TCP port 0 or *?

Peter Van Epp vanepp at sfu.ca
Mon Aug 18 13:48:09 EDT 2014


On Mon, Aug 18, 2014 at 08:40:00AM -0400, John T. Myers wrote:
> Carter,
> 
> I'm not seeing any "F" in the flgs field, but I am seeing some "g"aps. This collect is just from a VM where there is very little traffic. All of the partial "f"ragments are being caused by a MySQL connection (between MySQL Workbench and a DB that rasqlinsert is feeding into). We're talking < 100 flows per second so I'm wondering why it's missing the first fragmented packet.
> 
> 

	Given it is a low utilization link, running tcpdump on the input traffic
at the same time as argus should be both easy and illuminating. If the frags 
really are in the input, discovering why they are there would be good (most
modern non wide area networks shouldn't be fragmenting), and if they don't 
appear on the input, the tcpdump file gives Carter a useful test case to see 
why argus is reacting badly, assuming the traffic can be released. 

Peter Van Epp
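
One way to run the check suggested above over a capture saved with `tcpdump -w`, as an added example that is not part of the original message or of argus: it lists IPv4 fragments per datagram and reports datagrams whose offset-0 fragment never appears in the capture. It assumes a classic pcap file with Ethernet framing; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

def fragment_groups(pcap: bytes) -> dict:
    """Map (src, dst, proto, ip_id) -> sorted byte offsets of the IPv4 fragments seen."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic (microsecond) pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    groups, pos = defaultdict(list), 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (VLAN-tagged frames are not parsed here)
        ip = frame[14:34]
        ip_id, flags_off = struct.unpack("!HH", ip[4:8])
        offset = (flags_off & 0x1FFF) * 8          # fragment offset in bytes
        if flags_off & 0x2000 or offset:           # MF set, or a non-first fragment
            groups[(ip[12:16], ip[16:20], ip[9], ip_id)].append(offset)
    return {key: sorted(offs) for key, offs in groups.items()}

def missing_first(groups: dict) -> list:
    """Datagrams for which no offset-0 fragment appears in the capture."""
    return [key for key, offs in groups.items() if 0 not in offs]

# --- constructed sample capture (not real traffic) ---
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])

def make_frame(ip_id: int, flags_off: int) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ip_id, flags_off, 64, 6, 0, SRC, DST)
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * 8

def make_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = make_pcap([
    make_frame(1, 0x2000),   # id 1: first fragment (MF, offset 0)
    make_frame(1, 0x00B9),   # id 1: last fragment at byte 1480
    make_frame(2, 0x00B9),   # id 2: trailing fragment only, first one absent
    make_frame(3, 0x4000),   # id 3: unfragmented (DF), ignored
])

if __name__ == "__main__":
    for src, dst, proto, ip_id in missing_first(fragment_groups(SAMPLE)):
        print(f"id={ip_id} proto={proto}: no offset-0 fragment in capture")
```

If a datagram shows up here, the first fragment was already absent on the wire as captured; if none do while argus still flags partial fragments, the capture file is the test case to hand over.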


