BeginDate = "2011-09-16T11:52:47.355095" CurrentDate = "2011-10-07T13:09:21.721079"
>  MajorVersion = "3" MinorVersion = "0.3" InterfaceType = "DLT_NULL" InterfaceStatus = "Up"
>  ArgusSourceId = "192.168.0.68"  NetAddr = "0.0.0.0"  NetMask = "0.0.0.0">
>
> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:27.407610" Duration = "4.820016" Proto = "tcp" TcpOptions = "Mws   T     "></ArgusFlowRecord>
> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:32.657344" Duration = "4.855263" Proto = "tcp" TcpOptions = "Mws   T     "></ArgusFlowRecord>
> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:34.899137" Duration = "0.000719" Proto = "udp"></ArgusFlowRecord>
> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:34.900225" Duration = "0.106366" Proto = "tcp" TcpOptions = "Mws   T     "></ArgusFlowRecord>
> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.002305" Duration = "0.984422" Proto = "udp"></ArgusFlowRecord>
> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.002495" Duration = "1.107643" Proto = "udp"></ArgusFlowRecord>
> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.002775" Duration = "0.078968" Proto = "udp"></ArgusFlowRecord>
> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.003062" Duration = "0.111157" Proto = "udp"></ArgusFlowRecord>
> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.003292" Duration = "0.000000" Proto = "arp"></ArgusFlowRecord>
> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:36.004261" Duration = "0.062153" Proto = "udp"></ArgusFlowRecord>
> </ArgusDataStream>
>
> If you have another way that would work, please holler.  If OK, I'll upload the new clients with this support sometime this weekend.
> Carter
>
> On Oct 7, 2011, at 12:06 PM, Carter Bullard wrote:
>
>> Hey Nikki,
>> Argus does not capture TCP headers, so we don't have TCP header content, per se.
>> We do capture much of the TCP session semantics, so things like negotiated TCP options,
>> TCP state progression, etc…., some sequence numbers, etc…. are available.
>>
>> But now that I'm looking at the client source, the "tcpopt" and "tcpext" field, didn't make
>> the 3.0 cut.  I'll have to put it back in.
>>
>> So what in particular are you looking for?  Just the negotiated options at setup?
>>
>> Carter
>>
>> On Oct 5, 2011, at 10:05 PM, Nichole K. Boscia wrote:
>>
>>>
>>> Hi folks,
>>>
>>> I need to pull TCP options such as selective ack, timestamps, winscale, etc. for captured flows.  I assume this is captured since it's part of the TCP header, but I'm not seeing how to print out the values with ra tools.
>>>
>>> Thanks,
>>> -nikki
>>>
>>> -------------------------------------------
>>> Nichole K. Boscia
>>> Senior Network Engineer, CSC
>>> NASA Advanced Supercomputing Division
>>> Ames Research Center, Moffett Field, CA 94035
>>>
>>
>
>

More information about the argus mailing list