Under what circumstances will an ICMP flow with state ECO return dbytes of 0?

Carter Bullard carter at qosient.com
Fri Jan 3 16:08:09 EST 2014


What is node liveliness ???  I can imagine, but it's not a normal metric.
So dpkts == 0  ???  Means "no response", no one at home.

But the failure to get a packet back could be that the machine didn't
get the Echo, got it but didn't respond, or responded but the response
was lost.  These equate to Reachable, Available, Connectable.  We
differentiate these based on a list of criteria.
 
You could have gotten a different type of ICMP packet back, such as an
Unreachable...  Look at the flgs field for an 'I', showing that the packet
got an ICMP mapped to the original packet, but not an Echo.  With that
you will get a duration, for the single packet flow, and the field "inode"
will have the address of the intermediate node that generated the ICMP.

Carter


On Jan 3, 2014, at 2:34 PM, Matt Brown <matthewbrown at gmail.com> wrote:

> Hello again,
> 
> I am investigating how to use argus for "node liveliness detection."
> 
> Considering leveraging ra() as:
> 
> ra -S 127.0.0.1:561 -s ltime stime daddr sport sbytes dbytes flgs state - icmp
> 
> I see dbytes can be 0 when the state of a flow is ECO.
> 
> Why would this be?
> 
> 
> I have covered this question thoroughly on the network engineering
> stackexchange: http://networkengineering.stackexchange.com/q/5683
> 
> 
> I think this is my last question for the day!
> 
> 
> Thanks,
> 
> Matt
> 
> 
> 
> Any assistance is appreciated.
> 
> 
> Thanks,
> 
> Matt
> 
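
An added example, not part of the original messages and not Argus code: a small classifier for the three outcomes described in the reply above (response seen, nothing came back, a non-Echo ICMP mapped to the flow and reported via inode). It assumes the records were exported comma-delimited in the column order shown, with inode added to the field list; the sample rows are constructed and the function names are hypothetical.

```python
import csv
import io

# Column order assumed for this example (the thread's field list plus inode).
FIELDS = ["stime", "daddr", "sbytes", "dbytes", "flgs", "state", "inode"]

# Constructed sample records, not real captures.
SAMPLE = """\
16:01:02.100000,192.0.2.10,98,98,,ECO,
16:01:03.200000,192.0.2.11,98,0,,ECO,
16:01:04.300000,192.0.2.12,98,0,I,ECO,198.51.100.1
"""


def classify(rec):
    """Return (verdict, detail) for one ICMP flow record."""
    dbytes = int(rec["dbytes"] or 0)  # an empty column counts as zero
    if dbytes > 0:
        return ("responded", rec["daddr"])
    if "I" in rec["flgs"]:
        # An ICMP message other than an Echo was mapped to this flow;
        # inode names the intermediate node that generated it.
        return ("icmp-mapped", rec["inode"].strip() or "unknown")
    # Nothing came back. This alone cannot tell whether the Echo never
    # arrived, was ignored, or the response was lost on the way back.
    return ("no-response", None)


def liveness_report(text):
    """Classify every record in a block of delimited ra-style output."""
    rows = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [(r["daddr"], *classify(r)) for r in rows]


if __name__ == "__main__":
    for daddr, verdict, detail in liveness_report(SAMPLE):
        print(f"{daddr:15} {verdict:12} {detail or ''}")
```
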
