ra / racluster - filter on TCP options

jdenton jdenton at itcglobal.com
Fri Jun 7 15:23:26 EDT 2013


Carter, Dave,

Looking at my traffic, the network vendor appears to set the first byte 
to 0x1e in the TCP Options field.
This keeps the traffic normal but allows them to detect the packet.
To Dave's point, the TCP Options field is 12 bytes of other 'who knows 
what' info.
Would you need a filter with byte offsets?
Wireshark tags it as 'Multipath TCP' but I don't know if that is always 
the case?
Will run a few more captures to see if the 'Multipath' label is consistent.

Regards,
Jon
On 6/7/13 1:52 PM, David Edelman wrote:
> Carter,
>
> I think that we once discussed tcp and udp options and that they were
> somehow stored as a long bitmask which accommodated both combinations of
> options as well as the possibility of locally defined options. If this is
> the case, would it make sense to do something based on the assigned option
> number or equivalent name allowing for both options specified and not
> specified e.g.:
>
> ra - tcpopt mss and not syn
>
> ra - tcpopt mss and not tcpopt 0x1a
>
> --Dave
>
> On 6/7/13 5:36 PM, "Carter Bullard" <carter at qosient.com> wrote:
>
>> Hey Jon,
>> We definitely know what the options are, but I don't have any
>> filter support right now.
>>
>> I can add something like:
>>    ra - tcpopt mss
>>
>> I'll need some grammar suggestions for all the options we track,
>> which are:
>>
>> Maximum Segment Size
>> Window Scale
>> Selective ACK OK
>> Selective ACK
>> TCP Echo
>> TCP Echo Reply
>> TCP Timestamp
>> TCP CC
>> TCP CC New
>> TCP CC Echo
>> Source Explicit Congestion Notification
>> Destination Explicit Congestion Notification
>>
>> I can put this in pretty quick, once we figure out the syntax.
>> Carter
>>
>>
>> On Jun 6, 2013, at 6:14 PM, jdenton <jdenton at itcglobal.com> wrote:
>>
>>> Hi Carter,
>>>
>>> Hope all is well.
>>> Working with some network gear that changes the TCP options on packets
>>> it processes, is it possible to filter
>>> in the argus-clients based on TCP header options?  i.e. All traffic
>>> where  TCP option = 26 or 0x1A.
>>>
>>> Thanks,
>>> Jon
>>>
>>>
>
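The byte-offset filter Jon asks about (the tcpdump/BPF form would be `tcp[12] & 0xf0 > 0x50 and tcp[20] = 0x1e`, i.e. options present and the first option byte equal to 0x1e) only matches when the vendor option is the very first entry. TCP options are a variable-length kind/length/value list, so a kind-based filter such as the `tcpopt` grammar Carter and Dave sketch has to walk the list. The parser below is an added example, not code from the argus project or from anyone on the thread. It walks the option list the way RFC 793 defines it (kind 0 ends the list, kind 1 is a single NOP byte, everything else carries a length byte), stops on malformed lengths rather than looping or reading past the header, and contrasts the result with the first-byte check. 0x1e is option kind 30, which IANA assigns to Multipath TCP, hence the Wireshark label. The sample headers, the hypothetical `build_tcp_header` helper and the 4-byte kind-30 option it carries are constructed for this example (the kind-30 payload is not a valid MPTCP subtype, just a placeholder value).

```python
"""Walk a TCP option list and flag packets by option kind.

Added example, not from the argus mailing-list thread or the argus
code base. Sample headers below are constructed for this example.
"""
import struct

# IANA-assigned option kinds the thread mentions, plus MPTCP (kind 30),
# which is how Wireshark labels a leading 0x1e option byte.
OPTION_NAMES = {
    0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACK-OK", 5: "SACK",
    6: "ECHO", 7: "ECHO-REPLY", 8: "TIMESTAMP", 11: "CC", 12: "CC.NEW",
    13: "CC.ECHO", 30: "MPTCP",
}


def parse_tcp_options(tcp_header: bytes):
    """Return (options, malformed) for a TCP header starting at byte 0.

    options is a list of (kind, value_bytes) in wire order. malformed is
    True when the data offset is bogus, a kind byte has no length byte,
    or an option declares a length below 2 or past the end of the header.
    """
    if len(tcp_header) < 20:
        return [], True
    data_offset = (tcp_header[12] >> 4) * 4      # high nibble, in 32-bit words
    if data_offset < 20 or data_offset > len(tcp_header):
        return [], True
    opts = tcp_header[20:data_offset]            # options always start at byte 20
    result = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # End of option list
            result.append((kind, b""))
            break
        if kind == 1:                            # NOP: one byte, no length field
            result.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):                   # kind byte with no length byte
            return result, True
        length = opts[i + 1]
        if length < 2 or i + length > len(opts): # would loop forever or overrun
            return result, True
        result.append((kind, opts[i + 2:i + length]))
        i += length
    return result, False


def has_option(tcp_header: bytes, kind: int) -> bool:
    """True if the header carries an option of this kind anywhere in the list."""
    opts, _ = parse_tcp_options(tcp_header)
    return any(k == kind for k, _ in opts)


def byte_offset_match(tcp_header: bytes, value: int = 0x1E) -> bool:
    """Python equivalent of the BPF filter 'tcp[12] & 0xf0 > 0x50 and tcp[20] = value'."""
    return (len(tcp_header) > 20
            and (tcp_header[12] >> 4) > 5
            and tcp_header[20] == value)


def build_tcp_header(options: bytes, flags: int = 0x02) -> bytes:
    """Hypothetical helper: a minimal SYN header carrying the given options, padded to 4 bytes."""
    options = options + b"\x00" * ((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 12345, 80, 1, 0,
                       data_offset << 4, flags, 65535, 0, 0) + options


# Constructed samples: MSS only; vendor option first; vendor option after
# MSS and two NOPs; and a kind-30 option with a zero length byte.
SAMPLE_MSS_ONLY = build_tcp_header(b"\x02\x04\x05\xb4")
SAMPLE_VENDOR_FIRST = build_tcp_header(b"\x1e\x04\xab\xcd\x02\x04\x05\xb4")
SAMPLE_VENDOR_LATER = build_tcp_header(b"\x02\x04\x05\xb4\x01\x01\x1e\x04\xab\xcd")
SAMPLE_MALFORMED = build_tcp_header(b"\x1e\x00\x02\x04")


if __name__ == "__main__":
    for name, hdr in [("mss-only", SAMPLE_MSS_ONLY), ("vendor-first", SAMPLE_VENDOR_FIRST),
                      ("vendor-later", SAMPLE_VENDOR_LATER), ("malformed", SAMPLE_MALFORMED)]:
        opts, bad = parse_tcp_options(hdr)
        kinds = [OPTION_NAMES.get(k, f"kind-{k}") for k, _ in opts]
        print(f"{name:13s} kinds={kinds} malformed={bad} "
              f"has_0x1e={has_option(hdr, 0x1E)} byte_offset={byte_offset_match(hdr)}")
```

The `vendor-later` sample is the case that matters: the kind-based check finds the 0x1e option while the byte-offset filter misses it, because the option sits behind MSS and two NOP bytes. The `malformed` sample shows why the length check is not optional; a zero length byte would otherwise spin the loop forever, which is a classic option-parser bug.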
