A couple of troubleshooting questions...
Craig Merchant
craig.merchant at oracle.com
Wed Jul 23 17:41:48 EDT 2014
I've been trying to troubleshoot why Argus is having a tough time determining the direction of flows (approximately 40% of flows). We also seem to be seeing a fairly high number of flows with gaps (approximately 15%). Oddly enough, though, only about 20% of flows with questionable direction have gaps in them.
What I am seeing is that the overwhelming majority of traffic with gaps in the sequence numbers has either TCP 0 or TCP 25 as the source port, or TCP 25 as the destination. After doing a little reading (http://www.lovemytool.com/blog/2013/08/the-strange-history-of-port-0-by-jim-macleod.html), TCP 0 doesn't seem to mean that the source port was defined as 0, but rather that a Layer 4 header wasn't included in the packet. This article implies that packet fragmentation is often a cause of this, but I'm not seeing TCP flags indicating any kind of fragmentation.
What does a packet with TCP 0 as a source port mean in Argus?
Is there anything special about SMTP that might generate a higher volume of gaps than other types of traffic? We're an ESP, so we send and receive a ton of email on behalf of our customers. But I'm also not seeing gaps in other types of traffic (like HTTPS) between us and the Internet.
Thanks.
Craig
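An added example, not part of the original post and not Argus project code: a standard-library-only Python script that walks a pcap and sorts each IPv4/TCP packet into the cases the port-0 discussion above is about. In IPv4 the More Fragments (MF) flag and the fragment offset live in the IP header, not in the TCP flags; only the fragment with offset 0 carries the TCP header, so every later fragment has no source or destination port at all, which is the condition flow tools commonly record as port 0. A packet whose TCP header genuinely says port 0 is a separate case, and the classifier distinguishes it. The capture is constructed inline (an SMTP SYN, a two-fragment datagram, and a packet with a real source port of 0); addresses, packet identifiers and the category names are this example's own choices.

```python
"""Classify why a pcap record would be reported with TCP port 0.

Added example (not from Argus or the original post).  Standard library only;
the pcap is constructed inline so the script runs offline.
"""
import struct

ETH_IPV4 = 0x0800
PROTO_TCP = 6
SRC, DST = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"   # constructed addresses


def ipv4_header(total_len, ident, mf, offset_units, proto, src, dst):
    """20-byte IPv4 header; offset_units is the fragment offset in 8-byte units.
    The checksum is left at zero because this data is only ever parsed."""
    flags_frag = ((1 if mf else 0) << 13) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                       flags_frag, 64, proto, 0, src, dst)


def tcp_header(sport, dport, flags=0x02):
    """20-byte TCP header (default flags = SYN); checksum left at zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)


def ethernet_frame(ip_packet):
    """Prepend a minimal Ethernet II header carrying IPv4."""
    return b"\x00" * 6 + b"\x00\x00\x00\x00\x00\x01" + struct.pack("!H", ETH_IPV4) + ip_packet


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian pcap file (linktype 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1406142108 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield the captured bytes of each record in a pcap file (either byte order)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def classify(frame):
    """Return (category, src_port, dst_port) for one Ethernet/IPv4 frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return ("not_ipv4", None, None)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    mf, offset = bool(flags_frag & 0x2000), flags_frag & 0x1FFF
    if ip[9] != PROTO_TCP:
        return ("not_tcp", None, None)
    if offset != 0:
        # Non-first fragment: the TCP header travelled in the fragment with
        # offset 0, so this packet carries no ports.  This is the usual "port 0".
        return ("fragment_no_l4_header", 0, 0)
    l4 = ip[ihl:]
    if len(l4) < 20:
        return ("truncated_l4_header", 0, 0)
    sport, dport = struct.unpack("!HH", l4[:4])
    if sport == 0 or dport == 0:
        # The header is present and really says 0: a different situation.
        return ("explicit_port_0", sport, dport)
    return ("first_fragment" if mf else "tcp", sport, dport)


def sample_pcap():
    """Constructed capture: normal SMTP SYN, a two-fragment datagram, a real port 0."""
    syn = tcp_header(40000, 25)
    normal = ethernet_frame(ipv4_header(20 + len(syn), 1, False, 0, PROTO_TCP, SRC, DST) + syn)
    first = tcp_header(40001, 25, flags=0x18) + b"A" * 12          # 32 bytes: a multiple of 8
    frag1 = ethernet_frame(ipv4_header(20 + len(first), 2, True, 0, PROTO_TCP, SRC, DST) + first)
    rest = b"B" * 16                                                 # data only, no TCP header
    frag2 = ethernet_frame(ipv4_header(20 + len(rest), 2, False, len(first) // 8, PROTO_TCP, SRC, DST) + rest)
    zero = tcp_header(0, 25)
    port0 = ethernet_frame(ipv4_header(20 + len(zero), 3, False, 0, PROTO_TCP, SRC, DST) + zero)
    return build_pcap([normal, frag1, frag2, port0])


def summarize(pcap_bytes):
    """Classify every record; return (per-packet results, category counts)."""
    results = [classify(f) for f in iter_pcap(pcap_bytes)]
    counts = {}
    for cat, _, _ in results:
        counts[cat] = counts.get(cat, 0) + 1
    return results, counts


if __name__ == "__main__":
    for i, (cat, sp, dp) in enumerate(summarize(sample_pcap())[0], 1):
        print(f"packet {i}: {cat:24s} sport={sp} dport={dp}")
```

Pointing `summarize` at a real capture (read the file's bytes and pass them in) gives a quick count of how many records are non-first fragments versus genuine port-0 headers; if the fragment bucket is empty, the port-0 records the sensor reports are not explained by IP fragmentation at the capture point.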