ra / racluster - filter on TCP options

jdenton jdenton at itcglobal.com
Fri Jun 7 16:08:09 EDT 2013


Carter,

Found the 'Kind' field of 30 in the TCP Options pointed to MPTCP and 
RFC6824.
- Other captures of my data show the same, first field 30 { 0x1e }, 
MultipathTCP.

So the ra filter may be simply  ra - tcpopt mptcp

Regards,
Jon




On 6/7/13 2:23 PM, jdenton wrote:
> Carter, Dave,
>
> Looking at my traffic the network vendor appears to set the first byte 
> to 0x1e in the TCP Options field.
> This keeps the traffic normal but allows them to detect the packet.
> To Dave's point, the TCP Options field is 12 bytes of other 'who knows 
> what' info.
> Would you need a filter with byte offsets?
> Wireshark tags it as 'Multipath TCP' but I don't know if that is 
> always the case??
> Will run a few more captures to see if the 'Multipath' label is 
> consistent..
>
> Regards,
> Jon
>
>
>
>
>
>
> On 6/7/13 1:52 PM, David Edelman wrote:
>> Carter,
>>
>> I think that we once discussed tcp and udp options and that they were
>> somehow stored as a long bitmask which accommodated both combinations of
>> options as well as the possibility of locally defined options. If this is
>> the case, would it make sense to do something based on the assigned option
>> number or equivalent name allowing for both options specified and not
>> specified e.g.:
>>
>> ra - tcpopt mss and not syn
>>
>> ra - tcpopt mss and not tcpopt 0x1a
>>
>> --Dave
>>
>> On 6/7/13 5:36 PM, "Carter Bullard"<carter at qosient.com>  wrote:
>>
>>> Hey Jon,
>>> We definitely know what the options are, but I don't have any
>>> filter support right now.
>>>
>>> I can add something like:
>>>    ra - tcpopt mss
>>>
>>> I'll need some grammar suggestions for all the options we track,
>>> which are:
>>>
>>> Maximum Segment Size
>>> Window Scale
>>> Selective ACK OK
>>> Selective ACK
>>> TCP Echo
>>> TCP Echo Reply
>>> TCP Timestamp
>>> TCP CC
>>> TCP CC New
>>> TCP CC Echo
>>> Source Explicit Congestion Notification
>>> Destination Explicit Congestion Notification
>>>
>>> I can put this in pretty quick, once we figure out the syntax.
>>> Carter
>>>
>>>
>>> On Jun 6, 2013, at 6:14 PM, jdenton<jdenton at itcglobal.com>  wrote:
>>>
>>>> Hi Carter,
>>>>
>>>> Hope all is well.
>>>> Working with some network gear that changes the TCP options on packets
>>>> it processes, is it possible to filter
>>>> in the argus-clients based on TCP header options??  i.e. All traffic
>>>> where  TCP option = 26 or 0x1A.
>>>>
>>>> Thanks,
>>>> Jon
>>>>
>>>>
>
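
Added example, not part of the original thread and not argus code: TCP options are kind/length/value records, so matching on the option kind (30 / 0x1e for MPTCP, RFC 6824) by walking the list is more reliable than testing a fixed byte offset. The function names and the sample option bytes below are constructed for illustration.

```python
EOL, NOP, MPTCP = 0, 1, 30   # MPTCP is kind 30 (0x1e), RFC 6824

def parse_tcp_options(raw: bytes):
    """Walk the TCP options area; return [(kind, value), ...].

    Raises ValueError when a length byte is missing, below 2, or
    runs past the end of the options area.
    """
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:              # end of option list: rest is padding
            break
        if kind == NOP:              # one-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"kind {kind} at offset {i}: no length byte")
        length = raw[i + 1]          # length covers kind + length + value
        if length < 2 or i + length > len(raw):
            raise ValueError(f"kind {kind} at offset {i}: bad length {length}")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts

def has_option(raw: bytes, kind: int) -> bool:
    """True only if `kind` appears as an option kind, not as a value byte."""
    return any(k == kind for k, _ in parse_tcp_options(raw))

# Constructed option areas (not taken from the captures in the thread).
MPTCP_FIRST = bytes.fromhex("1e0c0081" "0102030405060708")
MPTCP_LATER = bytes.fromhex("020405b4" "0101" "0402" "1e0c0081" "0102030405060708")
NO_MPTCP = bytes.fromhex("020405b4" "0101" "080a" "001e8480" "00000000")
TRUNCATED = bytes.fromhex("1e0c0081")

if __name__ == "__main__":
    for name, raw in [("MPTCP_FIRST", MPTCP_FIRST), ("MPTCP_LATER", MPTCP_LATER),
                      ("NO_MPTCP", NO_MPTCP)]:
        print(name, "first byte 0x1e:", raw[0] == 0x1E,
              "| 0x1e anywhere:", 0x1E in raw,
              "| kind 30 present:", has_option(raw, MPTCP))
    try:
        parse_tcp_options(TRUNCATED)
    except ValueError as err:
        print("TRUNCATED rejected:", err)
```

MPTCP_LATER carries option 30 at offset 8, so a first-byte test misses it, while NO_MPTCP contains a 0x1e byte inside a timestamp value, so a raw byte search would flag it wrongly.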
