Detect packet drops

Peter Van Epp vanepp at sfu.ca
Thu Feb 2 20:46:41 EST 2012


On Wed, Feb 01, 2012 at 03:10:05PM +0100, elof2 at sentor.se wrote:
> 
> On Fri, 27 Jan 2012, Carter Bullard wrote:
> >OK, as I have mentioned before, we do distinguish between 'skipped' sequence numbers,
> >out of order sequence numbers, and retransmitted numbers (data and acks)
> 
> Great! Then all that's left to do is to set the appropriate output tags.
> 
> What I asked for is actually a much simpler function than what has
> been discussed in the spawned "Another vote for packet drop
> detection"-thread.
> 
> See below for my wishes.
> 
> 
> >The duplicates,
> >such as multiple copies of the exact same packet, are detectable and I put code in to do
> >this, although I don't have any packet files that have the conditions that you describe to
> >verify if they are correct or not, so I haven't finished the support.
> 

	As doing this properly is likely to be a performance hog at high link
speeds it may be that argus isn't the right place to do it. In theory given
proper change control (which I well know isn't a given :-)) this should be
only a problem when a switch configuration change is made by the network folks.
I suspect the correct answer is a standalone libpcap application that checks
for this error (multiple copies of an identical packet) on the monitored link
and flags it. At high line speeds it too will have performance problems (it
is very expensive in memory bandwidth to compare two packets) but since that's
all it's doing, its impact can be less. It also should be a persistent thing
so checking once an hour or once a day may be enough to detect the condition
and correct it. 

Peter Van Epp
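
The standalone duplicate check suggested in the message above, as an added example that is not part of the original post or of argus. It reads a classic pcap file directly with `struct` instead of linking libpcap, and it keeps a digest per frame rather than comparing packets byte by byte; the 5 ms window, the table limit, the function names and the sample capture are all assumptions made for the illustration.

```python
import hashlib
import struct
from collections import OrderedDict

def read_pcap(buf):
    """Yield (timestamp_seconds, frame_bytes) from classic pcap file contents."""
    magic = struct.unpack_from("<I", buf, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic microsecond-resolution pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(buf):
        sec, usec, caplen, _wirelen = struct.unpack_from(endian + "IIII", buf, off)
        off += 16
        if off + caplen > len(buf):
            break  # truncated final record
        yield sec + usec / 1e6, buf[off:off + caplen]
        off += caplen

def find_duplicates(packets, window=0.005, max_tracked=65536):
    """Return (index, first_index, delta_s) for frames byte-identical to one seen within `window`."""
    seen = OrderedDict()  # digest -> (index, timestamp), oldest entry first
    dups = []
    for i, (ts, data) in enumerate(packets):
        # Expire entries older than the window, or the oldest one when the table is full.
        while seen:
            _, t0 = next(iter(seen.values()))
            if ts - t0 <= window and len(seen) < max_tracked:
                break
            seen.popitem(last=False)
        digest = hashlib.blake2b(data, digest_size=16).digest()
        if digest in seen:
            first, t0 = seen[digest]
            dups.append((i, first, ts - t0))
        else:
            seen[digest] = (i, ts)
    return dups

def build_sample():
    """Constructed capture: frame A, frame B, A again 200 us later, A again at t=2 s."""
    a, b = b"\xaa" * 60, b"\xbb" * 60
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in [(1, 0, a), (1, 100, b), (1, 200, a), (2, 0, a)]:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for idx, first, delta in find_duplicates(read_pcap(build_sample())):
        print(f"frame {idx} duplicates frame {first} after {delta * 1e6:.0f} us")
```

Run against a short capture taken once an hour or once a day, any non-empty result points at the monitored link delivering the same frame twice.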


