Detect packet drops

elof2 at sentor.se
Tue Feb 7 10:54:48 EST 2012


On Thu, 2 Feb 2012, Peter Van Epp wrote:
>>> The duplicates,
>>> such as multiple copies of the exact same packet, is detectable and I put code in to do
>>> this, although I don't have any packet files that have the conditions that you describe to
>>> verify if they are correct or not, so I haven't finished the support.
>
> 	As doing this properly is likely to be a performance hog at high link
> speeds it may be that argus isn't the right place to do it. In theory given
> proper change control (which I well know isn't a given :-)) this should be
> only a problem when a switch configuration change is made by the network folks.
> I suspect the correct answer is a standalone libpcap application that checks
> for this error (multiple copies of an identical packet) on the monitored link
> and flags it. At high line speeds it too will have performance problems (it
> is very expensive in memory bandwidth to compare two packets) but since thats
> all its doing its impact can be less. It also should be a persistent thing
> so checking once an hour or once a day may be enough to detect the condition
> and correct it.

You are quite correct.

I already have tcpdump, tshark and ngrep, so another tool for just 
measuring duplicates as well as detecting gaps would be sufficient for me, 
since I could perform spot tests every now and then instead of wasting CPU 
resources in argus.
The problem is just that no such tool seems to exist. :-(


Detecting duplicates is easy without any additional tool besides tcpdump 
or tshark:
Just look for two similar rows directly after each other. By adding 
verbosity to the output you can be sure that the second packet is really a 
duplicate and not a retransmission by comparing the IP ID. By comparing 
the TTL value and MAC addresses you can rule out packets that look 
similar but are in fact sniffed before and after a router hop.


So the problem is really just the gap detection.

Ideally I'd like a commandline tool that prints a '#' every time it 
detects a gap.

/Elof
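
Added example (not code from this thread, argus, tcpdump or tshark): a
small standalone checker of the kind Peter suggests and Elof asks for. It
reads a classic pcap file, applies the rule of thumb from the message above
to consecutive TCP frames (same segment and same IP ID, TTL and MACs is a
duplicate copy from the tap or SPAN; a fresh IP ID is a sender
retransmission; the same IP ID with a changed TTL and MACs is the same
packet seen before and after a router hop), and prints a '#' for every TCP
sequence gap, i.e. every time a flow's next segment starts beyond the byte
the checker expected. It uses only the standard library, so it runs
offline. The capture it analyses when given no file argument is constructed
inline (hosts 10.0.0.1 and 10.0.0.2, locally administered MACs, ports
40000 and 80); those values, the function names and the assumption that
the capture is Ethernet/IPv4/TCP in classic pcap format (not pcapng) are
the example's own. Sequence-number wraparound and IP fragments are not
handled.

```python
"""Added example: standalone pcap checker for duplicate frames and TCP gaps.
Pure Python (struct only); sample capture is constructed, not sniffed."""
import struct
import sys

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1


def parse_pcap(data):
    """Yield raw frames from a classic (non-pcapng) pcap byte string."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = "<" if magic == PCAP_MAGIC_LE else ">" if magic == PCAP_MAGIC_BE else None
    if end is None:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Extract the fields the thread compares from an Ethernet/IPv4/TCP frame.
    Returns None for anything else (ARP, IPv6, UDP, runt frames)."""
    if len(frame) < 14 + 20 + 20 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    dst_mac, src_mac, ip = frame[0:6], frame[6:12], frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id, _frag, ttl, proto = struct.unpack_from("!HHHBB", ip, 2)
    if proto != 6:
        return None
    sport, dport, seq, _ack, doff, flags = struct.unpack_from("!HHIIBB", ip, ihl)
    return {"dst_mac": dst_mac, "src_mac": src_mac, "ip_id": ip_id, "ttl": ttl,
            "flow": (ip[12:16], ip[16:20], sport, dport), "seq": seq,
            "syn": int(bool(flags & 0x02)), "fin": int(bool(flags & 0x01)),
            "payload_len": total_len - ihl - (doff >> 4) * 4}


def classify_pair(prev, cur):
    """Rule of thumb from the thread for two consecutive frames of one flow
    carrying the same sequence number: same IP ID + same TTL/MACs -> duplicate
    copy; new IP ID -> retransmission; same IP ID, changed TTL/MACs -> router hop."""
    if prev is None or cur is None or prev["flow"] != cur["flow"] or prev["seq"] != cur["seq"]:
        return None
    if prev["ip_id"] != cur["ip_id"]:
        return "retransmission"
    same_path = (prev["ttl"], prev["src_mac"], prev["dst_mac"]) == (cur["ttl"], cur["src_mac"], cur["dst_mac"])
    return "duplicate" if same_path else "router-hop"


def analyze(pcap_bytes):
    """Tally duplicate kinds and record TCP gaps, printing '#' per gap.
    A gap is a segment whose seq is beyond the next byte we expected for its flow.
    Simplification: no handling of 32-bit sequence wraparound."""
    counts = {"duplicate": 0, "retransmission": 0, "router-hop": 0}
    gaps, expected, prev = [], {}, None  # expected: flow -> next seq we should see
    for frame in parse_pcap(pcap_bytes):
        cur = decode(frame)
        if cur is None:
            continue
        kind = classify_pair(prev, cur)
        if kind:
            counts[kind] += 1
        else:
            exp = expected.get(cur["flow"])
            if exp is not None and cur["seq"] > exp:  # bytes exp..seq-1 never seen on this link
                gaps.append((cur["flow"], exp, cur["seq"]))
                print("#", end="", flush=True)
            nxt = cur["seq"] + cur["payload_len"] + cur["syn"] + cur["fin"]
            if exp is None or nxt > exp:
                expected[cur["flow"]] = nxt
        prev = cur
    return counts, gaps


def build_frame(src_mac, dst_mac, ip_id, ttl, seq, payload, syn=False):
    """Constructed Ethernet/IPv4/TCP frame 10.0.0.1:40000 -> 10.0.0.2:80 (checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x02 if syn else 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (link type 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))


HOST_A, HOST_B, ROUTER = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b", b"\x02\x00\x00\x00\x00\xfe"
SAMPLE_PCAP = build_pcap([  # constructed sample capture
    build_frame(HOST_A, HOST_B, 1, 64, 1000, b"", syn=True),  # SYN: next expected seq 1001
    build_frame(HOST_A, HOST_B, 2, 64, 1001, b"0123456789"),  # 10 bytes: next expected 1011
    build_frame(HOST_A, HOST_B, 2, 64, 1001, b"0123456789"),  # identical copy: SPAN/tap duplicate
    build_frame(HOST_A, HOST_B, 3, 64, 1001, b"0123456789"),  # new IP ID: sender retransmission
    build_frame(HOST_A, HOST_B, 4, 64, 1021, b"abcdefghij"),  # seq jumps past 1011: GAP
    build_frame(ROUTER, HOST_B, 4, 63, 1021, b"abcdefghij"),  # same IP ID, TTL-1, new MAC: router hop
    build_frame(HOST_A, HOST_B, 5, 64, 1031, b"klmnopqrst"),  # contiguous: no gap
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    c, g = analyze(data)
    print("\nduplicates=%d retransmissions=%d router-hops=%d gaps=%d"
          % (c["duplicate"], c["retransmission"], c["router-hop"], len(g)))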
