Detect packet drops

Carter Bullard carter at qosient.com
Tue Feb 7 11:11:25 EST 2012


OK !!!  Any testing on the gap support?  Is it doing what you wanted?
If that is successful, then we can move on to other efforts of esoterica ;o)

Carter


On Feb 7, 2012, at 10:54 AM, elof2 at sentor.se wrote:

> On Thu, 2 Feb 2012, Peter Van Epp wrote:
>>>> The duplicates,
>>>> such as multiple copies of the exact same packet, is detectable and I put code in to do
>>>> this, although I don't have any packet files that have the conditions that you describe to
>>>> verify if they are correct or not, so I haven't finished the support.
>> 
>> 	As doing this properly is likely to be a performance hog at high link
>> speeds it may be that argus isn't the right place to do it. In theory given
>> proper change control (which I well know isn't a given :-)) this should be
>> only a problem when a switch configuration change is made by the network folks.
>> I suspect the correct answer is a standalone libpcap application that checks
>> for this error (multiple copies of an identical packet) on the monitored link
>> and flags it. At high line speeds it too will have performance problems (it
>> is very expensive in memory bandwidth to compare two packets) but since that's
>> all its doing its impact can be less. It also should be a persistent thing
>> so checking once an hour or once a day may be enough to detect the condition
>> and correct it.
> 
> You are quite correct.
> 
> I already got tcpdump, tshark and ngrep, so another tool for just measuring duplicates as well as detecting gaps would be sufficient for me, since I could perform spot tests every now and then instead of wasting cpu resources in argus.
> The problem is just that no such tool seems to exist. :-(
> 
> 
> Detecting duplicates is easy without any additional tool besides tcpdump or tshark:
> Just look for two similar rows directly after each other. By adding verbosity to the output you can be sure that the second packet is really a duplicate and not a retransmission by comparing the IP-id. By comparing the TTL-value and MAC-addresses you can rule out packets that look similar but are in fact sniffed before and after a router hop.
> 
> 
> So the problem is really just the gap detection.
> 
> Ideally I'd like a commandline tool that prints a '#' every time it detects a gap.
> 
> /Elof

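The two checks Elof describes above (consecutive look-alike rows told apart by IP-id, TTL and MAC addresses, plus a '#' for every detected gap), as an added example that is not part of this thread or of argus. It runs over a constructed list of already-decoded TCP packet records rather than a live capture, and the gap rule it assumes is a jump in a flow's TCP sequence number past the next byte expected.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """The fields a verbose tcpdump/tshark row exposes (constructed model, not a pcap parser)."""
    src_mac: str
    dst_mac: str
    ttl: int
    ip_id: int
    src: str
    dst: str
    sport: int
    dport: int
    seq: int      # TCP sequence number
    length: int   # TCP payload length in bytes

def flow(p):
    return (p.src, p.dst, p.sport, p.dport)

def classify_pair(prev, cur):
    """Elof's rule for two consecutive rows that look alike; None if they do not."""
    if prev is None or flow(prev) != flow(cur) or prev.seq != cur.seq or prev.length != cur.length:
        return None
    if prev.ip_id != cur.ip_id:
        return "retransmission"   # same TCP data, but a fresh IP datagram
    if prev.ttl != cur.ttl or prev.src_mac != cur.src_mac or prev.dst_mac != cur.dst_mac:
        return "router-hop"       # same datagram captured on both sides of a router
    return "duplicate"            # the tap/span delivered the same frame twice

def scan(packets):
    """Walk a capture in order; emit D/R/H for look-alike pairs and '#' for each gap."""
    expected = {}   # flow -> next TCP sequence number we expect to see
    marks, prev = [], None
    for p in packets:
        kind = classify_pair(prev, p)
        if kind:
            marks.append({"duplicate": "D", "retransmission": "R", "router-hop": "H"}[kind])
        else:
            f, exp = flow(p), expected.get(flow(p))
            if exp is not None and p.seq > exp:
                marks.append("#")   # bytes between exp and p.seq were never captured
            expected[f] = max(expected.get(f, 0), p.seq + p.length)
        prev = p
    return marks

# Constructed sample: duplicate, retransmission, router-hop copy, then a 200-byte gap.
SAMPLE = [
    Pkt("aa", "bb", 64, 1, "10.0.0.1", "10.0.0.2", 1111, 80, 1000, 100),
    Pkt("aa", "bb", 64, 1, "10.0.0.1", "10.0.0.2", 1111, 80, 1000, 100),
    Pkt("aa", "bb", 64, 2, "10.0.0.1", "10.0.0.2", 1111, 80, 1100, 100),
    Pkt("aa", "bb", 64, 3, "10.0.0.1", "10.0.0.2", 1111, 80, 1100, 100),
    Pkt("cc", "dd", 63, 3, "10.0.0.1", "10.0.0.2", 1111, 80, 1100, 100),
    Pkt("aa", "bb", 64, 4, "10.0.0.1", "10.0.0.2", 1111, 80, 1400, 100),
]

if __name__ == "__main__":
    print("".join(scan(SAMPLE)))   # prints DRH#
```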