Duplicate packets

[Carter Bullard]

Hey /Elof,
So this is, again, a somewhat sticky situation, as I'm thinking that
there are a few situations in which rejecting a duplicate/identical
packet is the wrong thing to do, so I'm still at a loss as to how
to approach this problem.  If I could get some more packet traces
that had duplicates in them, I maybe able to work something out.

I haven't been idle on this topic.  We've enhanced the flow keys to
try to count the duplicates, but discriminate the dups and track them
in their own flows.  I believe this is the right thing to do, as the
packets are really on the wire, and we're all about telling you
about what is really on the wire.  I have implemented silly packet
rejection, which does get close to the situations you described,
but I'm non thinking its the best solution.

Send some sample packet files, and lets discuss in detail.
It will be a key feature in post argus-3.0.8, which is coming
up in hopefully a few weeks.

Carter


On Sep 24, 2013, at 10:16 AM, elof2 at sentor.se wrote:

> 
> Hi Glen and Carter.
> 
> Glen, Carter and I discussed this problem some years back, but I don't think anything was officially released.
> 
> The thoughts at that time was that:
> * argus receive a packet from SPAN
> * argus do its processing
> * a new packet is received from SPAN
> * argus compares if
>  * this very next packet is identical to the previous one and
>  * it arrived within an extremely short period of time
>  = tag this flow as having duplicates instead of retransmissions.
> 
> The faulty SPAN will always send the two identical packets directly after eachother. No other packet will be inserted in between, so no need for argus to check longer back than the very previous packet.
> 
> There might be situations where identical packets are seen on the wire that are NOT SPAN-duplicates. Say you have a completely silent network except for some machine that send an UDP broadcast announcement every second.
> This packet could be identical to the last one. Same ports, same TTL, same MAC-addresses and even the same IPid (usually set to 0).
> These packets won't be considered duplicates since they weren't received extremely fast after the first packet.
> 
> 
> The result if argus had this functionality would be to
> a) detect bad/faulty SPAN setup (which is very common)
> b) no longer log duplicates as restransmissions as is done today
> 
> 
> 
> In Feb 2012, Carter wrote:
> "The duplicates, such as multiple copies of the exact same packet, is detectable and I put code in to do this"
> *snip*
> 
> I don't think that code was ever tested or put into production though.
> Do you remember, Carter?
> 
> /Elof
> 
> 
> On Wed, 18 Sep 2013, Carter Bullard wrote:
> 
>> Hey Glen,
>> No, at least not at the moment, there isn't any logic in argus to realize that there are dups on the wire, but there are indirect methods for the clients to detect this.
>> 
>> Things like very high retransmit rates, i.e. 50-100% for TCP, flow rates that exceed known rates for specific flows, and duplicates for transactions that should not have duplicates, like DNS, are all indications of packet collection duplication that is not really on the wire.
>> 
>> I'm not sure that we should put it in argus, but we could do something in the clients !!!
>> 
>> Carter
>> 
>> 
>> 
>> On Sep 18, 2013, at 5:34 AM, Glen Bojsza <gbojsza at finepoint.com> wrote:
>> 
>>> Is it possible or is there way that would allow argus to notify the user of duplicate packets detected?
>>> 
>>> For example we are looking to alert a user if the switch mirror port is configured incorrectly and is reporting packets twice, once on ingress and once on egress.
>>> 
>>> regards
>>> GB
>>> 
>> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130926/905446f6/attachment.bin>