Duplicate packets

elof2 at sentor.se
Tue Sep 24 10:16:55 EDT 2013


Hi Glen and Carter.

Glen, Carter and I discussed this problem some years back, but I don't 
think anything was officially released.

The thoughts at that time were that:
* argus receives a packet from SPAN
* argus does its processing
* a new packet is received from SPAN
* argus compares whether
   * this very next packet is identical to the previous one and
   * it arrived within an extremely short period of time
   = tag this flow as having duplicates instead of retransmissions.

The faulty SPAN will always send the two identical packets directly after 
each other. No other packet will be inserted in between, so there is no need for 
argus to check further back than the very previous packet.

There might be situations where identical packets are seen on the wire 
that are NOT SPAN-duplicates. Say you have a completely silent network 
except for some machine that sends a UDP broadcast announcement every 
second.
This packet could be identical to the last one. Same ports, same TTL, same 
MAC-addresses and even the same IPid (usually set to 0).
These packets won't be considered duplicates since they weren't received 
extremely fast after the first packet.


The result if argus had this functionality would be to
a) detect bad/faulty SPAN setups (which are very common)
b) no longer log duplicates as retransmissions, as is done today



In Feb 2012, Carter wrote:
"The duplicates, such as multiple copies of the exact same packet, is 
detectable and I put code in to do this"
*snip*

I don't think that code was ever tested or put into production though.
Do you remember, Carter?

/Elof
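The heuristic Elof describes above, as an added example in Python (not argus code and not from anyone on the list): each captured packet is compared only with the very previous one, and a byte-identical packet arriving within an assumed 100 µs window is counted as a SPAN duplicate, while identical packets that arrive slowly (the periodic UDP broadcast case) are counted separately. The Packet layout, flow key, window and sample capture are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed window: byte-identical packets this close together are treated as a
# capture-side (SPAN) copy rather than a retransmission by the sender.
DUP_WINDOW_US = 100

FlowKey = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


@dataclass
class Packet:
    ts_us: int      # capture timestamp in microseconds
    flow: FlowKey   # constructed flow key (argus would derive this itself)
    raw: bytes      # full frame as captured: MACs, TTL, IP ID, payload, ...


def classify(packets: List[Packet]) -> Dict[FlowKey, Dict[str, int]]:
    """Tag flows whose packets appear twice back-to-back within DUP_WINDOW_US."""
    stats: Dict[FlowKey, Dict[str, int]] = {}
    prev = None
    for pkt in packets:                      # assumes capture order
        s = stats.setdefault(pkt.flow, {"packets": 0, "span_dups": 0, "identical_slow": 0})
        s["packets"] += 1
        # Only the immediately preceding packet is consulted: a faulty SPAN
        # emits the copy right after the original, never with anything between.
        if prev is not None and pkt.raw == prev.raw:
            if pkt.ts_us - prev.ts_us <= DUP_WINDOW_US:
                s["span_dups"] += 1          # same bytes, arrived "instantly"
            else:
                s["identical_slow"] += 1     # same bytes, but a real repeat on the wire
        prev = pkt
    return stats


def flows_with_span_dups(stats: Dict[FlowKey, Dict[str, int]]) -> List[FlowKey]:
    return sorted(f for f, s in stats.items() if s["span_dups"] > 0)


def build_sample() -> List[Packet]:
    """Constructed capture: a TCP flow mirrored twice by a bad SPAN, plus a
    silent network's UDP announcement repeated byte-for-byte every second."""
    tcp: FlowKey = ("10.0.0.5", 40000, "10.0.0.9", 80, "tcp")
    bcast: FlowKey = ("10.0.0.7", 5353, "10.0.0.255", 5353, "udp")
    pkts: List[Packet] = []
    for i in range(3):
        frame = b"TCP-FRAME-" + bytes([i])
        pkts.append(Packet(i * 200_000, tcp, frame))       # original
        pkts.append(Packet(i * 200_000 + 5, tcp, frame))   # SPAN copy, 5 us later
    for i in range(3):
        pkts.append(Packet(1_000_000 * (i + 1), bcast, b"UDP-ANNOUNCE"))
    return sorted(pkts, key=lambda p: p.ts_us)
```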


On Wed, 18 Sep 2013, Carter Bullard wrote:

> Hey Glen,
> No, at least not at the moment, there isn't any logic in argus to realize that there are dups on the wire, but there are indirect methods for the clients to detect this.
>
> Things like very high retransmit rates, i.e. 50-100% for TCP, flow rates that exceed known rates for specific flows, and duplicates for transactions that should not have duplicates, like DNS, are all indications of packet collection duplication that is not really on the wire.
>
> I'm not sure that we should put it in argus, but we could do something in the clients !!!
>
> Carter
>
>
>
> On Sep 18, 2013, at 5:34 AM, Glen Bojsza <gbojsza at finepoint.com> wrote:
>
>> Is it possible or is there way that would allow argus to notify the user of duplicate packets detected?
>>
>> For example we are looking to alert a user if the switch mirror port is configured incorrectly and is reporting packets twice, once on ingress and once on egress.
>>
>> regards
>> GB
>>
>


