ra / racluster - filter on TCP options
David Edelman
dedelman at iname.com
Fri Jun 7 14:52:43 EDT 2013
Carter,
I think that we once discussed tcp and udp options and that they were
somehow stored as a long bitmask which accommodated both combinations of
options as well as the possibility of locally defined options. If this is
the case, would it make sense to do something based on the assigned option
number or equivalent name allowing for both options specified and not
specified e.g.:
ra - tcpopt mss and not syn
ra - tcpopt mss and not tcpopt 0x1a
--Dave
On 6/7/13 5:36 PM, "Carter Bullard" <carter at qosient.com> wrote:
>Hey Jon,
>We definitely know what the options are, but I don't have any
>filter support right now.
>
>I can add something like:
> ra - tcpopt mss
>
>I'll need some grammar suggestions for all the options we track,
>which are:
>
> Maximum Segment Size
> Window Scale
> Selective ACK OK
> Selective ACK
> TCP Echo
> TCP Echo Reply
> TCP Timestamp
> TCP CC
> TCP CC New
> TCP CC Echo
> Source Explicit Congestion Notification
> Destination Explicit Congestion Notification
>
>I can put this in pretty quick, once we figure out the syntax.
>Carter
>
>
>On Jun 6, 2013, at 6:14 PM, jdenton <jdenton at itcglobal.com> wrote:
>
>> Hi Carter,
>>
>> Hope all is well.
>> Working with some network gear that changes the TCP options on packets
>> it processes, is it possible to filter in the argus-clients based on
>> TCP header options?? i.e. All traffic where TCP option = 26 or 0x1A.
>>
>> Thanks,
>> Jon
>>
>>
>
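The idea discussed in this thread (a per-flow bitmask of TCP options, tested for options that are present and options that are absent) can be sketched as follows. This is an added example, not argus code and not written by anyone in the thread; the function names and the layout of one bit per option kind number are assumptions, since the thread does not show how argus stores options.

```python
# Added illustration; all names are hypothetical, not argus internals.
# Option kind numbers are the IANA-assigned values for options named in the thread.
KINDS = {"mss": 2, "wscale": 3, "sackok": 4, "sack": 5,
         "echo": 6, "echoreply": 7, "timestamp": 8,
         "cc": 11, "ccnew": 12, "ccecho": 13}

def option_mask(opts: bytes) -> int:
    """Walk the TCP options area (kind/length/value) and set bit N for kind N."""
    mask, i = 0, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List: stop parsing
            break
        if kind == 1:                      # No-Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):             # kind byte with no length byte
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        mask |= 1 << kind                  # Python ints hold all 256 possible kinds
        i += length
    return mask

def _bit(opt) -> int:
    """Accept an option name from KINDS or a numeric kind such as 0x1a."""
    return 1 << (KINDS[opt] if isinstance(opt, str) else opt)

def matches(mask: int, present=(), absent=()) -> bool:
    """True when every 'present' option is set and no 'absent' option is."""
    return (all(mask & _bit(o) for o in present)
            and not any(mask & _bit(o) for o in absent))

# Constructed sample option bytes (not captured traffic):
# MSS=1460, NOP, window scale 7, SACK permitted.
PLAIN = bytes.fromhex("020405b4 01 030307 0402")
# Same options plus a constructed 4-byte option of kind 26 (0x1a).
REWRITTEN = PLAIN + bytes.fromhex("1a040000")

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("rewritten", REWRITTEN)):
        m = option_mask(raw)
        # Equivalent of the proposed "tcpopt mss and not tcpopt 0x1a"
        print(name, hex(m), matches(m, present=["mss"], absent=[0x1a]))
```
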