Printing TCP Options?

Carter Bullard carter at qosient.com
Fri Oct 7 16:14:26 EDT 2011 

Hey Nikki,
I do understand.  We have the actual window scale value that was used, as we use it when calculating the " swin " and " dwin " values, so not sure that that specific option is a problem.
The most important ones, for me, are the CC and CC.NEW options, as they are needed to figure out what is going on when you don't see the Syn/SynAck/Ack volley.  That way you could see that they are using Transactional TCP.   We don't capture the CC values in this current version of Argus.

OK, well this is in argus-clients-3.0.5.21, which I've just now put up on the server.
If you find any problems with the " tcpopt " option, holler !!!!

Carter


On Oct 7, 2011, at 3:55 PM, Nichole K. Boscia wrote:

> 
> Hi Carter,
> 
> Yes, this is exactly what I am looking for -- negotiated TCP options. Most of the options are okay as you define them below, except for something like winscale, which will have an integer value associated with it.  It's still better than what we have now though, so I am excited to see this update from you!
> 
> Thanks,
> -Nikki
> 
> -------------------------------------------
> Nichole K. Boscia
> Senior Network Engineer, CSC
> NASA Advanced Supercomputing Division
> Ames Research Center, Moffett Field, CA 94035
> 
> On Fri, 7 Oct 2011, Carter Bullard wrote:
> 
>> Date: Fri, 7 Oct 2011 12:25:47 -0500
>> From: Carter Bullard <carter at qosient.com>
>> To: "Boscia, Nichole K. (ARC-TN)[Computer Sciences Corporation]"
>>    <nichole.boscia at nasa.gov>
>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>> Subject: Re: [ARGUS] Printing TCP Options?
>> Hey Nikki,
>> Since I hadn't shifted the "tcpopt" field into argus-clients-3.x, we can specify its output now if you don't like what is now there.
>> Currently, it is implemented like the "flgs" field, a fixed length string with single characters used to indicate the state for a particular value.
>> 
>> We have 12 TCP options that we need to convey from our TCP options bitmap, so the field is 12 characters long, with spaces used for placement.  A unique character is used to specify that a specific option is on.  Here is the current format:
>> 
>> ARGUS_TCP_MAXSEG:    option[0]  = 'M'
>> ARGUS_TCP_WSCALE:    option[1]  = 'w'
>> ARGUS_TCP_SACKOK:    option[2]  = 's'
>> ARGUS_TCP_SACK:      option[3]  = 'S'
>> ARGUS_TCP_ECHO:      option[4]  = 'e'
>> ARGUS_TCP_ECHOREPLY: option[5]  = 'E'
>> ARGUS_TCP_TIMESTAMP: option[6]  = 'T'
>> ARGUS_TCP_CC:        option[7]  = 'c'
>> ARGUS_TCP_CCNEW:     option[8]  = 'N'
>> ARGUS_TCP_CCECHO:    option[9]  = 'O'
>> ARGUS_TCP_SRC_ECN:   option[10] = 'S'
>> ARGUS_TCP_DST_ECN:   option[11] = 'D'
>> 
>> And here is how it looks with the various ra.1 printing options, space filled, character delimited, and XML:
>> 
>> ../bin/ra -r /tmp/argus.out -s stime dur proto tcpopt
>>                StartTime        Dur  Proto       TcpOpt
>> 2011/10/03.11:03:27.407610   4.820016    tcp Mws   T
>> 2011/10/03.11:03:32.657344   4.855263    tcp Mws   T
>> 2011/10/03.11:03:34.899137   0.000719    udp
>> 2011/10/03.11:03:34.900225   0.106366    tcp Mws   T
>> 2011/10/03.11:03:35.002305   0.984422    udp
>> 2011/10/03.11:03:35.002495   1.107643    udp
>> 2011/10/03.11:03:35.002775   0.078968    udp
>> 2011/10/03.11:03:35.003062   0.111157    udp
>> 2011/10/03.11:03:35.003292   0.000000    arp
>> 2011/10/03.11:03:36.004261   0.062153    udp
>> 
>> 
>> ../bin/ra -r /tmp/argus.out -s stime dur proto tcpopt -c ,
>> StartTime,Dur,Proto,TcpOpt
>> 2011/10/03.11:03:27.407610,4.820016,tcp,Mws   T
>> 2011/10/03.11:03:32.657344,4.855263,tcp,Mws   T
>> 2011/10/03.11:03:34.899137,0.000719,udp,
>> 2011/10/03.11:03:34.900225,0.106366,tcp,Mws   T
>> 2011/10/03.11:03:35.002305,0.984422,udp,
>> 2011/10/03.11:03:35.002495,1.107643,udp,
>> 2011/10/03.11:03:35.002775,0.078968,udp,
>> 2011/10/03.11:03:35.003062,0.111157,udp,
>> 2011/10/03.11:03:35.003292,0.000000,arp,
>> 2011/10/03.11:03:36.004261,0.062153,udp,
>> 
>> 
>> ../bin/ra -r /tmp/argus.out -s stime dur proto tcpopt -M xml
>> <?xml version ="1.0" encoding="UTF-8"?>
>> <!--Generated by ra(3.0.5.20) QoSient, LLC-->
>> <ArgusDataStream
>> xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
>> xsi:noNamespaceSchemaLocation = "http://qosient.com/argus/Xml/ArgusRecord.3.0.xsd"
>> BeginDate = "2011-09-16T11:52:47.355095" CurrentDate = "2011-10-07T13:09:21.721079"
>> MajorVersion = "3" MinorVersion = "0.3" InterfaceType = "DLT_NULL" InterfaceStatus = "Up"
>> ArgusSourceId = "192.168.0.68"  NetAddr = "0.0.0.0"  NetMask = "0.0.0.0">
>> 
>> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:27.407610" Duration = "4.820016" Proto = "tcp" TcpOptions = "Mws   T     "></ArgusFlowRecord>
>> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:32.657344" Duration = "4.855263" Proto = "tcp" TcpOptions = "Mws   T     "></ArgusFlowRecord>
>> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:34.899137" Duration = "0.000719" Proto = "udp"></ArgusFlowRecord>
>> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:34.900225" Duration = "0.106366" Proto = "tcp" TcpOptions = "Mws   T     "></ArgusFlowRecord>
>> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.002305" Duration = "0.984422" Proto = "udp"></ArgusFlowRecord>
>> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.002495" Duration = "1.107643" Proto = "udp"></ArgusFlowRecord>
>> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.002775" Duration = "0.078968" Proto = "udp"></ArgusFlowRecord>
>> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.003062" Duration = "0.111157" Proto = "udp"></ArgusFlowRecord>
>> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:35.003292" Duration = "0.000000" Proto = "arp"></ArgusFlowRecord>
>> <ArgusFlowRecord  StartTime = "2011-10-03T11:03:36.004261" Duration = "0.062153" Proto = "udp"></ArgusFlowRecord>
>> </ArgusDataStream>
>> 
>> If you have another way that would work, please holler.  If OK, I'll upload the new clients with this support sometime this weekend.
>> Carter
>> 
>> On Oct 7, 2011, at 12:06 PM, Carter Bullard wrote:
>> 
>>> Hey Nikki,
>>> Argus does not capture TCP headers, so we don't have TCP header content, per se.
>>> We do capture much of the TCP session semantics, so things like negotiated TCP options,
>>> TCP state progression, etc…., some sequence numbers, etc…. are available.
>>> 
>>> But now that I'm looking at the client source, the "tcpopt" and "tcpext" field, didn't make
>>> the 3.0 cut.  I'll have to put it back in.
>>> 
>>> So what in particular are you looking for?  Just the negotiated options at setup?
>>> 
>>> Carter
>>> 
>>> On Oct 5, 2011, at 10:05 PM, Nichole K. Boscia wrote:
>>> 
>>>> 
>>>> Hi folks,
>>>> 
>>>> I need to pull TCP options such as selective ack, timestamps, winscale, etc. for captured flows.  I assume this is captured since it's part of the TCP header, but I'm not seeing how to print out the values with ra tools.
>>>> 
>>>> Thanks,
>>>> -nikki
>>>> 
>>>> -------------------------------------------
>>>> Nichole K. Boscia
>>>> Senior Network Engineer, CSC
>>>> NASA Advanced Supercomputing Division
>>>> Ames Research Center, Moffett Field, CA 94035
>>>> 
>>> 
>> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4367 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20111007/f5ae9af2/attachment.bin>

More information about the argus mailing list