Detect packet drops

Peter Van Epp vanepp at sfu.ca
Wed Jan 25 23:08:22 EST 2012


On Wed, Jan 25, 2012 at 02:02:08PM +0100, elof2 at sentor.se wrote:
> 
> Hi Carter!
> 
> Any more thoughts or progress with this?
> 
> I just realised that I can't even rely on Wireshark for an estimate
> of dropped packets, since Wireshark's Expert Info "ACKed lost
> segment" tags out-of-order FIN packets as "ACKed lost segment".
> 
> What I'm looking for is not a 100% accurate system to count every
> missing packet (which is impossible to determine), but a flag on
> each session that argus knows is missing one or more packets.
> Just like the flag for retransmission doesn't say how many
> retransmissions there were in a TCP flow.
> 

	Checking the pcap reported loss rate (it's in the man records, which 
you have to enable to see these days) will give you an indication; although
it is only one of the several ways your sensor can be losing packets, it is one
good indication of how your sensor is doing. There is an explanation of a
number of the possible (and usually invisible) loss points in a sensor on 
Carter's web site at http://www.qosient.com/argus/sensorPerformance.shtml as
well.
	Comparing the RMON traffic counts reported by the switch feeding your 
sensor against the argus counts is another way, although synchronizing the two
counts can be exciting :-). Both of these only indicate loss of data that makes
it as far as your sensor, of course, and aren't an indication of loss elsewhere
in the path, but that's a start ...
	As well, using something like tcpreplay from a pcap file with suitable
hardware (which can get very hard at high speed of course :-)) feeding in to
your sensor can give you a known input traffic pattern to estimate sensor loss 
as well. 

Peter Van Epp
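The per-session "missing packets" flag elof2 asks for, as an added illustration that is not argus code and not from either poster: it tracks holes in each direction's TCP sequence space and flags a flow only if a hole is still unfilled when the capture ends, so a FIN captured ahead of the data it followed (the Wireshark false positive quoted above) is classed as reordering rather than loss. The packet records, addresses and field layout are constructed for the example.

```python
from collections import defaultdict

def seg_len(flags, n): return n + ("S" in flags) + ("F" in flags)  # SYN/FIN each use one seq number

class Direction:
    def __init__(self, isn):
        self.isn = isn      # first sequence number seen; offsets are relative to it
        self.next = 0       # next expected relative offset
        self.holes = []     # (start, end) byte ranges the sensor never saw
        self.below = 0      # segments at/below expected: retransmission or reorder

    def add(self, seq, length):
        s = (seq - self.isn) % (1 << 32)   # linear offset, tolerant of 32-bit wraparound
        e = s + length
        if s > self.next:            # jump forward: bytes next..s were not seen
            self.holes.append((self.next, s))
        elif s < self.next:          # already-covered range: not evidence of loss
            self.below += 1
            self.holes = list(self._fill(s, e))   # a late segment may plug a hole
        self.next = max(self.next, e)

    def _fill(self, s, e):
        for hs, he in self.holes:
            if e <= hs or s >= he:   # no overlap: hole stays
                yield (hs, he)
            else:                    # keep only what the segment did not cover
                if hs < s: yield (hs, s)
                if e < he: yield (e, he)

def analyse(packets):
    """packets: (src, sport, dst, dport, seq, flags, payload_len) in capture order.
    Returns {flow: {"missing": bool, "retrans_or_reorder": bool}} per bidirectional flow."""
    dirs = {}
    for src, sport, dst, dport, seq, flags, plen in packets:
        d = dirs.setdefault((src, sport, dst, dport), Direction(seq))
        d.add(seq, seg_len(flags, plen))
    flows = defaultdict(lambda: {"missing": False, "retrans_or_reorder": False})
    for (src, sport, dst, dport), d in dirs.items():
        rec = flows[tuple(sorted([(src, sport), (dst, dport)]))]   # one record per flow
        rec["missing"] |= bool(d.holes)          # hole still open at end of flow = loss
        rec["retrans_or_reorder"] |= d.below > 0
    return dict(flows)

# Constructed sample (hypothetical addresses): flow A lost a 100-byte segment at the
# sensor; in flow B the FIN was captured before the data it followed, which is not loss.
A = ("10.0.0.1", 40000, "10.0.0.2", 80)
B = ("10.0.0.3", 40001, "10.0.0.2", 80)
SAMPLE = [A + (1000, "S", 0), A + (1001, "A", 100), A + (1201, "A", 100), A + (1301, "FA", 0),
          B + (2000, "S", 0), B + (2001, "A", 50), B + (2101, "FA", 0), B + (2051, "A", 50)]
```

A hole that is still open after the last packet is the only thing that sets the flag, so a pure retransmission (same sequence number seen twice) raises "retrans_or_reorder" but never "missing".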